Environment

kittendevv edited this page Apr 26, 2026 · 7 revisions

Backend Configuration

  • ADMIN_USER: The username for the admin dashboard. Default: admin.
  • ADMIN_PASS: The password for the admin dashboard. Default: supersecret.
  • JWT_SECRET: Secret key for signing JWTs.
  • SESSION_TTL_SECONDS: Lifetime (in seconds) for issued JWT sessions. Minimum: 300, Maximum: 43200. Default: 3600.
  • COOKIE_SECURE: Set to false in local development if you need to test without Secure cookies. Default: true.
  • SECURE_HEADERS_DISABLED: Set to true to disable hardened security headers during local troubleshooting. Default: false.

Rate Limiting (Login)

  • RATE_LIMIT_ENABLED: Enable or disable rate limiting for the login endpoint. Default: true.
  • RATE_LIMIT_MAX_ATTEMPTS: Maximum failed login attempts before blocking. Default: 5.
  • RATE_LIMIT_WINDOW_SECONDS: Time window in seconds for rate limiting. Default: 900 (15 minutes).
  • RATE_LIMIT_TRUST_PROXY: Trust X-Forwarded-For header for client IP detection. Set to true when behind a reverse proxy (e.g., nginx, Apache, Caddy, or Docker with a reverse proxy). Default: false.

Security Headers

  • ENABLE_HSTS: Emit Strict-Transport-Security when requests arrive via HTTPS. Default: false.
  • CONTENT_SECURITY_POLICY: Override the default Content Security Policy for the backend API if custom hosts are needed. Example:
    CONTENT_SECURITY_POLICY="default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; connect-src 'self'"
    

Database Configuration

  • DATABASE_PATH: Path to the SQLite database file.
    • For Docker (recommended): /app/data/invio.db
    • For local development: ./invio.db

Demo Mode (Optional)

  • DEMO_MODE: When true, the app is writable but auto-resets from DEMO_DB_PATH at a fixed interval. Default: false.
  • DEMO_DB_PATH: Path to a pristine demo database snapshot used for resets. Example: /app/data/invio-demo.db.
  • DEMO_RESET_HOURS: Interval in hours between resets. Default: 0.5 (30 minutes).
  • DEMO_RESET_ON_START: Reset once on app start. Default: true.

Networking / Ports

  • BACKEND_PORT: Port for the backend server. Default: 3000.
  • FRONTEND_PORT: Port for the frontend server. Default: 8000.
  • FRONTEND_PORT_INTERNAL: Internal container port for the frontend. Default: 8000.

Frontend → Backend URL

  • BACKEND_URL: URL for the frontend to communicate with the backend.
    • For Docker Compose: http://backend:3000
    • For local development: http://localhost:3000

PDF Rendering

  • WEASYPRINT_BIN: Path to the weasyprint binary. Only needed if the binary is installed in a non-standard location; standard paths are checked automatically.

Frontend Security Headers

  • FRONTEND_SECURE_HEADERS_DISABLED: Set to true to disable hardened headers during local development. Default: false.
  • ENABLE_HSTS: Emit Strict-Transport-Security when served via HTTPS. Default: false.
  • FRONTEND_CONTENT_SECURITY_POLICY: Override the default Content Security Policy for the frontend if hosting assets elsewhere. Example:
    FRONTEND_CONTENT_SECURITY_POLICY="default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:3000 https: ws: wss:; frame-ancestors 'none'; form-action 'self'; object-src 'none'; base-uri 'none'"
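
A pre-deployment check over the variables documented above, added here as an example and not taken from the project's own code. The names `audit_env`, `behind_proxy`, `https` and `MIN_SECRET_LEN`, the 32-character minimum for JWT_SECRET, and the treatment of only the literal `true` as enabled are assumptions of this example.

```python
import os

# Defaults as documented on this page; unset variables fall back to these.
DEFAULTS = {
    "ADMIN_PASS": "supersecret", "SESSION_TTL_SECONDS": "3600",
    "COOKIE_SECURE": "true", "SECURE_HEADERS_DISABLED": "false",
    "FRONTEND_SECURE_HEADERS_DISABLED": "false", "RATE_LIMIT_ENABLED": "true",
    "RATE_LIMIT_TRUST_PROXY": "false", "ENABLE_HSTS": "false", "DEMO_MODE": "false",
}
MIN_SECRET_LEN = 32  # assumption: the page states no minimum for JWT_SECRET


def audit_env(env, behind_proxy=False, https=True):
    """Return findings for a production deployment (hypothetical helper)."""
    cfg = {**DEFAULTS, **env}
    def on(name):  # assumption: only the literal "true" enables a flag
        return cfg.get(name, "").strip().lower() == "true"
    findings = []
    if cfg["ADMIN_PASS"] == DEFAULTS["ADMIN_PASS"]:
        findings.append("ADMIN_PASS is the documented default")
    if len(cfg.get("JWT_SECRET", "")) < MIN_SECRET_LEN:
        findings.append("JWT_SECRET is unset or too short")
    try:
        if not 300 <= int(cfg["SESSION_TTL_SECONDS"]) <= 43200:
            findings.append("SESSION_TTL_SECONDS outside 300..43200")
    except ValueError:
        findings.append("SESSION_TTL_SECONDS is not an integer")
    if not on("COOKIE_SECURE"):
        findings.append("COOKIE_SECURE is off")
    for name in ("SECURE_HEADERS_DISABLED", "FRONTEND_SECURE_HEADERS_DISABLED"):
        if on(name):
            findings.append(name + " is on")
    if not on("RATE_LIMIT_ENABLED"):
        findings.append("RATE_LIMIT_ENABLED is off")
    # Trusting X-Forwarded-For without a proxy lets clients pick their own
    # rate-limit key; not trusting it behind one keys every client to the proxy.
    if on("RATE_LIMIT_TRUST_PROXY") != behind_proxy:
        findings.append("RATE_LIMIT_TRUST_PROXY does not match the deployment")
    if https and not on("ENABLE_HSTS"):
        findings.append("ENABLE_HSTS is off on an HTTPS deployment")
    if on("DEMO_MODE"):
        findings.append("DEMO_MODE is on")
    return findings


if __name__ == "__main__":
    for finding in audit_env(dict(os.environ)):
        print("WARN:", finding)
```

Run it in the same environment the backend and frontend containers receive; an empty result means none of these checks fired.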
    
