# Environment Variables
You can actually configure Psono with environment variables instead of config files.
- Server: Required
- Server: Recommended
- Server: Other
- PSONO_DEBUG
- PSONO_DISABLED
- PSONO_MAINTENANCE_ACTIVE
- PSONO_ALLOWED_HOSTS
- PSONO_ALLOW_REGISTRATION
- PSONO_ALLOW_LOST_PASSWORD
- PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
- PSONO_ALLOWED_SECOND_FACTORS
- PSONO_ALLOW_USER_SEARCH_BY_EMAIL
- PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
- PSONO_DUO_INTEGRATION_KEY
- PSONO_DUO_SECRET_KEY
- PSONO_DUO_API_HOSTNAME
- PSONO_DUO_PROXY_HOST
- PSONO_DUO_PROXY_PORT
- PSONO_DUO_PROXY_HEADERS
- PSONO_DUO_PROXY_TYPE
- PSONO_MULTIFACTOR_ENABLED
- PSONO_REGISTRATION_EMAIL_FILTER
- PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
- PSONO_TRUSTED_IP_HEADER
- PSONO_NUM_PROXIES
- PSONO_THROTTLE_RATE_ANON
- PSONO_THROTTLE_RATE_LOGIN
- PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
- PSONO_THROTTLE_RATE_PASSWORD
- PSONO_THROTTLE_RATE_USER
- PSONO_THROTTLE_RATE_HEALTH_CHECK
- PSONO_THROTTLE_RATE_STATUS_CHECK
- PSONO_THROTTLE_RATE_GA_VERIFY
- PSONO_THROTTLE_RATE_DUO_VERIFY
- PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
- PSONO_THROTTLE_RATE_REGISTRATION
- PSONO_THROTTLE_RATE_USER_DELETE
- PSONO_THROTTLE_RATE_USER_UPDATE
- PSONO_THROTTLE_RATE_FILESERVER_ALIVE
- PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
- PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
- PSONO_DATABASE_SLAVE_URL
- PSONO_DATABASES_DEFAULT_ENGINE
- PSONO_DATABASES_DEFAULT_NAME
- PSONO_DATABASES_DEFAULT_USER
- PSONO_DATABASES_DEFAULT_PASSWORD
- PSONO_DATABASES_DEFAULT_HOST
- PSONO_DATABASES_DEFAULT_PORT
- PSONO_EMAIL_FROM
- PSONO_EMAIL_HOST
- PSONO_EMAIL_HOST_USER
- PSONO_EMAIL_HOST_PASSWORD
- PSONO_EMAIL_PORT
- PSONO_EMAIL_SUBJECT_PREFIX
- PSONO_EMAIL_USE_TLS
- PSONO_EMAIL_USE_SSL
- PSONO_EMAIL_SSL_CERTFILE
- PSONO_EMAIL_SSL_KEYFILE
- PSONO_EMAIL_TIMEOUT
- PSONO_YUBIKEY_CLIENT_ID
- PSONO_YUBIKEY_SECRET_KEY
- PSONO_YUBICO_API_URLS
- PSONO_EMAIL_BACKEND
- PSONO_MAILGUN_API_URL
- PSONO_MAILGUN_ACCESS_KEY
- PSONO_MAILGUN_SERVER_NAME
- PSONO_MAILJET_API_KEY
- PSONO_MAILJET_SECRET_KEY
- PSONO_MAILJET_API_URL
- PSONO_MANDRILL_API_KEY
- PSONO_MANDRILL_API_URL
- PSONO_POSTMARK_SERVER_TOKEN
- PSONO_POSTMARK_API_URL
- PSONO_SENDGRID_API_KEY
- PSONO_SENDGRID_API_URL
- PSONO_BREVO_API_KEY
- PSONO_BREVO_API_URL
- PSONO_SPARKPOST_API_KEY
- PSONO_SPARKPOST_API_URL
- PSONO_IGNORE_UNSUPPORTED_FEATURES
- PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
- PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
- PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
- PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
- PSONO_CACHE_ENABLE
- PSONO_CACHE_DB
- PSONO_CACHE_REDIS
- PSONO_CACHE_REDIS_LOCATION
- PSONO_THROTTLING
- PSONO_DISABLE_LAST_PASSWORDS
- PSONO_MANAGEMENT_ENABLED
- PSONO_FILESERVER_HANDLER_ENABLED
- PSONO_FILES_ENABLED
- PSONO_ACTIVATION_LINK_TIME_VALID
- PSONO_DEFAULT_TOKEN_TIME_VALID
- PSONO_MAX_WEB_TOKEN_TIME_VALID
- PSONO_MAX_APP_TOKEN_TIME_VALID
- PSONO_MAX_API_KEY_TOKEN_TIME_VALID
- PSONO_RECOVERY_VERIFIER_TIME_VALID
- PSONO_REPLAY_PROTECTION_DISABLED
- PSONO_DEVICE_PROTECTION_DISABLED
- PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
- PSONO_DISABLE_CALLBACKS
- PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
- PSONO_ALLOWED_CALLBACK_URL_PREFIX
- PSONO_ALLOWED_FILE_REPOSITORY_TYPES
- PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
- PSONO_ALLOW_MULTIPLE_SESSIONS
- PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
- PSONO_SECURE_PROXY_SSL_HEADER
- PSONO_TIME_SERVER
- PSONO_AUTHENTICATION_METHODS
- PSONO_SENTRY_DSN
- PSONO_SENTRY_ENVIRONMENT
- Server: UWSGI
- Server: Enterprise Edition only
- PSONO_LICENSE_CODE
- PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
- PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
- PSONO_COMPLIANCE_ENFORCE_2FA
- PSONO_COMPLIANCE_DISABLE_EXPORT
- PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
- PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
- PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
- PSONO_COMPLIANCE_DISABLE_API_KEYS
- PSONO_COMPLIANCE_SERVER_SECRETS
- PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
- PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
- PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
- PSONO_COMPLIANCE_DISABLE_LINK_SHARES
- PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
- PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
- PSONO_COMPLIANCE_IP_RESTRICTIONS
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
- PSONO_COMPLIANCE_CLIPBOARD_CLEAR_DELAY
- PSONO_COMPLIANCE_MIN_CLIPBOARD_CLEAR_DELAY
- PSONO_COMPLIANCE_MAX_CLIPBOARD_CLEAR_DELAY
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
- PSONO_LDAPGATEWAY_TIMEOUT
- PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
- PSONO_LDAPGATEWAY
- PSONO_LDAP
- PSONO_SAML_CONFIGURATIONS
- PSONO_OIDC_CONFIGURATIONS
- PSONO_LOGGING_AUDIT
- PSONO_LOGGING_AUDIT_WHITELIST
- PSONO_LOGGING_AUDIT_BLACKLIST
- PSONO_LOGGING_AUDIT_FOLDER
- PSONO_LOGGING_AUDIT_TIME
- PSONO_LOGSTASH_FORMATTER
- PSONO_LOGSTASH_MESSAGE_TYPE
- PSONO_LOGSTASH_EXTRA_PREFIX
- PSONO_SPLUNK_HOST
- PSONO_SPLUNK_PORT
- PSONO_SPLUNK_TOKEN
- PSONO_SPLUNK_INDEX
- PSONO_SPLUNK_VERIFY
- PSONO_SPLUNK_PROTOCOL
- PSONO_SPLUNK_SOURCETYPE
- PSONO_LOGSTASH_HANDLER
- PSONO_LOGSTASH_TRANSPORT
- PSONO_LOGSTASH_HOST
- PSONO_LOGSTASH_PORT
- PSONO_LOGSTASH_SSL_ENABLED
- PSONO_LOGSTASH_SSL_VERIFY
- PSONO_LOGSTASH_CA_CERTS
- PSONO_LOGSTASH_CERFILE
- PSONO_LOGSTASH_KEYFILE
- PSONO_LOGSTASH_DATABASE_PATH
- Client
- Portal
- Combo Images
# Server: Required
All these parameters need to be configured either through the settings.yaml
or as environment variable.
# PSONO_SECRET_KEY
*
Used to overwrite the SECRET_KEY
parameter of the settings.yaml
, e.g.
export PSONO_SECRET_KEY=jrgwvgCRPGJeOi9xcFIlfpVL09EZdIkrAJqQIUvTVtB3BO9gsuWi32Ie3VfKtaCk
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_PRIVATE_KEY
*
Used to overwrite the PRIVATE_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PRIVATE_KEY=5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd
WARNING
This parameter needs to be generated together with the PUBLIC_KEY
by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_PUBLIC_KEY
*
Used to overwrite the PUBLIC_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PUBLIC_KEY=141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622
WARNING
This parameter needs to be generated together with the PRIVATE_KEY
by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_ACTIVATION_LINK_SECRET
*
Used to overwrite the ACTIVATION_LINK_SECRET
parameter of the settings.yaml
, which is used to generate the "activation links" whenever a user registers e.g.
export PSONO_ACTIVATION_LINK_SECRET=6kkvvTaPisiHMaLFHRPFjCztjByY8LINkxkhBHmj4FpIEk1kdY9aGIR7xulcs6ij
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
# PSONO_DB_SECRET
*
Used to overwrite the DB_SECRET
parameter of the settings.yaml
, and is used to encrypt the data in the database e.g.
export PSONO_DB_SECRET=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_EMAIL_SECRET_SALT
*
Used to overwrite the EMAIL_SECRET_SALT
parameter of the settings.yaml
, and used to store a hash of the email address in the database to prevent duplicates e.g.
export PSONO_EMAIL_SECRET_SALT=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_HOST_URL
*
Used to overwrite the HOST_URL
parameter of the settings.yaml
, the url of the server itself e.g.
export PSONO_HOST_URL=https://psono.example.com/server
# PSONO_DATABASE_URL
*
Used to overwrite the DATABASE_URL
parameter of the settings.yaml
, and to connect the Psono server to your database e.g.
export PSONO_DATABASE_URL=postgres://myuser:mypassword@192.168.0.5:5432/mydatabase
or for unix domain socket paths
export PSONO_DATABASE_URL=postgres://%2Fvar%2Flib%2Fpostgresql/mydatabase
WARNING
If you want to specify the host, username and so on separately, you can do so with the optional database parameters listed below.
# Server: Recommended
# PSONO_WEB_CLIENT_URL
Used to overwrite the WEB_CLIENT_URL
parameter of the settings.yaml
, and to specify the location of the webclient e.g.
export PSONO_WEB_CLIENT_URL=https://psono.example.com
# PSONO_ALLOWED_DOMAINS
Used to overwrite the ALLOWED_DOMAINS
parameter of the settings.yaml
as a comma separated list of the domain that you allow as username suffix e.g.
export PSONO_ALLOWED_DOMAINS=example.com,something.else.com
# Server: Other
# PSONO_DEBUG
Used to overwrite the DEBUG
parameter of the settings.yaml
and enables the debug mode, e.g.
export PSONO_DEBUG=True
# PSONO_DISABLED
Used to overwrite the DISABLED
parameter of the settings.yaml
and disables the server, e.g.
export PSONO_DISABLED=True
# PSONO_MAINTENANCE_ACTIVE
Used to overwrite the MAINTENANCE_ACTIVE
parameter of the settings.yaml
and enables the maintenance mode, e.g.
export PSONO_MAINTENANCE_ACTIVE=True
# PSONO_ALLOWED_HOSTS
Used to overwrite the ALLOWED_HOSTS
parameter of the settings.yaml
as a comma separated list, e.g.
export PSONO_ALLOWED_HOSTS=a.example.com,something.else.com
# PSONO_ALLOW_REGISTRATION
Used to overwrite the ALLOW_REGISTRATION
parameter of the settings.yaml
, and to disable the registration e.g.
export PSONO_ALLOW_REGISTRATION=True
# PSONO_ALLOW_LOST_PASSWORD
Used to overwrite the ALLOW_LOST_PASSWORD
parameter of the settings.yaml
, and to disable the password recovery mechanism e.g.
export PSONO_ALLOW_LOST_PASSWORD=True
# PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
Used to overwrite the ENFORCE_MATCHING_USERNAME_AND_EMAIL
parameter of the settings.yaml
, and enforces matching username and emails e.g.
export PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL=True
# PSONO_ALLOWED_SECOND_FACTORS
Used to overwrite the ALLOWED_SECOND_FACTORS
parameter of the settings.yaml
, and restricts the possible options for second factors e.g.
export PSONO_ALLOWED_SECOND_FACTORS=yubikey_otp,google_authenticator,duo
# PSONO_ALLOW_USER_SEARCH_BY_EMAIL
Used to overwrite the ALLOW_USER_SEARCH_BY_EMAIL
parameter of the settings.yaml
, and allows users to search other users by their email address e.g.
export PSONO_ALLOW_USER_SEARCH_BY_EMAIL=True
# PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
Used to overwrite the ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
parameter of the settings.yaml
, and allows users to search other users by partial usernames e.g.
export PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL=True
# PSONO_DUO_INTEGRATION_KEY
Used to overwrite the DUO_INTEGRATION_KEY
parameter of the settings.yaml
, the duo integration key e.g.
export PSONO_DUO_INTEGRATION_KEY=DI785965869BJHGKZ
# PSONO_DUO_SECRET_KEY
Used to overwrite the DUO_SECRET_KEY
parameter of the settings.yaml
, the duo secret key e.g.
export PSONO_DUO_SECRET_KEY=8ho7IZK7jioi7joi7glZBJKmhnz
# PSONO_DUO_API_HOSTNAME
Used to overwrite the DUO_API_HOSTNAME
parameter of the settings.yaml
, the duo api hostname e.g.
export PSONO_DUO_API_HOSTNAME=api-abcd1234.duosecurity.com
# PSONO_DUO_PROXY_HOST
Used to overwrite the DUO_PROXY_HOST
parameter of the settings.yaml
, the duo proxy host e.g.
export PSONO_DUO_PROXY_HOST=duoproxy.example.com
# PSONO_DUO_PROXY_PORT
Used to overwrite the DUO_PROXY_PORT
parameter of the settings.yaml
, the port of the duo proxy e.g.
export PSONO_DUO_PROXY_PORT=45612
# PSONO_DUO_PROXY_HEADERS
Used to overwrite the DUO_PROXY_HEADERS
parameter of the settings.yaml
, all headers for the duo proxy e.g.
export PSONO_DUO_PROXY_HEADERS=True
# PSONO_DUO_PROXY_TYPE
Used to overwrite the DUO_PROXY_TYPE
parameter of the settings.yaml
, the type of the proxy, by default CONNECT e.g.
export PSONO_DUO_PROXY_TYPE=CONNECT
# PSONO_MULTIFACTOR_ENABLED
Used to overwrite the MULTIFACTOR_ENABLED
parameter of the settings.yaml
, and to enforce multifactor (all second factors need to be solved) e.g.
export PSONO_MULTIFACTOR_ENABLED=True
# PSONO_REGISTRATION_EMAIL_FILTER
Used to overwrite the REGISTRATION_EMAIL_FILTER
parameter of the settings.yaml
, and to enforce that only certain email addresses can register separated by comma e.g.
export PSONO_REGISTRATION_EMAIL_FILTER=googlemail.com,gmail.com
# PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
Used to overwrite the MANAGEMENT_COMMAND_ACCESS_KEY
parameter of the settings.yaml
, the authentication parameter for remote management commands e.g.
export PSONO_MANAGEMENT_COMMAND_ACCESS_KEY=kjzunI6789BJKNzbjnmnftbvhKJHUzjnk
# PSONO_TRUSTED_IP_HEADER
Used to overwrite the TRUSTED_IP_HEADER
parameter of the settings.yaml
, a parameter that if specified and passed through is trusted to contain the correct IP of the client e.g.
export PSONO_TRUSTED_IP_HEADER=HTTP_CF_CONNECTING_IP
# PSONO_NUM_PROXIES
Used to overwrite the NUM_PROXIES
parameter of the settings.yaml
, the amount of proxies in front of the server in order to parse the HTTP_X_FORWARDED_FOR header proper e.g.
export PSONO_NUM_PROXIES=3
# PSONO_THROTTLE_RATE_ANON
Used to overwrite the THROTTLE_RATE_ANON
parameter of the settings.yaml
, and to specify the throttle rate for anonymous access e.g.
export PSONO_THROTTLE_RATE_ANON=1440/day
# PSONO_THROTTLE_RATE_LOGIN
Used to overwrite the THROTTLE_RATE_LOGIN
parameter of the settings.yaml
, and to specify the throttle rate for login requests e.g.
export PSONO_THROTTLE_RATE_LOGIN=48/day
# PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
Used to overwrite the THROTTLE_RATE_LINK_SHARE_SECRET
parameter of the settings.yaml
, and to specify the throttle rate for link share access e.g.
export PSONO_THROTTLE_RATE_LINK_SHARE_SECRET=60/hour
# PSONO_THROTTLE_RATE_PASSWORD
Used to overwrite the THROTTLE_RATE_PASSWORD
parameter of the settings.yaml
, and to specify the throttle rate for password resets e.g.
export PSONO_THROTTLE_RATE_PASSWORD=24/day
# PSONO_THROTTLE_RATE_USER
Used to overwrite the THROTTLE_RATE_USER
parameter of the settings.yaml
, and to specify the throttle rate for all general authenticated requests e.g.
export PSONO_THROTTLE_RATE_USER=86400/day
# PSONO_THROTTLE_RATE_HEALTH_CHECK
Used to overwrite the THROTTLE_RATE_HEALTH_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the health check endpoint e.g.
export PSONO_THROTTLE_RATE_HEALTH_CHECK=61/hour
# PSONO_THROTTLE_RATE_STATUS_CHECK
Used to overwrite the THROTTLE_RATE_STATUS_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the status endpoint e.g.
export PSONO_THROTTLE_RATE_STATUS_CHECK=6/minute
# PSONO_THROTTLE_RATE_GA_VERIFY
Used to overwrite the THROTTLE_RATE_GA_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a Google Authenticator second factor challenge e.g.
export PSONO_THROTTLE_RATE_GA_VERIFY=6/minute
# PSONO_THROTTLE_RATE_DUO_VERIFY
Used to overwrite the THROTTLE_RATE_DUO_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a DUO second factor challenge e.g.
export PSONO_THROTTLE_RATE_DUO_VERIFY=6/minute
# PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
Used to overwrite the THROTTLE_RATE_YUBIKEY_OTP_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a YubiKey second factor challenge e.g.
export PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY=6/minute
# PSONO_THROTTLE_RATE_REGISTRATION
Used to overwrite the THROTTLE_RATE_REGISTRATION
parameter of the settings.yaml
, and to specify how often someone can try to register e.g.
export PSONO_THROTTLE_RATE_REGISTRATION=20/day
# PSONO_THROTTLE_RATE_USER_DELETE
Used to overwrite the THROTTLE_RATE_USER_DELETE
parameter of the settings.yaml
, and to specify how often someone can try to delete his account e.g.
export PSONO_THROTTLE_RATE_USER_DELETE=20/day
# PSONO_THROTTLE_RATE_USER_UPDATE
Used to overwrite the THROTTLE_RATE_USER_UPDATE
parameter of the settings.yaml
, and to specify how often someone can try to update his account e.g.
export PSONO_THROTTLE_RATE_USER_UPDATE=20/day
# PSONO_THROTTLE_RATE_FILESERVER_ALIVE
Used to overwrite the THROTTLE_RATE_FILESERVER_ALIVE
parameter of the settings.yaml
, and to specify how often a fileserver can announce it being alive e.g.
export PSONO_THROTTLE_RATE_FILESERVER_ALIVE=61/minute
# PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
Used to overwrite the THROTTLE_RATE_FILESERVER_UPLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce fileuploads e.g.
export PSONO_THROTTLE_RATE_FILESERVER_UPLOAD=10000/minute
# PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
Used to overwrite the THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce fileuploads e.g.
export PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD=10000/minute
# PSONO_DATABASE_SLAVE_URL
Used to overwrite the DATABASE_SLAVE_URL
parameter of the settings.yaml
, and to configure a postgres instance that will be used as read slave e.g.
export PSONO_DATABASE_SLAVE_URL=postgres://myuser:mypassword@192.168.0.6:5432/mydatabase
# PSONO_DATABASES_DEFAULT_ENGINE
Used to overwrite the DATABASES_DEFAULT_ENGINE
parameter of the settings.yaml
, and to specify a different database engine e.g.
export PSONO_DATABASES_DEFAULT_ENGINE=django.db.backends.postgresql_psycopg2
# PSONO_DATABASES_DEFAULT_NAME
Used to overwrite the DATABASES_DEFAULT_NAME
parameter of the settings.yaml
, and to specify a database name e.g.
export PSONO_DATABASES_DEFAULT_NAME=mypostgresdatabase
# PSONO_DATABASES_DEFAULT_USER
Used to overwrite the DATABASES_DEFAULT_USER
parameter of the settings.yaml
, and to specify the username used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_USER=mypostgresusername
# PSONO_DATABASES_DEFAULT_PASSWORD
Used to overwrite the DATABASES_DEFAULT_PASSWORD
parameter of the settings.yaml
, and to specify the password used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PASSWORD=mypostgrespassword
# PSONO_DATABASES_DEFAULT_HOST
Used to overwrite the DATABASES_DEFAULT_HOST
parameter of the settings.yaml
, and to specify the host used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_HOST=192.168.10
# PSONO_DATABASES_DEFAULT_PORT
Used to overwrite the DATABASES_DEFAULT_PORT
parameter of the settings.yaml
, and to specify the port used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PORT=5432
# PSONO_EMAIL_FROM
Used to overwrite the EMAIL_FROM
parameter of the settings.yaml
, and to specify the email address that is used to send emails e.g.
export PSONO_EMAIL_FROM=something@example.com
# PSONO_EMAIL_HOST
Used to overwrite the EMAIL_HOST
parameter of the settings.yaml
, and to configure the host used to connect to your email server e.g.
export PSONO_EMAIL_HOST=192.168.0.5
# PSONO_EMAIL_HOST_USER
Used to overwrite the EMAIL_HOST_USER
parameter of the settings.yaml
, and to configure the user used to connect to your email server e.g.
export PSONO_EMAIL_HOST_USER=myemailuser
# PSONO_EMAIL_HOST_PASSWORD
Used to overwrite the EMAIL_HOST_PASSWORD
parameter of the settings.yaml
, and to configure the password used to connect to your email server e.g.
export PSONO_EMAIL_HOST_PASSWORD=myemailpassword
# PSONO_EMAIL_PORT
Used to overwrite the EMAIL_PORT
parameter of the settings.yaml
, and to configure the port used to connect to your email server e.g.
export PSONO_EMAIL_PORT=25
# PSONO_EMAIL_SUBJECT_PREFIX
Used to overwrite the EMAIL_SUBJECT_PREFIX
parameter of the settings.yaml
, and to configure a certain suffix being shown in the subject of all emails e.g.
export PSONO_EMAIL_SUBJECT_PREFIX=True
# PSONO_EMAIL_USE_TLS
Used to overwrite the EMAIL_USE_TLS
parameter of the settings.yaml
, and to specify whether to use TLS or not e.g.
export PSONO_EMAIL_USE_TLS=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_USE_SSL
Used to overwrite the EMAIL_USE_SSL
parameter of the settings.yaml
, and to specify whether to use SSL or not e.g.
export PSONO_EMAIL_USE_SSL=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_SSL_CERTFILE
Used to overwrite the EMAIL_SSL_CERTFILE
parameter of the settings.yaml
, and to specify a path to a certificate file used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_CERTFILE=/etc/ssl/email.crt
# PSONO_EMAIL_SSL_KEYFILE
Used to overwrite the EMAIL_SSL_KEYFILE
parameter of the settings.yaml
, and to specify a path to a key used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_KEYFILE=/etc/ssl/email.key
# PSONO_EMAIL_TIMEOUT
Used to overwrite the EMAIL_TIMEOUT
parameter of the settings.yaml
, and to specify a timeout for requests to your email server e.g.
export PSONO_EMAIL_TIMEOUT=10
# PSONO_YUBIKEY_CLIENT_ID
Used to overwrite the YUBIKEY_CLIENT_ID
parameter of the settings.yaml
, and to configure the required Client ID for YubiKey verification which can be obtained here upgrade.yubico.com/getapikey/ (opens new window) e.g.
export PSONO_YUBIKEY_CLIENT_ID=121334
# PSONO_YUBIKEY_SECRET_KEY
Used to overwrite the YUBIKEY_SECRET_KEY
parameter of the settings.yaml
, and to configure the required secret key for YubiKey verification which can be obtained here upgrade.yubico.com/getapikey/ (opens new window) e.g.
export PSONO_YUBIKEY_SECRET_KEY=abcd
# PSONO_YUBICO_API_URLS
Used to overwrite the YUBICO_API_URLS
parameter of the settings.yaml
, and to specify urls to own yubico API servers, separated by a comma e.g.
export PSONO_YUBICO_API_URLS=https://yubico1.example.com,https://yubico2.example.com
# PSONO_EMAIL_BACKEND
Used to overwrite the EMAIL_BACKEND
parameter of the settings.yaml
, and to change the backend used for emails e.g.
export PSONO_EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
# PSONO_MAILGUN_API_URL
Used to overwrite the MAILGUN_API_URL
parameter of the settings.yaml
, and to specify the mailgun api url e.g.
export PSONO_MAILGUN_API_URL=https://api.eu.mailgun.net/v3
# PSONO_MAILGUN_ACCESS_KEY
Used to overwrite the MAILGUN_ACCESS_KEY
parameter of the settings.yaml
, and to specify the mailgun access key e.g.
export PSONO_MAILGUN_ACCESS_KEY=jkhhklbjkzuzbjkbjkz
# PSONO_MAILGUN_SERVER_NAME
Used to overwrite the MAILGUN_SERVER_NAME
parameter of the settings.yaml
, and to specify the mailgun server name e.g.
export PSONO_MAILGUN_SERVER_NAME=example.com
# PSONO_MAILJET_API_KEY
Used to overwrite the MAILJET_API_KEY
parameter of the settings.yaml
, and to specify the mailjet api key e.g.
export PSONO_MAILJET_API_KEY=Trhuklhuklhuklhkukhublue
# PSONO_MAILJET_SECRET_KEY
Used to overwrite the MAILJET_SECRET_KEY
parameter of the settings.yaml
, and to specify the mailjet api secret e.g.
export PSONO_MAILJET_SECRET_KEY=hfrgdtes3xwtdt4edh4tghdge
# PSONO_MAILJET_API_URL
Used to overwrite the MAILJET_API_URL
parameter of the settings.yaml
, and to specify the mailjet api url e.g.
export PSONO_MAILJET_API_URL=https://api.mailjet.com/v3
# PSONO_MANDRILL_API_KEY
Used to overwrite the MANDRILL_API_KEY
parameter of the settings.yaml
, and to specify the mandrill api key e.g.
export PSONO_MANDRILL_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_MANDRILL_API_URL
Used to overwrite the MANDRILL_API_URL
parameter of the settings.yaml
, and to specify the mandrill api url e.g.
export PSONO_MANDRILL_API_URL=https://mandrillapp.com/api/1.0
# PSONO_POSTMARK_SERVER_TOKEN
Used to overwrite the POSTMARK_SERVER_TOKEN
parameter of the settings.yaml
, and to specify the postmark server token e.g.
export PSONO_POSTMARK_SERVER_TOKEN=fdhbdfdfbdfbdfgfgd
# PSONO_POSTMARK_API_URL
Used to overwrite the POSTMARK_API_URL
parameter of the settings.yaml
, and to specify the postmark api url e.g.
export PSONO_POSTMARK_API_URL=https://api.postmarkapp.com/
# PSONO_SENDGRID_API_KEY
Used to overwrite the SENDGRID_API_KEY
parameter of the settings.yaml
, and to specify the sendgrid api url e.g.
export PSONO_SENDGRID_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SENDGRID_API_URL
Used to overwrite the SENDGRID_API_URL
parameter of the settings.yaml
, and to specify the sendgrid api url e.g.
export PSONO_SENDGRID_API_URL=https://api.sendgrid.com/v3/
# PSONO_BREVO_API_KEY
Used to overwrite the BREVO_API_KEY
parameter of the settings.yaml
, and to specify the brevo api key e.g.
export PSONO_BREVO_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_BREVO_API_URL
Used to overwrite the BREVO_API_URL
parameter of the settings.yaml
, and to specify the brevo api url e.g.
export PSONO_BREVO_API_URL=https://api.brevo.com/v3/
# PSONO_SPARKPOST_API_KEY
Used to overwrite the SPARKPOST_API_KEY
parameter of the settings.yaml
, and to specify the sparkpost api key e.g.
export PSONO_SPARKPOST_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SPARKPOST_API_URL
Used to overwrite the SPARKPOST_API_URL
parameter of the settings.yaml
, and to specify the sparkpost api url e.g.
export PSONO_SPARKPOST_API_URL=https://api.eu.sparkpost.com/api/v1
# PSONO_IGNORE_UNSUPPORTED_FEATURES
Used to overwrite the IGNORE_UNSUPPORTED_FEATURES
parameter of the settings.yaml
, and to ignore unsupported features in email delivery with certain providers e.g.
export PSONO_IGNORE_UNSUPPORTED_FEATURES=True
# PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
parameter of the settings.yaml
, and to configure the access key id for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID=dthdhtdhtsrgdsrgrg
# PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
parameter of the settings.yaml
, and to configure the secret access key for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY=dfdfhgdrgdrgrgddhrtg
# PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_REGION_NAME
parameter of the settings.yaml
, and to configure the region for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME=us-west-2
# PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
Used to overwrite the HEALTHCHECK_TIME_SYNC_ENABLED
parameter of the settings.yaml
, and to disable the healthcheck for the time sync e.g.
export PSONO_HEALTHCHECK_TIME_SYNC_ENABLED=False
# PSONO_CACHE_ENABLE
Used to overwrite the CACHE_ENABLE
parameter of the settings.yaml
, and to enable caching e.g.
export PSONO_CACHE_ENABLE=True
# PSONO_CACHE_DB
Used to overwrite the CACHE_DB
parameter of the settings.yaml
, and to specify the DB as central cache e.g.
export PSONO_CACHE_DB=True
# PSONO_CACHE_REDIS
Used to overwrite the CACHE_REDIS
parameter of the settings.yaml
, and to specify redis as central cache e.g.
export PSONO_CACHE_REDIS=True
# PSONO_CACHE_REDIS_LOCATION
Used to overwrite the CACHE_REDIS_LOCATION
parameter of the settings.yaml
, and to specify the redis host, port and database for caching e.g.
export PSONO_CACHE_REDIS_LOCATION=redis://localhost:6379/0
# PSONO_THROTTLING
Used to overwrite the THROTTLING
parameter of the settings.yaml
, and disables all rate limits e.g.
export PSONO_THROTTLING=False
# PSONO_DISABLE_LAST_PASSWORDS
Used to overwrite the DISABLE_LAST_PASSWORDS
parameter of the settings.yaml
, and to prevent the user from reusing the last X passwords e.g.
export PSONO_DISABLE_LAST_PASSWORDS=5
# PSONO_MANAGEMENT_ENABLED
Used to overwrite the MANAGEMENT_ENABLED
parameter of the settings.yaml
, and to enable the management API required for the portal e.g.
export PSONO_MANAGEMENT_ENABLED=True
# PSONO_FILESERVER_HANDLER_ENABLED
Used to overwrite the FILESERVER_HANDLER_ENABLED
parameter of the settings.yaml
, and to enable the fileserver API required for fileservers e.g.
export PSONO_FILESERVER_HANDLER_ENABLED=True
# PSONO_FILES_ENABLED
Used to overwrite the FILES_ENABLED
parameter of the settings.yaml
, and to disable the file upload e.g.
export PSONO_FILES_ENABLED=False
# PSONO_ACTIVATION_LINK_TIME_VALID
Used to overwrite the ACTIVATION_LINK_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that an activation link is valid before expiration e.g.
export PSONO_ACTIVATION_LINK_TIME_VALID=2592000
# PSONO_DEFAULT_TOKEN_TIME_VALID
Used to overwrite the DEFAULT_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session is valid before expiration e.g.
export PSONO_DEFAULT_TOKEN_TIME_VALID=86400
# PSONO_MAX_WEB_TOKEN_TIME_VALID
Used to overwrite the MAX_WEB_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of a webclient is valid before expiration e.g.
export PSONO_MAX_WEB_TOKEN_TIME_VALID=2592000
# PSONO_MAX_APP_TOKEN_TIME_VALID
Used to overwrite the MAX_APP_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an app is valid before expiration e.g.
export PSONO_MAX_APP_TOKEN_TIME_VALID=31536000
# PSONO_MAX_API_KEY_TOKEN_TIME_VALID
Used to overwrite the MAX_API_KEY_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an API key is valid before expiration e.g.
export PSONO_MAX_API_KEY_TOKEN_TIME_VALID=600
# PSONO_RECOVERY_VERIFIER_TIME_VALID
Used to overwrite the RECOVERY_VERIFIER_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a verification challenge needs to be solved before expiration e.g.
export PSONO_RECOVERY_VERIFIER_TIME_VALID=600
# PSONO_REPLAY_PROTECTION_DISABLED
Used to overwrite the REPLAY_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the replay protection e.g.
export PSONO_REPLAY_PROTECTION_DISABLED=True
# PSONO_DEVICE_PROTECTION_DISABLED
Used to overwrite the DEVICE_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the device protection e.g.
export PSONO_DEVICE_PROTECTION_DISABLED=True
# PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
Used to overwrite the REPLAY_PROTECTION_TIME_DFFERENCE
parameter of the settings.yaml
, and to configure a time in seconds for time differences on the device e.g.
export PSONO_REPLAY_PROTECTION_TIME_DFFERENCE=True
# PSONO_DISABLE_CALLBACKS
Used to overwrite the DISABLE_CALLBACKS
parameter of the settings.yaml
, and to enable or disable callbacks e.g.
export PSONO_DISABLE_CALLBACKS=False
WARNING
The use of callbacks might allow attackers to execute a SSRF attack. Before you enable callbacks you should eather isolate
the system network wise or use ALLOWED_CALLBACK_URL_PREFIX
to whitelist possible targets for callbacks.
# PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
Used to overwrite the DISABLE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to disable central security reports e.g.
export PSONO_DISABLE_CENTRAL_SECURITY_REPORTS=True
# PSONO_ALLOWED_CALLBACK_URL_PREFIX
Used to overwrite the ALLOWED_CALLBACK_URL_PREFIX
parameter of the settings.yaml
, and to whitelist certain URL prefixes to receive callbacks e.g.
export PSONO_ALLOWED_CALLBACK_URL_PREFIX=https://example.com/path,http://test.example.com
# PSONO_ALLOWED_FILE_REPOSITORY_TYPES
Used to overwrite the ALLOWED_FILE_REPOSITORY_TYPES
parameter of the settings.yaml
, and to limit the allowed file repository providers e.g.
export ALLOWED_FILE_REPOSITORY_TYPES=azure_blob,gcp_cloud_storage,aws_s3,do_spaces,backblaze,other_s3
WARNING
The use "Other S3 Compatible" file repositories (other_s3
) you should use ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
to limit the potential targets,
otherwise this may lead to the possibility of SSRF attacks.
# PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
Used to overwrite the ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
parameter of the settings.yaml
, and to limit the target for "Other S3 compatible" file repositories e.g.
export ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX=https://s3.example.com/path,https://others3.example.com
# PSONO_ALLOW_MULTIPLE_SESSIONS
Used to overwrite the ALLOW_MULTIPLE_SESSIONS
parameter of the settings.yaml
, and to prevent multiple sessions e.g.
export PSONO_ALLOW_MULTIPLE_SESSIONS=False
# PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
Used to overwrite the AUTO_PROLONGATION_TOKEN_TIME_VALID
parameter of the settings.yaml
, and configure the time that a session is prolonged upon activity in seconds, so 900 for 15 minutes e.g.
export PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID=900
# PSONO_SECURE_PROXY_SSL_HEADER
Used to overwrite the SECURE_PROXY_SSL_HEADER
parameter of the settings.yaml
, and to specify Django's SECURE_PROXY_SSL_HEADER
e.g.
export PSONO_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
More infos can be found here docs.djangoproject.com/en/3.2/ref/settings/ (opens new window)
# PSONO_TIME_SERVER
Used to overwrite the TIME_SERVER
parameter of the settings.yaml
, and to configure an own timeserver that should be userd for the time health check e.g.
export PSONO_TIME_SERVER=time.example.com
# PSONO_AUTHENTICATION_METHODS
Used to overwrite the AUTHENTICATION_METHODS
parameter of the settings.yaml
, and to specify the list of allowed authetnication methods separated by a comma e.g.
export PSONO_AUTHENTICATION_METHODS=LDAP,SAML,AUTHKEY,OIDC
# PSONO_SENTRY_DSN
Used to overwrite the SENTRY_DSN
parameter of the settings.yaml
, and to configure the DSN parameter of sentry e.g.
export PSONO_SENTRY_DSN=https://...
# PSONO_SENTRY_ENVIRONMENT
Used to overwrite the SENTRY_ENVIRONMENT
parameter of the settings.yaml
, and to configure the DSN parameter of sentry e.g.
export PSONO_SENTRY_ENVIRONMENT=production
# Server: UWSGI
Psono's server component is a python application that runs with UWSGI which can be configured if necessary.
# UWSGI_PORT
Used to specify the UWSGI port, by default 80 e.g.
export UWSGI_PORT=80
# UWSGI_PROCESSES
Used to specify the amount of processes that UWSGI spawns to handle requests. A smaller amount can be favorable if you have less resources or a higher amount if you have more than 4 cores. By default 10. Rule of thumb: 2 x #cores + 2 e.g.
export UWSGI_PROCESSES=10
# UWSGI_BUFFER_SIZE
Used to specify the buffer size of UWSGI, by default 8192 bytes e.g.
export UWSGI_BUFFER_SIZE=8192
# Server: Enterprise Edition only
There are certain environment variables that only work with the enterprise edition server.
# PSONO_LICENSE_CODE
Used to overwrite the LICENSE_CODE
parameter of the settings.yaml
, and to configure a license code to prevent the server from trying to connect to the license server e.g.
export PSONO_LICENSE_CODE=jkhzzjzgkghjbztktbjhtgvhzjfzjgfzjkzbjkzbjkzbjkkgzjgzjk
# PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
Used to overwrite the COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to prevent central security reports e.g.
export PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS=False
# PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
Used to overwrite the COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
parameter of the settings.yaml
, and to specify the recurrence interval in seconds for security reports. 0 disables it. e.g.
export PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL=2592000
# PSONO_COMPLIANCE_ENFORCE_2FA
Used to overwrite the COMPLIANCE_ENFORCE_2FA
parameter of the settings.yaml
, and to enforce second factors e.g.
export PSONO_COMPLIANCE_ENFORCE_2FA=True
# PSONO_COMPLIANCE_DISABLE_EXPORT
Used to overwrite the COMPLIANCE_DISABLE_EXPORT
parameter of the settings.yaml
, and to disable the export feature e.g.
export PSONO_COMPLIANCE_DISABLE_EXPORT=True
# PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
Used to overwrite the COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
parameter of the settings.yaml
, and to disable the export of shared items e.g.
export PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS=True
# PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
Used to overwrite the COMPLIANCE_DISABLE_UNMANAGED_GROUPS
parameter of the settings.yaml
, and to disable unmanaged
groups, so normal users cannot create groups anymore e.g.
export PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS=True
# PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
Used to overwrite the COMPLIANCE_DISABLE_DELETE_ACCOUNT
parameter of the settings.yaml
, and to disable the delete account option e.g.
export PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT=True
# PSONO_COMPLIANCE_DISABLE_API_KEYS
Used to overwrite the COMPLIANCE_DISABLE_API_KEYS
parameter of the settings.yaml
, and to disable API keys e.g.
export PSONO_COMPLIANCE_DISABLE_API_KEYS=True
# PSONO_COMPLIANCE_SERVER_SECRETS
Used to overwrite the COMPLIANCE_SERVER_SECRETS
parameter of the settings.yaml
. The server will by default keep for SAML / OIDC / LDAP users a backup of the user's keys and as such not ask the user for
encryption password during login, while the server won't know / store those keys for regular AUTHKEY users (COMPLIANCE_SERVER_SECRETS: 'auto'
).
You may want to change this behavior and potentially force users to use a separate encryption password (COMPLIANCE_SERVER_SECRETS: 'noone'
, most secure but no way to regain access to an account if a user loses his encryption password)
or force even AUTHKEY users to hand over their keys to the server (COMPLIANCE_SERVER_SECRETS: 'all'
, least secure, but allows admins to set a new password for a user if he loses his password) e.g.
export PSONO_COMPLIANCE_SERVER_SECRETS=noone
# PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
Used to overwrite the COMPLIANCE_DISABLE_EMERGENCY_CODES
parameter of the settings.yaml
, and to disable emergency codes e.g.
export PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES=True
# PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
Used to overwrite the COMPLIANCE_DISABLE_RECOVERY_CODES
parameter of the settings.yaml
, and to disable recovery codes e.g.
export PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES=True
# PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
Used to overwrite the COMPLIANCE_DISABLE_FILE_REPOSITORIES
parameter of the settings.yaml
, and to disable file repositories e.g.
export PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES=True
# PSONO_COMPLIANCE_DISABLE_LINK_SHARES
Used to overwrite the COMPLIANCE_DISABLE_LINK_SHARES
parameter of the settings.yaml
, and to disable link shares e.g.
export PSONO_COMPLIANCE_DISABLE_LINK_SHARES=True
# PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
Used to overwrite the COMPLIANCE_DISABLE_OFFLINE_MODE
parameter of the settings.yaml
, and to prevent offline mode e.g.
export PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE=True
# PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
Used to overwrite the COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
parameter of the settings.yaml
, and to restrict how long an offline cache can be used e.g.
export PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID=31536000
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
parameter of the settings.yaml
, and to specify a minimal master password length e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH=14
# PSONO_COMPLIANCE_IP_RESTRICTIONS
Used to overwrite the COMPLIANCE_IP_RESTRICTIONS
parameter of the settings.yaml
, and to restrict usage (webclient, apps, portal, API keys) of Psono to certain IP ranges.
Specifically excluded are link shares and all API endpoints for the fileserver, SCIM and remote management commands.
export PSONO_COMPLIANCE_IP_RESTRICTIONS=10.5.0.0/24,10.4.0.0/16
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
parameter of the settings.yaml
, and to enforce a minimal password complexity e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY=3
# PSONO_COMPLIANCE_CLIPBOARD_CLEAR_DELAY
Used to overwrite the COMPLIANCE_CLIPBOARD_CLEAR_DELAY
parameter of the settings.yaml
, and to set another default for the clipboard clear delay in second (a value of 0 disables automatic clipboard clearing) e.g.
export PSONO_COMPLIANCE_CLIPBOARD_CLEAR_DELAY=30
# PSONO_COMPLIANCE_MIN_CLIPBOARD_CLEAR_DELAY
Used to overwrite the COMPLIANCE_MIN_CLIPBOARD_CLEAR_DELAY
parameter of the settings.yaml
, and to set another minimum for the clipboard clear delay in second e.g.
export PSONO_COMPLIANCE_MIN_CLIPBOARD_CLEAR_DELAY=0
# PSONO_COMPLIANCE_MAX_CLIPBOARD_CLEAR_DELAY
Used to overwrite the COMPLIANCE_MAX_CLIPBOARD_CLEAR_DELAY
parameter of the settings.yaml
, and to set another maximum for the clipboard clear delay in second e.g.
export PSONO_COMPLIANCE_MAX_CLIPBOARD_CLEAR_DELAY=600
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH
parameter of the settings.yaml
, and to configure the default length for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH=16
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
parameter of the settings.yaml
, and to configure the default set of uppercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE=ABCDEFGHIJKLMNOPQRSTUVWXYZ
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
parameter of the settings.yaml
, and to configure the default set of lowercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE=abcdefghijklmnopqrstuvwxyz
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
parameter of the settings.yaml
, and to configure the default set of numbers for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS=0123456789
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
parameter of the settings.yaml
, and to configure the default set of special characters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS=,.-:_
# PSONO_LDAPGATEWAY_TIMEOUT
Used to overwrite the LDAPGATEWAY_TIMEOUT
parameter of the settings.yaml
, and to configure the timeout in seconds for LDAP gateway requests e.g.
export PSONO_LDAPGATEWAY_TIMEOUT=10
# PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
Used to overwrite the LDAPGATEWAY_EXCLUSIVE_SECRETS
parameter of the settings.yaml
, and to specify that the LDAP gateway should handle all user secrets exclusively e.g.
export PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS=True
# PSONO_LDAPGATEWAY
Used to overwrite the LDAPGATEWAY
parameter of the settings.yaml
, and to configure the connection to a LDAP gateway e.g.
export PSONO_LDAPGATEWAY=[...]
With [...]
being the json representation of the LDAPGATEWAY yaml, e.g.
[
{
"CLIENT_ID": "3073da7d-5925-4142-a50b-f0478d7ee4aa",
"CLIENT_PRIVATE_KEY": "5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd",
"SERVER_PUBLIC_KEY": "141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622",
"SERVER_URL": "https://ldapgateway.example.com",
"SSL_VERIFY": true
}
]
TIP
Use an online converter like e.g. onlineyamltools.com/convert-yaml-to-json (opens new window) to convert between yaml and json
# PSONO_LDAP
Used to overwrite the LDAP
parameter of the settings.yaml
, and to configure the connection to an LDAP server e.g.
export PSONO_LDAP=[...]
With [...]
being the json representation of the LDAP yaml, e.g.
[
{
"LDAP_URL": "ldap://ldap.example.com:389",
"LDAP_DOMAIN": "example.com",
"LDAP_BIND_DN": "CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com",
"LDAP_BIND_PASS": "a_password",
"LDAP_SEARCH_USER_DN": "OU=Users,OU=example.com,DC=example,DC=com",
"LDAP_SEARCH_GROUP_DN": "OU=example.com,DC=example,DC=com",
"LDAP_ATTR_EMAIL": "mail"
}
]
TIP
Use an online converter like e.g. onlineyamltools.com/convert-yaml-to-json (opens new window) to convert between yaml and json
# PSONO_SAML_CONFIGURATIONS
Used to overwrite the SAML_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to a SAML IDP e.g.
export PSONO_SAML_CONFIGURATIONS={...}
With {...}
being the json representation of the SAML_CONFIGURATIONS yaml, e.g.
{
"1": {
"idp": {
"entityId": "http://saml.example.com:8080/simplesaml/saml2/idp/metadata.php",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SingleLogoutService.php"
},
"singleSignOnService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SSOService.php"
},
"x509cert": "MIIDXTCCA...==",
"groups_attribute": "eduPersonAffiliation",
"username_attribute": "email",
"email_attribute": "email",
"username_domain": "example.com",
"required_group": [
"group1"
],
"is_adfs": false,
"honor_multifactors": true,
"max_session_lifetime": 86400
},
"sp": {
"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"assertionConsumerService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"attributeConsumingService": {
"requestedAttributes": [
{
"attributeValue": [],
"friendlyName": "",
"isRequired": false,
"name": "asdf",
"nameFormat": ""
}
],
"serviceDescription": "Test Service",
"serviceName": "SP test"
},
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n.\n.\n.\n-----END RSA PRIVATE KEY-----\n",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"user_default_active": false,
"autoprovision_psono_folder": false,
"autoprovision_psono_group": false,
"x509cert": "-----BEGIN CERTIFICATE-----\n.\n.\n.\n-----END CERTIFICATE-----\n"
},
"strict": true
}
}
TIP
Use an online converter like e.g. onlineyamltools.com/convert-yaml-to-json (opens new window) to convert between yaml and json
# PSONO_OIDC_CONFIGURATIONS
Used to overwrite the OIDC_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to an OIDC provider e.g.
export PSONO_OIDC_CONFIGURATIONS=True
With {...}
being the json representation of the OIDC_CONFIGURATIONS yaml, e.g.
{
"1": {
"OIDC_RP_SIGN_ALGO": "RS256",
"OIDC_RP_CLIENT_ID": "2564ebf9-3c1e-43e6-8ba9-e553d80f1000",
"OIDC_RP_CLIENT_SECRET": "b176052a-bc24-408a-94fe-163750dca482",
"OIDC_OP_JWKS_ENDPOINT": "http://oidc.example.com:8585/jwks",
"OIDC_OP_AUTHORIZATION_ENDPOINT": "http://oidc.example.com:8585/authorize",
"OIDC_OP_TOKEN_ENDPOINT": "http://oidc.example.com:8585/token",
"OIDC_OP_USER_ENDPOINT": "http://oidc.example.com:8585/userinfo",
"OIDC_OP_ENDSESSION_ENDPOINT": "http://oidc.example.com:8585/end-session",
"OIDC_ALLOWED_REDIRECT_URLS": [
"https://psono.example.com/"
],
"OIDC_GROUPS_ATTRIBUTE_DICT_GROUP_ID": "groupId"
}
}
TIP
Use an online converter like e.g. onlineyamltools.com/convert-yaml-to-json (opens new window) to convert between yaml and json
# PSONO_LOGGING_AUDIT
Used to overwrite the LOGGING_AUDIT
parameter of the settings.yaml
, and to enable audit logging e.g.
export PSONO_LOGGING_AUDIT=True
# PSONO_LOGGING_AUDIT_WHITELIST
Used to overwrite the LOGGING_AUDIT_WHITELIST
parameter of the settings.yaml
, and to whitelist only certain events to be logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_WHITELIST=API_KEY_LOGIN_ERROR,SAML_LOGIN_ERROR,SAML_INITIATE_LOGIN_ERROR,SAML_LOGIN_ERROR,OIDC_INITIATE_LOGIN_ERROR
# PSONO_LOGGING_AUDIT_BLACKLIST
Used to overwrite the LOGGING_AUDIT_BLACKLIST
parameter of the settings.yaml
, and to blacklist certain events so they are not logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_BLACKLIST=CHECK_HEALTH_SUCCESS,READ_STATUS_SUCCESS
# PSONO_LOGGING_AUDIT_FOLDER
Used to overwrite the LOGGING_AUDIT_FOLDER
parameter of the settings.yaml
, and used to configure the directory for the audit log files e.g.
export PSONO_LOGGING_AUDIT_FOLDER=/var/log/psono
# PSONO_LOGGING_AUDIT_TIME
Used to overwrite the LOGGING_AUDIT_TIME
parameter of the settings.yaml
, and used to configure a different timezone for the logging. Either UTC (value time_utc
) or your server time (value time_server
) e.g.
export PSONO_LOGGING_AUDIT_TIME=time_utc
# PSONO_LOGSTASH_FORMATTER
Used to overwrite the LOGSTASH_FORMATTER
parameter of the settings.yaml
, and to specify a different formatter e.g.
export PSONO_LOGSTASH_FORMATTER=logstash_async.formatter.DjangoLogstashFormatter
# PSONO_LOGSTASH_MESSAGE_TYPE
Used to overwrite the LOGSTASH_MESSAGE_TYPE
parameter of the settings.yaml
, and to specify a different message type e.g.
export PSONO_LOGSTASH_MESSAGE_TYPE=psono:auditLog
# PSONO_LOGSTASH_EXTRA_PREFIX
Used to overwrite the LOGSTASH_EXTRA_PREFIX
parameter of the settings.yaml
, and to specify a certain prefix e.g.
export PSONO_LOGSTASH_EXTRA_PREFIX=something_
# PSONO_SPLUNK_HOST
Used to overwrite the SPLUNK_HOST
parameter of the settings.yaml
, and to specify the host of your Splunk Receiver e.g.
export PSONO_SPLUNK_HOST=splunk.example.com
# PSONO_SPLUNK_PORT
Used to overwrite the SPLUNK_PORT
parameter of the settings.yaml
, and to specify the host of your Splunk Receiver e.g.
export PSONO_SPLUNK_PORT=1234
# PSONO_SPLUNK_TOKEN
Used to overwrite the SPLUNK_TOKEN
parameter of the settings.yaml
, and to specify the generated token of your Splunk Receiver e.g.
export PSONO_SPLUNK_TOKEN=True
# PSONO_SPLUNK_INDEX
Used to overwrite the SPLUNK_INDEX
parameter of the settings.yaml
, and to specify the Splunk index that should be used e.g.
export PSONO_SPLUNK_INDEX=whatever
# PSONO_SPLUNK_VERIFY
Used to overwrite the SPLUNK_VERIFY
parameter of the settings.yaml
, and used to disable SSL verification for your Splunk transport e.g.
export PSONO_SPLUNK_VERIFY=False
# PSONO_SPLUNK_PROTOCOL
Used to overwrite the SPLUNK_PROTOCOL
parameter of the settings.yaml
, and to specify the splunk transport mmechanism e.g.
export PSONO_SPLUNK_PROTOCOL=https
# PSONO_SPLUNK_SOURCETYPE
Used to overwrite the SPLUNK_SOURCETYPE
parameter of the settings.yaml
, and to specify the source type of the entries in Splunk e.g.
export PSONO_SPLUNK_SOURCETYPE=psono:auditLog
# PSONO_LOGSTASH_HANDLER
Used to overwrite the LOGSTASH_HANDLER
parameter of the settings.yaml
, and to configure a different handler class e.g.
export PSONO_LOGSTASH_HANDLER=logstash_async.handler.SynchronousLogstashHandler
# PSONO_LOGSTASH_TRANSPORT
Used to overwrite the LOGSTASH_TRANSPORT
parameter of the settings.yaml
, and used to specify a different transport mechanism e.g.
export PSONO_LOGSTASH_TRANSPORT=logstash_async.transport.TcpTransport
# PSONO_LOGSTASH_HOST
Used to overwrite the LOGSTASH_HOST
parameter of the settings.yaml
, and to specify the the logstash host e.g.
export PSONO_LOGSTASH_HOST=logstash.example.com
# PSONO_LOGSTASH_PORT
Used to overwrite the LOGSTASH_PORT
parameter of the settings.yaml
, and to specify the the logstash port e.g.
export PSONO_LOGSTASH_PORT=5959
# PSONO_LOGSTASH_SSL_ENABLED
Used to overwrite the LOGSTASH_SSL_ENABLED
parameter of the settings.yaml
, and to specify whether one wants to use SSL or not e.g.
export PSONO_LOGSTASH_SSL_ENABLED=True
# PSONO_LOGSTASH_SSL_VERIFY
Used to overwrite the LOGSTASH_SSL_VERIFY
parameter of the settings.yaml
, and to specify whether to verify the certificate or not e.g.
export PSONO_LOGSTASH_SSL_VERIFY=True
# PSONO_LOGSTASH_CA_CERTS
Used to overwrite the LOGSTASH_CA_CERTS
parameter of the settings.yaml
, and to specify the path to a file containing the custom CAs e.g.
export PSONO_LOGSTASH_CA_CERTS=/etc/ssl/custom.ca
# PSONO_LOGSTASH_CERFILE
Used to overwrite the LOGSTASH_CERFILE
parameter of the settings.yaml
, and to specify the path to an own cert file e.g.
export PSONO_LOGSTASH_CERFILE=/etc/ssl/logstash.cert
# PSONO_LOGSTASH_KEYFILE
Used to overwrite the LOGSTASH_KEYFILE
parameter of the settings.yaml
, and to specify the path to an own key file e.g.
export PSONO_LOGSTASH_KEYFILE=/etc/ssl/logstash.key
# PSONO_LOGSTASH_DATABASE_PATH
Used to overwrite the LOGSTASH_DATABASE_PATH
parameter of the settings.yaml
, and to configure a custom path for the database e.g.
export PSONO_LOGSTASH_DATABASE_PATH=/logstash/database/
# Client
You can configure the client with the following parameter.
# PSONO_WEBCLIENT_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_WEBCLIENT_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Portal
You can configure the portal with the following parameter.
# PSONO_PORTAL_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_PORTAL_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Combo Images
Psono combo images come with an nginx, that glues the bundled server, client and portal together. You can use the following parameters to configure the nginx.
# NGINX_WORKER_PROCESSES
Used to configure nginx' worker_processes
parameter, defaults to 1
.
export NGINX_WORKER_PROCESSES=1
# NGINX_STRICT_TRANSPORT_SECURITY
Used to configure nginx' add_header Strict-Transport-Security
parameter, defaults to not being specified.
export NGINX_STRICT_TRANSPORT_SECURITY='"max-age=31536000; includeSubDomains" always;'
# NGINX_HEADER_REFERRER_POLICY
Used to configure nginx' add_header Referrer-Policy
parameter, defaults to same-origin
.
export NGINX_HEADER_REFERRER_POLICY=same-origin
# NGINX_HEADER_X_FRAME_OPTIONS
Used to configure nginx' add_header X-Frame-Options
parameter, defaults to DENY
.
export NGINX_HEADER_X_FRAME_OPTIONS=DENY
# NGINX_HEADER_X_CONTENT_TYPE_OPTIONS
Used to configure nginx' add_header X-Content-Type-Options
parameter, defaults to nosniff
.
export NGINX_HEADER_X_CONTENT_TYPE_OPTIONS=nosniff
# NGINX_HEADER_X_XSS_PROTECTION
Used to configure nginx' add_header X-XSS-Protection
parameter, defaults to "1; mode=block"
.
export NGINX_HEADER_X_XSS_PROTECTION='"1; mode=block"'
# NGINX_HEADER_CONTENT_SECURITY_POLICY
Used to configure nginx' add_header Content-Security-Policy
parameter, defaults to "default-src none; manifest-src self; connect-src self https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src self; img-src self www.google-analytics.com data:; script-src self www.google-analytics.com; style-src self unsafe-inline; object-src self; child-src self; form-action self"
.
export NGINX_HEADER_CONTENT_SECURITY_POLICY='"default-src \'none\'; manifest-src \'self\'; connect-src \'self\' https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src \'self\'; img-src \'self\' www.google-analytics.com data:; script-src \'self\' www.google-analytics.com; style-src \'self\' \'unsafe-inline\'; object-src \'self\'; child-src \'self\'; form-action \'self\'"'