2.7 KiB
2.7 KiB
Configuration reference
This page collects the most important config values.
Root .env (Compose)
See .env.example for defaults and required values.
NEXT_PUBLIC_API_URL
- Where set:
.env(frontend container environment) - Purpose: Public URL the browser uses to call the backend.
- Gotcha: Must be reachable from the browser (host), not a Docker network alias.
LOCAL_AUTH_TOKEN
- Where set:
.env(backend) - When required:
AUTH_MODE=local - Policy: Must be non-placeholder and at least 50 characters.
WEBHOOK_MAX_PAYLOAD_BYTES
- Default:
1048576(1 MiB) - Purpose: Maximum accepted inbound webhook payload size before the API returns
413 Content Too Large.
RATE_LIMIT_BACKEND
- Default:
memory - Allowed values:
memory,redis - Purpose: Selects whether rate limits are tracked per-process in memory or shared through Redis.
RATE_LIMIT_REDIS_URL
- Default: (blank)
- When required:
RATE_LIMIT_BACKEND=redisandRQ_REDIS_URLis not set - Purpose: Redis connection string used for shared rate limits.
- Fallback: If blank and Redis rate limiting is enabled, the backend falls back to
RQ_REDIS_URL.
TRUSTED_PROXIES
- Default: (blank)
- Purpose: Comma-separated list of trusted reverse-proxy IPs or CIDRs used to honor
Forwarded/X-Forwarded-Forclient IP headers. - Gotcha: Leave this blank unless the direct peer is a proxy you control.
FORGEJO_SYNC_ENABLED
- Default:
true - Purpose: Enables the scheduled RQ task that syncs all active Forgejo repository issue caches.
FORGEJO_SYNC_INTERVAL_SECONDS
- Default:
3600 - Purpose: Interval between scheduled Forgejo issue-cache sync runs.
FORGEJO_SYNC_STARTUP_DELAY_SECONDS
- Default:
60 - Purpose: Delay before the first scheduled Forgejo sync task is seeded after API startup.
Security response headers
These environment variables control security headers added to every API response. Set any variable to blank ("") to disable the corresponding header.
SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS
- Default:
nosniff - Purpose: Prevents browsers from MIME-type sniffing responses.
SECURITY_HEADER_X_FRAME_OPTIONS
- Default:
DENY - Purpose: Prevents the API from being embedded in iframes.
- Note: If your deployment embeds the API in an iframe, set this to
SAMEORIGINor blank.
SECURITY_HEADER_REFERRER_POLICY
- Default:
strict-origin-when-cross-origin - Purpose: Controls how much referrer information is sent with requests.
SECURITY_HEADER_PERMISSIONS_POLICY
- Default: (blank — disabled)
- Purpose: Restricts browser features (camera, microphone, etc.) when set.