Environment

Backend

• ADMIN_USER / ADMIN_PASS — bootstrap admin credentials validated during login
• JWT_SECRET — HMAC secret for issuing and verifying JWT admin sessions (required)
• SESSION_TTL_SECONDS — lifetime of issued JWTs in seconds (min 300, max 43200; default 3600)
• DATABASE_PATH — SQLite file path (default ./invio.db inside container)
• BACKEND_PORT or PORT — listen port (default 3000)
• BASE_URL — optional base URL used when generating public share links
• Security headers
  • SECURE_HEADERS_DISABLED — set true only to disable the default hardened headers (for development)
  • ENABLE_HSTS — emit Strict-Transport-Security when requests arrive over HTTPS
  • CONTENT_SECURITY_POLICY — override the default API CSP if you expose extra hosts
• Demo mode controls
  • DEMO_MODE — set true to enable demo mode (writable sandbox with periodic resets)
  • DEMO_DB_PATH — path to pristine demo database snapshot used for resets
  • DEMO_RESET_HOURS — interval in hours between automatic resets (default 0.5)
  • DEMO_RESET_ON_START — reset database on app startup (default true)

Frontend

• PORT — UI listen port (default 8000 in Compose)
• BACKEND_URL — base URL for backend API (e.g. http://backend:3000 in Compose)
• Auth/session tuning
  • SESSION_TTL_SECONDS — mirrors backend default for cookie expiry (default 3600)
  • COOKIE_SECURE — set false for local HTTP dev; defaults to true (HTTPS only cookies)
• Security headers
  • FRONTEND_SECURE_HEADERS_DISABLED — disable hardened headers (development only, set true)
  • ENABLE_HSTS — emit Strict-Transport-Security when the site is served via HTTPS
  • FRONTEND_CONTENT_SECURITY_POLICY — override the default frontend CSP (allows Tailwind/DaisyUI/Google Fonts by default)

Docker Compose

• Named volume invio_data stores persistent data under /app/data in the backend container.
• Mount ./VERSION into the frontend container if you override the published images and want the dashboard version card to display accurately.