# Chrome MCP Secure - Enterprise Configuration # Copy this file to .env and customize for your environment # ============================================================================== # CHROME CONNECTION # ============================================================================== CHROME_HOST=localhost CHROME_PORT=9222 # ============================================================================== # LOGGING # ============================================================================== # Log level: debug, info, warn, error LOG_LEVEL=info # Audit logging (hash-chained JSONL) AUDIT_LOGGING=true AUDIT_LOG_DIR=./logs # ============================================================================== # COMPLIANCE LOGGING (SIEM Integration) # ============================================================================== # Output format: jsonl, cef, syslog, json COMPLIANCE_LOG_FORMAT=jsonl # Log directory COMPLIANCE_LOG_DIR=./logs/compliance # Minimum severity to log (0-10, CEF scale) # 0=Unknown, 3=Low, 5=Medium, 7=High, 8=Very High, 10=Critical COMPLIANCE_MIN_SEVERITY=0 # Remote Syslog (RFC 5424) # SYSLOG_HOST=siem.company.com # SYSLOG_PORT=514 # CEF Header Customization CEF_DEVICE_VENDOR=Pantheon-Security CEF_DEVICE_PRODUCT=Chrome-MCP-Secure CEF_DEVICE_VERSION=2.3.0 # ============================================================================== # CREDENTIAL VAULT (Post-Quantum Encryption) # ============================================================================== # Base64-encoded 32-byte encryption key (recommended for production) # Generate with: openssl rand -base64 32 # CHROME_MCP_ENCRYPTION_KEY=your-base64-key-here # Credential time-to-live in memory (milliseconds, default: 5 minutes) CHROME_MCP_CREDENTIAL_TTL=300000 # ============================================================================== # SECRETS SCANNER # ============================================================================== # Enable/disable secrets scanning in responses CHROME_MCP_SECRETS_SCANNING=true # Block operations when secrets detected CHROME_MCP_SECRETS_BLOCK=false # Auto-redact detected secrets CHROME_MCP_SECRETS_REDACT=true # Minimum severity to report: low, medium, high, critical CHROME_MCP_SECRETS_MIN_SEVERITY=low # ============================================================================== # RESPONSE VALIDATION # ============================================================================== # Enable response validation CHROME_MCP_RESPONSE_VALIDATION=true # Block prompt injection attempts CHROME_MCP_BLOCK_PROMPT_INJECTION=true # Block suspicious URLs (shorteners, paste services) CHROME_MCP_BLOCK_SUSPICIOUS_URLS=true # ============================================================================== # SESSION MANAGEMENT # ============================================================================== # Enable session management CHROME_MCP_SESSION_MANAGEMENT=true # Maximum session lifetime (milliseconds, default: 8 hours) CHROME_MCP_SESSION_MAX_LIFETIME=28800000 # Inactivity timeout (milliseconds, default: 30 minutes) CHROME_MCP_SESSION_INACTIVITY=1800000 # ============================================================================== # MCP AUTHENTICATION # ============================================================================== # Enable token-based authentication CHROME_MCP_AUTH_ENABLED=false # Authentication token (auto-generated if not set) # CHROME_MCP_AUTH_TOKEN=your-secure-token # Token file path (alternative to CHROME_MCP_AUTH_TOKEN) # CHROME_MCP_AUTH_TOKEN_FILE=/etc/chrome-mcp/auth-token # Max failed auth attempts before lockout CHROME_MCP_AUTH_MAX_FAILED=5 # Lockout duration (milliseconds, default: 5 minutes) CHROME_MCP_AUTH_LOCKOUT_MS=300000 # ============================================================================== # CERTIFICATE PINNING # ============================================================================== # Enable certificate pinning CHROME_MCP_CERT_PINNING=true # Custom pins (format: domain1:pin1,pin2;domain2:pin3) # CHROME_MCP_CERT_PINS=internal.company.com:sha256/ABC123 # Cache TTL (milliseconds) CHROME_MCP_CERT_CACHE_TTL=3600000 # Report-only mode (log violations but don't block) CHROME_MCP_CERT_REPORT_ONLY=false # ============================================================================== # SCREENSHOT REDACTION # ============================================================================== # Enable automatic redaction of sensitive fields in screenshots CHROME_MCP_SCREENSHOT_REDACTION=true # Redaction overlay color CHROME_MCP_REDACTION_COLOR=#000000 # Redaction overlay text CHROME_MCP_REDACTION_TEXT=[REDACTED] # Additional CSS selectors to redact (comma-separated) # CHROME_MCP_REDACTION_SELECTORS=.sensitive-data,.pii-field