Before you promote Billar Pro Backend beyond a local development machine there are several defaults that must change. The project ships with hardcoded passwords, an auto-schema-update JPA mode, SQL logging enabled, CORS locked toDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ierinconc/billar-pro-backend/llms.txt
Use this file to discover all available pages before exploring further.
localhost:5173, a seed admin account with a known password, and — most critically — a JWT signing key that is randomly generated fresh on every startup. Each of these is intentional and convenient for development, but unsafe in production. This page walks through every required change before going live.
Production deployment steps
Build the JAR
Billar Pro Backend is built on Spring Boot 3.5.11 and requires Java 21 (Package the application, skipping tests to speed up the build:The executable JAR is written to:
java.version=21 in pom.xml). Verify your runtime before building:Configure a production database
Use a managed PostgreSQL service (e.g. Amazon RDS, Google Cloud SQL, Supabase, Railway) rather than a local Docker container. Once you have a connection string, update your
application.yml (or supply environment variables) to point at the production host.Critically, change ddl-auto from update to validate. With update, Hibernate silently alters your production schema on every boot — a very easy way to cause data loss or downtime:validate will fail fast at startup if the database schema does not match the JPA entity model, giving you an early signal of a migration mismatch rather than silent corruption.Set environment variables
Never hardcode passwords or connection strings in committed files. Use environment variables (or a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or Doppler) for all sensitive values. The Supply these in your deployment environment and reference them in
.env.example file documents the variables the application needs at runtime:application.yml:Update CORS to the production frontend origin
SecurityConfig.corsConfigurationSource() currently hardcodes the allowed origin as http://localhost:5173:https://app.billarpro.com). Leaving localhost:5173 in place means browsers will block all cross-origin requests from your deployed frontend.You can externalise this value into an environment variable to avoid code changes between environments:Change the default admin credentials
DataSeeder runs on every startup and, when the usuarios table is empty, creates an admin account with the well-known credentials:- Username:
admin - Password:
billar123
JWT token invalidation on restart
Tokens are valid for 10 hours (EXPIRACION = 1000 * 60 * 60 * 10 milliseconds) from the time of issue. Plan your deployment windows accordingly — a scheduled restart will log out every active user.
Security checklist
Production security checklist
Production security checklist
Review every item before your first production deployment:
-
Rotate admin password after first run —
DataSeederseedsadmin/billar123on an empty database. Change the password immediately via the API after the initial startup against the production database. - Use HTTPS behind a reverse proxy — the Spring Boot app listens on plain HTTP port 8080. Place it behind a TLS-terminating reverse proxy such as Nginx, Caddy, or an AWS Application Load Balancer. Never expose port 8080 directly to the public internet.
-
Set
spring.jpa.show-sql: false— the defaultapplication-example.ymlsets this totrue. SQL statements written to application logs can expose schema details and query patterns to anyone with log access. -
Set
spring.jpa.hibernate.ddl-auto: validate— the example configuration usesupdate, which lets Hibernate modify the live schema automatically. Usevalidatein production so any schema drift causes a startup failure rather than silent alteration. -
Restrict CORS to your actual frontend origin —
SecurityConfigallowshttp://localhost:5173by default. UpdatecorsConfigurationSource()to your real frontend URL before going live. -
Externalise the JWT signing key — the current
JwtUtilgenerates a new random key withKeys.secretKeyFor(SignatureAlgorithm.HS256)on every startup, which means every application restart invalidates all issued tokens. For production, persist a stable key in a secret store and inject it via an environment variable so tokens survive restarts and rolling deployments.