diff --git a/.gitignore b/.gitignore
index 10226e6..753ab51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,10 @@
+# Environment files (NEVER commit secrets!)
+.env
+.env.local
+.env.*.local
+*.env
+!.env.example
+
 # IDE
 .vscode/
 .idea/
diff --git a/backend/.env b/backend/.env
deleted file mode 100644
index a610db5..0000000
--- a/backend/.env
+++ /dev/null
@@ -1,22 +0,0 @@
-# Database
-MYSQL_HOST=mysql.theaken.com
-MYSQL_PORT=33306
-MYSQL_USER=A060
-MYSQL_PASSWORD=WLeSCi0yhtc7
-MYSQL_DATABASE=db_A060
-
-# Redis
-REDIS_HOST=localhost
-REDIS_PORT=6379
-REDIS_DB=0
-
-# JWT
-JWT_SECRET_KEY=pjctrl-jwt-secret-key-2024-change-in-production
-JWT_ALGORITHM=HS256
-JWT_EXPIRE_MINUTES=15
-
-# External Auth API
-AUTH_API_URL=https://pj-auth-api.vercel.app
-
-# System Admin
-SYSTEM_ADMIN_EMAIL=ymirliu@panjit.com.tw
diff --git a/backend/.env.example b/backend/.env.example
index 32745de..cbcd274 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,9 +1,9 @@
 # Database
-MYSQL_HOST=mysql.theaken.com
-MYSQL_PORT=33306
-MYSQL_USER=A060
-MYSQL_PASSWORD=your_password_here
-MYSQL_DATABASE=db_A060
+MYSQL_HOST=your-mysql-host
+MYSQL_PORT=3306
+MYSQL_USER=your-username
+MYSQL_PASSWORD=your-password-here
+MYSQL_DATABASE=your-database
 
 # Redis
 REDIS_HOST=localhost
@@ -13,13 +13,13 @@ REDIS_DB=0
 # JWT
 JWT_SECRET_KEY=generate-a-random-secret-key-here
 JWT_ALGORITHM=HS256
-JWT_EXPIRE_MINUTES=15
+JWT_EXPIRE_MINUTES=60
 
 # External Auth API
-AUTH_API_URL=https://pj-auth-api.vercel.app
+AUTH_API_URL=https://your-auth-api-url
 
 # System Admin
-SYSTEM_ADMIN_EMAIL=ymirliu@panjit.com.tw
+SYSTEM_ADMIN_EMAIL=admin@example.com
 
 # File Encryption (AES-256)
 # Master key for encrypting file encryption keys (optional - if not set, file encryption is disabled)