Disable show_password_hint by default

A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
2025-11-07 12:53:01 -05:00 · 2021-07-10 01:20:37 -07:00
parent 3968bc8016
commit 8ee5d51bd4
2 changed files with 8 additions and 5 deletions
--- a/.env.template
+++ b/.env.template
@@ -210,8 +210,10 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000

-## Whether password hint should be sent into the error response when the client request it
-# SHOW_PASSWORD_HINT=true
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false

 ## Domain settings
 ## The domain must match the address from where you access the server