PhotoPrism® Plus includes the following additional config options, as well as more secure default settings to protect your instance by blocking vulnerability scanners and preventing the exploitation of newly discovered issues:
Environment | CLI Flag | Default | Description |
---|---|---|---|
PHOTOPRISM_STS_SECONDS | --sts-seconds | 31536000 | TIME for the browser to remember that the site is to be accessed only via HTTPS (0 to disable) |
PHOTOPRISM_STS_SUBDOMAINS | --sts-subdomains | | rule applies to all subdomains as well |
PHOTOPRISM_STS_PRELOAD | --sts-preload | | submit to Google's HSTS preload service |
PHOTOPRISM_LOGIN_LIMIT | --login-limit | 10 | maximum number of consecutive failed LOGIN ATTEMPTS from a single IP |
PHOTOPRISM_LOGIN_INTERVAL | --login-interval | 1m0s | average DURATION between failed LOGIN attempts from a single IP (0-86400s) |
PHOTOPRISM_IPS_LIMIT | --ips-limit | 3 | maximum number of malicious request ATTEMPTS before a client IP is blocked (-1 to disable) |
PHOTOPRISM_IPS_INTERVAL | --ips-interval | 1h0m0s | average DURATION between malicious request attempts from a single IP (0-86400s) |
PHOTOPRISM_HTTP_CSP | --http-csp | | HTTP Content-Security-Policy (CSP) HEADER |
PHOTOPRISM_HTTP_CTO | --http-cto | nosniff | HTTP X-Content-Type-Options HEADER |
PHOTOPRISM_HTTP_COOP | --http-coop | same-origin | HTTP Cross-Origin-Opener-Policy (COOP) HEADER |
PHOTOPRISM_HTTP_REFERRER_POLICY | --http-referrer-policy | same-origin | HTTP Referrer-Policy HEADER |
PHOTOPRISM_HTTP_FRAME_OPTIONS | --http-frame-options | DENY | HTTP X-Frame-Options HEADER |
PHOTOPRISM_HTTP_XSS_PROTECTION | --http-xss-protection | 1; mode=block | HTTP X-XSS-Protection HEADER |
PHOTOPRISM_HTTP_HOSTNAME | --http-hostname | | serve requests for this HOSTNAME only |
Using a Reverse Proxy
Providing these additional config options is a special service we offer to our members. However, advanced users can set the same web security headers in combination with a reverse proxy running in front of their instances if they did not sign up for a membership or have special requirements.
Should you decide to use alternative solutions, such as deploying a proxy or a web application firewall (WAF) in front of PhotoPrism, please note that our team will not be able to provide you with technical support and we recommend this only if you have the experience required.
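For readers who set these headers on a reverse proxy as described above, the following added example (not PhotoPrism code) checks a response's headers against the defaults listed in the table. The function names and the sample response are constructed for illustration; no CSP value is checked because the table lists no default for it.

```python
# Added example, not PhotoPrism code: compare a proxy's response headers with
# the defaults listed in the table above. Sample responses are constructed.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "cross-origin-opener-policy": "same-origin",
    "referrer-policy": "same-origin",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}
STS_SECONDS = 31536000  # default of PHOTOPRISM_STS_SECONDS


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def audit(headers, min_sts=STS_SECONDS):
    """Return a list of deviations from the table defaults (empty = match)."""
    got = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        have = got.get(name)
        if have is None:
            findings.append(f"{name}: missing, expected {want!r}")
        elif have.lower() != want.lower():
            findings.append(f"{name}: {have!r}, expected {want!r}")
    hsts = got.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts else None
    if age is None or age < min_sts:
        findings.append(f"strict-transport-security: max-age {age}, expected >= {min_sts}")
    return findings


# Constructed sample: a proxy that sets only some headers, with a short HSTS lifetime.
SAMPLE_WEAK = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print(finding)
```

Pass it the header mapping from any HTTP client response fetched through the proxy; an empty list means the proxy reproduces the table's defaults.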