This page collects the most important config values.
See .env.example for defaults and required values.
- Purpose: Public URL the browser uses to call the backend.
  - Where set: `.env` (frontend container environment).
  - Gotcha: Must be reachable from the browser on the host, not a Docker network alias. A Compose service name resolves only inside the Docker network, never from the user's browser.
- Where set: `.env` (backend).
  - When required: `AUTH_MODE=local`.
  - Policy: Must be a non-placeholder value at least 50 characters long.
- Default: `1048576` (1 MiB).
  - Purpose: Maximum accepted inbound webhook payload size; larger bodies are rejected with `413 Content Too Large`.
  - Gotcha: A reverse proxy in front of the API may enforce its own, smaller body limit first, so check both when a webhook is rejected.
- Default: `memory`.
  - Allowed values: `memory`, `redis`.
  - Purpose: Selects whether rate limits are tracked per-process in memory or shared through Redis.
  - Gotcha: With `memory`, every backend process or replica keeps its own counters, so the effective limit grows with the number of processes. Use `redis` when running more than one.
- Default: (blank).
  - Purpose: Redis connection string used for shared rate limits.
  - When required: `RATE_LIMIT_BACKEND=redis` and `RQ_REDIS_URL` is not set.
  - Fallback: If blank and Redis rate limiting is enabled, the backend falls back to `RQ_REDIS_URL`.
- Default: (blank).
  - Purpose: Comma-separated list of trusted reverse-proxy IPs or CIDRs. `Forwarded` / `X-Forwarded-For` client IP headers are honored only when the direct peer is in this list.
  - Gotcha: Leave this blank unless the direct peer is a proxy you control. Any client can send these headers, so honoring them from an untrusted peer lets callers spoof the client IP the API records.
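The following is an added example, not the project's own code, showing how the policies above fit together: a loader that checks the secret length and placeholder rule, the webhook size limit, the `RATE_LIMIT_BACKEND` / `RQ_REDIS_URL` fallback and the trusted-proxy list, plus a client-IP resolver that honors `X-Forwarded-For` only when the direct peer is a trusted proxy. The page names only `AUTH_MODE`, `RATE_LIMIT_BACKEND` and `RQ_REDIS_URL`; the other variable names (`BACKEND_SECRET`, `MAX_WEBHOOK_BODY_BYTES`, `RATE_LIMIT_REDIS_URL`, `TRUSTED_PROXIES`) and the placeholder list are assumptions. Only `X-Forwarded-For` is handled; the RFC 7239 `Forwarded` header needs its own parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Assumed variable names: the page does not give them.
SECRET_VAR = "BACKEND_SECRET"
MAX_WEBHOOK_VAR = "MAX_WEBHOOK_BODY_BYTES"
RATE_LIMIT_REDIS_VAR = "RATE_LIMIT_REDIS_URL"
TRUSTED_PROXIES_VAR = "TRUSTED_PROXIES"

# Values treated as placeholders for the secret check (assumed list).
PLACEHOLDERS = {"changeme", "change-me", "replace-me", "secret", "todo"}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Settings:
    max_webhook_bytes: int
    rate_limit_backend: str
    rate_limit_redis_url: Optional[str]
    trusted_proxies: List[Network]


def load_settings(env: Dict[str, str]) -> Settings:
    """Apply the policies from the page; collect every violation before failing."""
    errors: List[str] = []

    # Secret: non-placeholder and at least 50 characters when AUTH_MODE=local.
    if env.get("AUTH_MODE") == "local":
        secret = env.get(SECRET_VAR, "").strip()
        if len(secret) < 50 or secret.lower() in PLACEHOLDERS:
            errors.append(f"{SECRET_VAR}: non-placeholder value of at least "
                          f"50 characters required when AUTH_MODE=local")

    # Webhook body limit: positive integer, default 1 MiB.
    raw = env.get(MAX_WEBHOOK_VAR, "1048576")
    max_bytes = 0
    try:
        max_bytes = int(raw)
        if max_bytes <= 0:
            raise ValueError(raw)
    except ValueError:
        errors.append(f"{MAX_WEBHOOK_VAR}: expected a positive integer, got {raw!r}")

    # Rate-limit backend, with the documented fallback to RQ_REDIS_URL.
    backend = env.get("RATE_LIMIT_BACKEND", "memory")
    if backend not in ("memory", "redis"):
        errors.append(f"RATE_LIMIT_BACKEND: expected memory or redis, got {backend!r}")
    redis_url = (env.get(RATE_LIMIT_REDIS_VAR, "").strip()
                 or env.get("RQ_REDIS_URL", "").strip() or None)
    if backend == "redis" and redis_url is None:
        errors.append(f"RATE_LIMIT_BACKEND=redis needs {RATE_LIMIT_REDIS_VAR} or RQ_REDIS_URL")

    # Trusted proxies: comma-separated IPs or CIDRs; blank means trust nobody.
    proxies: List[Network] = []
    for item in env.get(TRUSTED_PROXIES_VAR, "").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            proxies.append(ipaddress.ip_network(item, strict=False))  # "10.0.0.5" -> /32
        except ValueError:
            errors.append(f"{TRUSTED_PROXIES_VAR}: {item!r} is not an IP or CIDR")

    if errors:
        raise ValueError("\n".join(errors))
    return Settings(max_bytes, backend, redis_url, proxies)


def _is_trusted(addr, settings: Settings) -> bool:
    return any(addr in net for net in settings.trusted_proxies)


def client_ip(settings: Settings, peer_ip: str, x_forwarded_for: str = "") -> str:
    """Return the client IP; X-Forwarded-For is honored only behind a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, settings):
        return str(peer)  # direct client or untrusted peer: the header is ignored
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left past the proxies we trust; the first untrusted hop is the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the peer address
        if not _is_trusted(addr, settings):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy; the peer is the best answer
```

The right-to-left walk matters: an attacker controls the leftmost entries of `X-Forwarded-For`, so the only hop that can be trusted is the one appended by a proxy you control, which is why the list is consulted from the peer side inward.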
These environment variables control security headers added to every API response. Set a variable to blank ("") to disable the corresponding header; an unset variable uses the default.
- Default: `nosniff`.
  - Header: `X-Content-Type-Options`.
  - Purpose: Prevents browsers from MIME-type sniffing responses.
- Default: `DENY`.
  - Header: `X-Frame-Options`.
  - Purpose: Prevents the API from being embedded in iframes.
  - Note: If your deployment embeds the API in an iframe, set this to `SAMEORIGIN` (framing allowed only from the same origin) or blank (no restriction). Blank removes the clickjacking protection entirely, so cross-origin embedding should then be limited by other means, such as a CSP `frame-ancestors` directive.
- Default: `strict-origin-when-cross-origin`.
  - Header: `Referrer-Policy`.
  - Purpose: Controls how much referrer information is sent with requests.
- Default: (blank, header disabled).
  - Header: `Permissions-Policy`.
  - Purpose: Restricts browser features (camera, microphone, etc.) when set.
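As an added example (not the project's own code), the block below resolves the four header values with the "unset means default, blank means disabled" rule described above and audits a response's headers for the gaps that rule can open, such as a blank `X-Frame-Options` with no CSP `frame-ancestors` fallback. The environment variable names (`SECURITY_HEADER_*`) are assumptions; the header names and defaults are the ones listed on this page.

```python
from typing import Dict, List, Tuple

# Assumed variable names mapped to (header name, default from the page).
HEADER_VARS: Dict[str, Tuple[str, str]] = {
    "SECURITY_HEADER_CONTENT_TYPE_OPTIONS": ("X-Content-Type-Options", "nosniff"),
    "SECURITY_HEADER_FRAME_OPTIONS": ("X-Frame-Options", "DENY"),
    "SECURITY_HEADER_REFERRER_POLICY": ("Referrer-Policy", "strict-origin-when-cross-origin"),
    "SECURITY_HEADER_PERMISSIONS_POLICY": ("Permissions-Policy", ""),
}


def security_headers(env: Dict[str, str]) -> Dict[str, str]:
    """Headers to add to every response: unset -> default, blank -> header omitted."""
    out: Dict[str, str] = {}
    for var, (header, default) in HEADER_VARS.items():
        value = env[var] if var in env else default
        if value.strip():
            out[header] = value.strip()
    return out


def audit_headers(response_headers: Dict[str, str]) -> List[str]:
    """Report weak or missing security headers; lookups are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings: List[str] = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': responses may be MIME-sniffed")

    # A blank X-Frame-Options is only acceptable if CSP restricts framing instead.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction: X-Frame-Options missing/blank "
                        "and CSP has no frame-ancestors")

    if h.get("referrer-policy", "").lower() in ("", "unsafe-url"):
        findings.append("Referrer-Policy missing or 'unsafe-url': full URLs leak to other origins")

    return findings


if __name__ == "__main__":
    # Constructed sample: X-Frame-Options disabled, Permissions-Policy enabled.
    sample_env = {"SECURITY_HEADER_FRAME_OPTIONS": "",
                  "SECURITY_HEADER_PERMISSIONS_POLICY": "camera=(), microphone=()"}
    for finding in audit_headers(security_headers(sample_env)):
        print("WARN:", finding)
```

Run the audit against the headers of a real response as well, since a reverse proxy may strip or overwrite what the API sets.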