PhotoPrism® Pro includes the following additional config options, as well as more secure default settings to protect your instance by blocking vulnerability scanners and preventing the exploitation of newly discovered issues:
| Environment | CLI Flag | Default | Description |
|---|---|---|---|
| PHOTOPRISM_DISABLE_STS | –disable-sts | false | disables HTTP Strict-Transport-Security (STS) header |
| PHOTOPRISM_STS_SECONDS | –sts-seconds | 31536000 | TIME for the browser to remember that the site is to be accessed only via HTTPS (0 to disable) |
| PHOTOPRISM_STS_SUBDOMAINS | –sts-subdomains | false | applies rule to all subdomains |
| PHOTOPRISM_STS_PRELOAD | –sts-preload | false | allows submission to Google’s HSTS preload service |
| PHOTOPRISM_REQUEST_LIMIT | –request-limit | 500 | maximum number of concurrent HTTP REQUESTS allowed from a single IP |
| PHOTOPRISM_REQUEST_INTERVAL | –request-interval | 5ms | average DURATION between HTTP requests from a single IP (0-1000ms) |
| PHOTOPRISM_LOGIN_LIMIT | –login-limit | 10 | maximum number of consecutive failed LOGINS from a single IP |
| PHOTOPRISM_LOGIN_INTERVAL | –login-interval | 1m0s | average DURATION between failed logins from a single IP (0-86400s) |
| PHOTOPRISM_IPS_LIMIT | –ips-limit | 3 | maximum number of malicious request ATTEMPTS before a client IP is blocked (-1 to disable) |
| PHOTOPRISM_IPS_INTERVAL | –ips-interval | 1h0m0s | average DURATION between malicious request attempts from a single IP (0-86400s) |
| PHOTOPRISM_HTTP_CSP | –http-csp | HTTP Content-Security-Policy (CSP) HEADER |
|
| PHOTOPRISM_HTTP_CTO | –http-cto | nosniff | HTTP X-Content-Type-Options HEADER |
| PHOTOPRISM_HTTP_COOP | –http-coop | same-origin | HTTP Cross-Origin-Opener-Policy (COOP) HEADER |
| PHOTOPRISM_HTTP_REFERRER_POLICY | –http-referrer-policy | same-origin | HTTP Referrer-Policy HEADER |
| PHOTOPRISM_HTTP_FRAME_OPTIONS | –http-frame-options | DENY | HTTP X-Frame-Options HEADER |
| PHOTOPRISM_HTTP_HOSTNAME | –http-hostname | serve requests for this HOSTNAME only |
Using a Reverse Proxy
Advanced users can alternatively set the security headers listed above in combination with a reverse proxy running in front of their instances if they have special requirements. Please note, however, that our team can only provide you with limited technical support in this case and we only recommend this if you have the experience required.
PhotoPrism® Documentation
For more information on specific features, services and related resources, please refer to the other documentation available in our Knowledge Base and User Guide:
