# Deployment Configuration

**Date:** 2026-03-11T11:59:39Z

## Hosting Model

- Windows IIS
- `public/` configured as the site root
- `public/Default.asp` as the default document
- URL Rewrite sends non-static requests through the ASP front controller

## Runtime Configuration

Primary deployment configuration is stored in `public/web.config`.

### Important Settings

- `ConnectionString`
- `Environment`
- `FlashMessageTimeout`
- `Error404RedirectSeconds`
- `CacheExpirationYear`
- `EnableErrorLogging`
- `ErrorLogPath`
- `KeycloakBaseUrl`
- `KeycloakRealm`
- `KeycloakClientId`
- `KeycloakClientSecret`
- `KeycloakRedirectUri`
- `KeycloakLogoutRedirectUri`
- `KeycloakAllowedClockSkewSeconds`
- `KeycloakHttpResolveTimeoutMs`
- `KeycloakHttpConnectTimeoutMs`
- `KeycloakHttpSendTimeoutMs`
- `KeycloakHttpReceiveTimeoutMs`
- `KeycloakEnableLogging`
- `KeycloakLogPath`

## Deployment Notes

- The Access DB path must be updated for the target machine.
- `ErrorLogPath` should be writable by the IIS application identity if enabled.
- Keep `KeycloakClientSecret` out of source control and inject it per environment.
- In `Production`, the login flow now rejects non-HTTPS or localhost Keycloak base, callback, and logout URLs.
- Static assets are expected under `public/` paths excluded from rewrite rules.

## Observed Gaps

- No container, CI/CD, or infrastructure-as-code deployment config was detected.
- Deployment is currently documented as a manual IIS-based process.