.env.example
# MailAccess Environment Configuration
# Template of the settings MailAccess reads from the environment. Copy it to `.env`
# and fill in real values there. Keep the populated file out of version control:
# it will hold API keys, tokens and webhook URLs.
# Application Environment
# Can be 'development' or 'production'
MAILACCESS_ENV=development
# Database Connection
# Leave empty to use SQLite. Default: sqlite+aiosqlite:///./data/mailaccess.db
# To use Postgres, set this to your connection string. Example:
# DATABASE_URL=postgresql://user:password@db:5432/mailaccess
# The connection string embeds the database password, so treat it as a secret.
# `user:password` above is a placeholder; use a dedicated, least-privilege account.
# DATABASE_URL=
# Backend Configuration
# The URL where the backend is accessible
# The default is plain HTTP on localhost; use an https:// URL when the backend is
# reached over a network.
BACKEND_URL=http://localhost:8000
# CORS Allowed Origins
# CORS_ORIGINS must be a JSON array - do not use a plain string
# Correct: CORS_ORIGINS=["http://localhost:3000"]
# Wrong: CORS_ORIGINS=http://localhost:3000
# The defaults below are local development origins. In production, list only the
# exact origins of your own frontend and avoid wildcard entries.
CORS_ORIGINS=["http://localhost:3000","http://localhost:5173"]
# Application debug mode (true/false)
# Keep this false outside development.
# NOTE(review): what DEBUG enables is not described here - confirm it does not
# expose stack traces or request data in responses.
DEBUG=false
# Log level: DEBUG, INFO, WARNING, ERROR
# NOTE(review): confirm that DEBUG-level logs do not record API keys, webhook URLs
# or proxy credentials before enabling them on a shared host.
LOG_LEVEL=INFO
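# Investigation Settings
# Maximum number of modules to run concurrently
MAX_CONCURRENT_MODULES=10
# Per-module timeout in seconds
MODULE_TIMEOUT_SECONDS=30
# MODULE_TIMEOUT_OVERRIDES must be a JSON object - do not use a plain string
# Correct: MODULE_TIMEOUT_OVERRIDES={"whatsmyname": 200}
# Wrong: MODULE_TIMEOUT_OVERRIDES=whatsmyname=200
# Keep the object on ONE line. An unquoted value that spans several lines is cut
# off at the first line break by common dotenv loaders and by line-based readers
# such as `docker run --env-file`, leaving only `{` as the value.
# Values are presumably seconds, like MODULE_TIMEOUT_SECONDS - confirm.
MODULE_TIMEOUT_OVERRIDES={"whatsmyname": 200, "account_discovery": 120, "user_scanner": 180, "breach_deep": 90}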
# Whether to enable investigation history persistence
# With history on, investigation results are stored by the application; protect
# the data store accordingly (NOTE(review): storage location and retention are not
# described here - confirm).
ENABLE_HISTORY=true
# Module toggles. Each enabled module sends requests to third-party services, so
# the enabled set determines which external parties see the investigated identifiers.
# NOTE(review): the trailing `# ...` notes on the lines below rely on the loader
# stripping inline comments; some loaders keep them as part of the value. Confirm
# for every loader that reads this file.
# Account discovery module: probes registration/reset endpoints across 57 platforms.
# NOTE(review): the line above says 57 platforms, the inline note says 120+ - confirm.
ENABLE_ACCOUNT_DISCOVERY=true # Holehe 120+ platforms
# WhatsMyName module: username enumeration across 700+ platforms.
ENABLE_WHATSMYNAME=true # 700+ platform sweep
# User-scanner: email registration probes across 205+ platforms (user-scanner package).
ENABLE_USER_SCANNER=true # 205+ platform vectors
# Username pivot: re-checks WhatsMyName using usernames recovered from primary findings.
ENABLE_USERNAME_PIVOT=true # username cross-check
# Permutation discovery: auto-generates email variations and probes each.
ENABLE_PERMUTATION_DISCOVERY=true # email variations
# Email discovery: searches public results for other emails tied to recovered names.
ENABLE_EMAIL_DISCOVERY=false # opt-in: needs SERPAPI_KEY
# GHunt: deep Google account intelligence (GAIA ID, YouTube channel, Maps reviews, profile photo).
ENABLE_GHUNT=false # opt-in: needs cookie setup
# Absolute path to the ghunt_creds.json file generated by `ghunt login`
# That file holds the session credentials created by the login step. Store it
# outside the repository, readable only by the account that runs MailAccess.
GHUNT_CREDS_PATH=
# Phone intel: validate recovered phone numbers and probe WhatsApp/Telegram (post-primary).
ENABLE_PHONE_INTEL=true # phone enrichment
# Messaging hints: best-effort Telegram username checks during primary gather.
ENABLE_MESSAGING_HINTS=true # Telegram/WhatsApp hints
# Deep breach mode: registration/reset probing against high-severity breached domains.
ENABLE_BREACH_DEEP=false # opt-in: slow 90s probe
# NOTE(review): BREACH_DEEP_LIMIT and BREACH_DEEP_FULL are not documented here;
# presumably a cap on the number of domains probed and a switch that lifts it - confirm.
BREACH_DEEP_LIMIT=100
BREACH_DEEP_FULL=false
# Optional proxy for all requests (e.g. Tor or HTTP proxy)
# Example: socks5://127.0.0.1:9050 (Tor) or http://user:pass@proxy:port
# A URL of the `user:pass@` form carries the proxy credentials; treat it as a secret.
# NOTE(review): whether hostnames are resolved locally or through the proxy depends
# on the HTTP client and URL scheme - confirm if DNS lookups must not leave via the host.
PROXY_URL=
# Set to true to activate the proxy. Proxy is ignored when false.
# While this is false, requests leave directly from this host even if PROXY_URL is set.
PROXY_ENABLED=false
# Per-domain rate limiting
# Set to false to disable all rate limiting (not recommended in production)
RATE_LIMIT_ENABLED=true
# Default minimum delay between requests to the same domain (milliseconds)
REQUEST_DELAY_MS=1000
# Per-domain overrides as a JSON object (values in milliseconds)
# Example: RATE_LIMIT_OVERRIDES={"api.github.com": 500, "api.xposedornot.com": 1000, "haveibeenpwned.com": 1500}
RATE_LIMIT_OVERRIDES={}
# Legacy per-domain delays in seconds (JSON object): RATE_LIMIT_DELAYS={"haveibeenpwned.com": 1.5}
# Note the unit difference: seconds here, milliseconds in RATE_LIMIT_OVERRIDES.
# NOTE(review): precedence when a domain appears in both objects is not stated - confirm.
RATE_LIMIT_DELAYS={}
# Integrations (Webhooks)
# A webhook URL acts as a credential: anyone who holds it can post to the
# destination. Keep these values out of logs, screenshots and version control.
SLACK_WEBHOOK_URL=
DISCORD_WEBHOOK_URL=
INTEGRATION_WEBHOOK_URL=
# NOTE(review): not documented here; presumably a shared secret used to authenticate
# or sign deliveries to INTEGRATION_WEBHOOK_URL - confirm. Use a long random value.
INTEGRATION_WEBHOOK_SECRET=
# API Keys (all optional, features will be disabled if key is missing)
# Exception: MAILACCESS_API_KEY guards this application's own REST API rather
# than an external feature.
# MAILACCESS_API_KEY restricts access to the REST API if set
# Left empty, the REST API is not restricted by a key. Set a long random value
# whenever the backend is reachable from anything other than localhost.
MAILACCESS_API_KEY=
# Have I Been Pwned API Key for breach data (hibp module)
HIBP_API_KEY=
# XposedOrNot uses public breach endpoints and does not require an API key.
# LeakCheck uses public breach endpoints and does not require an API key.
# BreachDirectory API Key (RapidAPI — breachdirectory module)
# Free tier: https://rapidapi.com/rohan-patra/api/breachdirectory
BREACHDIRECTORY_API_KEY=
# SerpAPI Key for Google dork queries (google_dork and email_discovery modules)
SERPAPI_KEY=
# GitHub personal access token (optional)
# Required for github_commits commit search
# Without it, only user profile search runs
# Get at: github.com/settings/tokens
# Create the token with the minimum scopes the search needs and give it an expiry;
# it does not need write access for the uses described above.
GITHUB_TOKEN=
# Shodan API Key for host intelligence (shodan module and domain_intel)
SHODAN_API_KEY=
# EmailRep API Key for email reputation checking (emailrep module, optional - raises rate limits)
EMAILREP_API_KEY=
# Hunter.io API Key for email deliverability checks (hunter_io module)
HUNTER_IO_API_KEY=