PhotoPrism® Pro includes the following additional config options, as well as more secure default settings to protect your instance by blocking vulnerability scanners and preventing the exploitation of newly discovered issues:

| Environment | CLI Flag | Default | Description |
|---|---|---|---|
| PHOTOPRISM_DISABLE_STS | --disable-sts | | disable HTTP Strict-Transport-Security (STS) header pro |
| PHOTOPRISM_STS_SECONDS | --sts-seconds | 31536000 | TIME for the browser to remember that the site is to be accessed only via HTTPS (0 to disable) pro |
| PHOTOPRISM_STS_SUBDOMAINS | --sts-subdomains | | rule applies to all subdomains as well pro |
| PHOTOPRISM_STS_PRELOAD | --sts-preload | | submit to Google's HSTS preload service pro |
| PHOTOPRISM_REQUEST_LIMIT | --request-limit | 500 | maximum number of concurrent HTTP REQUESTS allowed from a single IP pro |
| PHOTOPRISM_REQUEST_INTERVAL | --request-interval | 5ms | average DURATION between HTTP requests from a single IP (0-1000ms) pro |
| PHOTOPRISM_LOGIN_LIMIT | --login-limit | 10 | maximum number of consecutive failed LOGIN ATTEMPTS from a single IP pro |
| PHOTOPRISM_LOGIN_INTERVAL | --login-interval | 1m0s | average DURATION between failed LOGIN attempts from a single IP (0-86400s) pro |
| PHOTOPRISM_IPS_LIMIT | --ips-limit | 3 | maximum number of malicious request ATTEMPTS before a client IP is blocked (-1 to disable) pro |
| PHOTOPRISM_IPS_INTERVAL | --ips-interval | 1h0m0s | average DURATION between malicious request attempts from a single IP (0-86400s) pro |
| PHOTOPRISM_HTTP_CSP | --http-csp | | HTTP Content-Security-Policy (CSP) HEADER pro |
| PHOTOPRISM_HTTP_CTO | --http-cto | nosniff | HTTP X-Content-Type-Options HEADER pro |
| PHOTOPRISM_HTTP_COOP | --http-coop | same-origin | HTTP Cross-Origin-Opener-Policy (COOP) HEADER pro |
| PHOTOPRISM_HTTP_REFERRER_POLICY | --http-referrer-policy | same-origin | HTTP Referrer-Policy HEADER pro |
| PHOTOPRISM_HTTP_FRAME_OPTIONS | --http-frame-options | DENY | HTTP X-Frame-Options HEADER pro |
| PHOTOPRISM_HTTP_XSS_PROTECTION | --http-xss-protection | 1; mode=block | HTTP X-XSS-Protection HEADER pro |
| PHOTOPRISM_HTTP_HOSTNAME | --http-hostname | | serve requests for this HOSTNAME only pro |

Using a Reverse Proxy
Advanced users can alternatively set the security headers listed above in combination with a reverse proxy running in front of their instances if they have special requirements. Please note, however, that our team can only provide you with limited technical support in this case and we only recommend this if you have the experience required.
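
When the headers are moved to a reverse proxy, it helps to confirm that responses still carry the defaults from the table above and that no header is sent twice. The following check is an added example, not PhotoPrism code; `audit_headers` and `SAMPLE` are names made up here, and the sample response is constructed.

```python
import re

# Defaults from the table above; CSP is skipped because the table lists no default.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "cross-origin-opener-policy": "same-origin",
    "referrer-policy": "same-origin",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}
STS_SECONDS = 31536000  # default of PHOTOPRISM_STS_SECONDS

def _norm(value):
    """Ignore case and whitespace so '1;mode=block' equals '1; mode=block'."""
    return re.sub(r"\s+", "", value).lower()

def audit_headers(pairs, https=True):
    """Check (name, value) header pairs; return a list of findings, empty if all match."""
    got = {}
    for name, value in pairs:
        got.setdefault(name.lower(), []).append(value)
    findings = []
    for name, want in EXPECTED.items():
        values = got.get(name, [])
        if not values:
            findings.append(f"{name}: missing, expected {want!r}")
        elif len(values) > 1:
            # Typical when the proxy adds a header the backend already sends.
            findings.append(f"{name}: sent {len(values)} times")
        elif _norm(values[0]) != _norm(want):
            findings.append(f"{name}: got {values[0]!r}, expected {want!r}")
    if https:  # HSTS is only meaningful on HTTPS responses
        sts = got.get("strict-transport-security", [])
        match = re.search(r'max-age\s*=\s*"?(\d+)', sts[0], re.I) if sts else None
        if len(sts) != 1:
            findings.append(f"strict-transport-security: sent {len(sts)} times")
        elif match is None or int(match.group(1)) < STS_SECONDS:
            findings.append(f"strict-transport-security: max-age below {STS_SECONDS}")
    return findings

# Constructed sample: header pairs in the form http.client's getheaders() returns.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Content-Type-Options", "nosniff"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Referrer-Policy", "no-referrer"),
    ("X-XSS-Protection", "1;mode=block"),
]
```

Calling `audit_headers(SAMPLE)` reports the duplicated `X-Content-Type-Options`, the changed `Referrer-Policy`, the missing `X-Frame-Options` and the short HSTS lifetime.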
