diff --git a/.replit b/.replit
index 048618b..38d6c3e 100644
--- a/.replit
+++ b/.replit
@@ -27,6 +27,10 @@ externalPort = 3000
 localPort = 42175
 externalPort = 3002
+[[ports]]
+localPort = 45863
+externalPort = 3003
+
 [env]
 PORT = "5000"
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index a8d3ab8..5529425 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -80,7 +80,7 @@ Lo script `setup-server.sh` installa automaticamente:
 ✅ **PostgreSQL 15**
 - Database relazionale
 - User: `vigilanza_user`
-- Password: `553da84c94093919d46055d6ec37dfa2a03d0f46`
+- Password: **Generata automaticamente** (salvata in `/root/.vigilanza_db_password`)
 - Database: `vigilanza_turni`
 ✅ **PM2**
@@ -140,16 +140,21 @@ cp .env.production.example .env
 nano .env
 ```
-**File .env completo:**
+**Recupera password e crea .env:**
 ```bash
+# Recupera password da file sicuro
+DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
+
+# Crea .env con password reale (non shell var)
+cat > .env << EOF
 # Database
-DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
+DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
 PGHOST=localhost
 PGPORT=5432
 PGDATABASE=vigilanza_turni
 PGUSER=vigilanza_user
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46
+PGPASSWORD=${DB_PASS}
 # Session (genera nuovo)
 SESSION_SECRET=$(openssl rand -base64 32)
@@ -166,6 +171,15 @@ BACKUP_RETENTION_DAYS=30
 # Logging
 LOG_LEVEL=info
+EOF
+
+echo "✅ File .env creato con password sicura"
+```
+
+**Verifica .env creato:**
+```bash
+cat .env | grep DATABASE_URL
+# Deve mostrare password reale, non ${DB_PASS}
 ```
 ---
@@ -250,23 +264,26 @@ pm2 monit
 **Backup Manuale:**
 ```bash
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
 BACKUP_FILE="/var/backups/vigilanza-turni/backup_manual_$(date +%Y%m%d_%H%M%S).sql"
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
+pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
 gzip $BACKUP_FILE
 echo "Backup salvato: ${BACKUP_FILE}.gz"
 ```
 **Ripristino Backup:**
 ```bash
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
 # Lista backup disponibili
 ls -lht /var/backups/vigilanza-turni/*.gz
 # Ripristina specifico backup
 BACKUP_FILE="/var/backups/vigilanza-turni/backup_20250116_143022.sql.gz"
-gunzip -c $BACKUP_FILE | \
- PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni
+gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
 # Restart applicazione
 pm2 restart vigilanza-turni
@@ -274,8 +291,10 @@ pm2 restart vigilanza-turni
 **Accesso Database:**
 ```bash
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
+psql -h localhost -U vigilanza_user -d vigilanza_turni
 ```
 ### Log Management
@@ -363,8 +382,8 @@ sudo firewall-cmd --list-all
 ```bash
 # 1. Verifica connessione
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
 # 2. Check PostgreSQL
 sudo systemctl status postgresql
@@ -428,8 +447,8 @@ pm2 monit
 sudo tail -f /var/log/nginx/vigilanza-turni-access.log
 # 4. Database performance
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
 "SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
 ```
@@ -440,10 +459,9 @@ PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
 pm2 stop vigilanza-turni
 # 2. Ripristina database
+export $(cat /root/.vigilanza_db_password | xargs)
 BACKUP_FILE=$(ls -t /var/backups/vigilanza-turni/*.gz | head -1)
-gunzip -c $BACKUP_FILE | \
- PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni
+gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
 # 3. Git rollback
 cd /var/www/vigilanza-turni
diff --git a/QUICKSTART-DEPLOYMENT.md b/QUICKSTART-DEPLOYMENT.md
index 23069ce..8c081f4 100644
--- a/QUICKSTART-DEPLOYMENT.md
+++ b/QUICKSTART-DEPLOYMENT.md
@@ -30,11 +30,13 @@ sudo bash deploy/setup-server.sh
 Lo script installa automaticamente:
 - Node.js 20
-- PostgreSQL 15 (con password: 553da84c94093919d46055d6ec37dfa2a03d0f46)
+- PostgreSQL 15 (password autogenerata)
 - PM2
 - Nginx
 - Certbot (SSL)
+⚠️ **Password DB salvata in:** `/root/.vigilanza_db_password`
+
 ### 2️⃣ Configura Nginx (2 min)
 ```bash
@@ -54,20 +56,41 @@ sudo certbot --nginx -d vt.alfacom.it
 ```bash
 cd /var/www/vigilanza-turni
-# Crea .env produzione
-cp .env.production.example .env
-nano .env
-```
-
-**Inserisci in .env:**
-```bash
-DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
+# Recupera password DB da file sicuro
+DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
 SESSION_SECRET=$(openssl rand -base64 32)
+
+# Crea .env con valori reali (no shell variables)
+cat > .env << EOF
+# Database
+DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
+PGHOST=localhost
+PGPORT=5432
+PGDATABASE=vigilanza_turni
+PGUSER=vigilanza_user
+PGPASSWORD=${DB_PASS}
+
+# Session
+SESSION_SECRET=${SESSION_SECRET}
+
+# Application
 NODE_ENV=production
 PORT=5000
 APP_URL=https://vt.alfacom.it
+
+# Backup
 BACKUP_ENABLED=true
 BACKUP_DIR=/var/backups/vigilanza-turni
+LOG_LEVEL=info
+EOF
+
+echo "✅ File .env creato"
+```
+
+**Verifica:**
+```bash
+cat .env | grep DATABASE_URL
+# Deve mostrare password reale, non variabili shell
 ```
 ### 4️⃣ Primo Deploy (2 min)
@@ -118,9 +141,9 @@ pm2 restart vigilanza-turni
 # Verifica backup
 ls -lht /var/backups/vigilanza-turni/
-# Ripristina backup
+# Ripristina backup (usa password da file)
+export $(cat /root/.vigilanza_db_password | xargs)
 gunzip -c /var/backups/vigilanza-turni/backup_20250116_143022.sql.gz | \
- PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
 psql -h localhost -U vigilanza_user -d vigilanza_turni
 ```
@@ -137,9 +160,9 @@ sudo systemctl reload nginx
 **Errore database:**
 ```bash
-# Verifica connessione
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
- psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
+# Verifica connessione (usa password da file)
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
 ```
 **Build fallito:**
diff --git a/deploy/setup-server.sh b/deploy/setup-server.sh
index b6bf1cc..6152a63 100644
--- a/deploy/setup-server.sh
+++ b/deploy/setup-server.sh
@@ -50,8 +50,13 @@ postgresql-setup --initdb
 systemctl enable postgresql
 systemctl start postgresql
-# Password database fornita dall'utente
-DB_PASSWORD="553da84c94093919d46055d6ec37dfa2a03d0f46"
+# Genera password sicura PostgreSQL (o usa variabile ambiente)
+if [ -z "$DB_PASSWORD" ]; then
+ DB_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25)
+ log_warn "Password PostgreSQL generata automaticamente"
+else
+ log_info "Uso password PostgreSQL da variabile DB_PASSWORD"
+fi
 # Creazione database e utente
 log_info "Configurazione database..."
@@ -63,7 +68,10 @@ GRANT ALL PRIVILEGES ON DATABASE vigilanza_turni TO vigilanza_user;
 GRANT ALL ON SCHEMA public TO vigilanza_user;
 EOF
-log_info "✅ Database configurato con password fornita"
+# Salva password in file sicuro
+echo "PGPASSWORD=${DB_PASSWORD}" > /root/.vigilanza_db_password
+chmod 600 /root/.vigilanza_db_password
+log_info "✅ Database configurato - Password salvata in /root/.vigilanza_db_password"
 # Configurazione PostgreSQL per connessioni locali
 log_info "Configurazione autenticazione PostgreSQL..."
@@ -115,5 +123,11 @@ echo "3. Crea file .env con DATABASE_URL (password già configurata)"
 echo "4. Ottieni certificato SSL: sudo certbot --nginx -d vt.alfacom.it"
 echo "5. Esegui primo deploy: bash deploy/deploy.sh"
 echo ""
+log_warn "⚠️ IMPORTANTE - Password PostgreSQL:"
+echo "Salvata in: /root/.vigilanza_db_password"
+echo ""
 log_info "DATABASE_URL per .env:"
-echo "postgresql://vigilanza_user:${DB_PASSWORD}@localhost:5432/vigilanza_turni"
+echo "postgresql://vigilanza_user:PASSWORD_DA_FILE@localhost:5432/vigilanza_turni"
+echo ""
+echo "Recupera password con:"
+echo " cat /root/.vigilanza_db_password"
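Review bot: The generation branch in the first hunk never checks that `openssl` produced anything. Unless `pipefail` is set earlier in the script (not visible here), the pipeline's status is that of `cut`, so a missing or failing `openssl` leaves `DB_PASSWORD` empty and the script goes on to configure the role and write the file with an empty password. Add a guard right after `fi`, for example `[ -n "$DB_PASSWORD" ] || { log_warn "DB_PASSWORD vuoto"; exit 1; }`. The `else` branch accepts any caller-supplied value; the SQL that consumes it is outside this hunk, but if it is interpolated unescaped there and into `DATABASE_URL`, characters such as `'`, `@` or `/` would break both, so restricting it to the same alphanumeric alphabet would be prudent. The removed literal also stays in git history, so any host already provisioned with it needs its role password rotated; this change only helps fresh installs.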
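Review bot: In the second hunk the password file is created by the `echo … >` redirect under the current umask and only tightened by `chmod 600` afterwards, so it briefly exists with default permissions; create it restricted from the start with `( umask 077; printf 'PGPASSWORD=%s\n' "$DB_PASSWORD" > /root/.vigilanza_db_password )`. The `.env` written by the `cat > .env << EOF` snippets in DEPLOYMENT.md and QUICKSTART-DEPLOYMENT.md holds the same secret and has no permission step at all, so those snippets should end with `chmod 600 .env`. On a re-run without `DB_PASSWORD` set, a new value is generated and overwrites this file; the role-creation SQL is outside the hunk, but if it fails because the role already exists, the file would no longer match the database, so consider `ALTER USER` or refusing to overwrite an existing file. The documented readers (`export $(cat … | xargs)` and `cut -d= -f2`) also mangle values containing spaces, quotes or `=`, which is another reason to validate a caller-supplied password.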