Figranium uses environment variables to configure key aspects of the server and automation environment. These variables are defined in src/server/constants.js.

Core Variables

| Variable | Default Value | Description |
| --- | --- | --- |
| PORT | 11345 | The port the backend server listens on. |
| SESSION_SECRET | (Required) | A random string used to sign session cookies. |
| NODE_ENV | production | Set to development for local dev mode. |
| ALLOWED_IPS | * (Open) | Comma-separated list of allowed IP addresses or CIDR ranges. |
| ALLOW_PRIVATE_NETWORKS | true | Set to false or 0 to block access to local/private networks (SSRF protection). |
| TRUST_PROXY | false | Set to true or 1 if running behind a reverse proxy (e.g., Nginx, AWS ALB). |

Execution

| Variable | Default Value | Description |
| --- | --- | --- |
| MAX_CONCURRENT_EXECUTIONS | (unlimited) | Maximum number of tasks that can run simultaneously. Excess requests are queued until a slot is available. |

When set, Figranium queues incoming execution requests that exceed the limit and processes them in order as slots free up. Leave unset (or set to 0) for unlimited concurrency; this is the default and matches the behavior of earlier versions. Setting a limit is useful when running on resource-constrained hosts or when you want to prevent a burst of scheduled tasks from overwhelming the browser pool.

Rate Limiting

| Variable | Default Value | Description |
| --- | --- | --- |
| AUTH_RATE_LIMIT_MAX | 10 | Max failed login attempts per window (15 mins). |
| DATA_RATE_LIMIT_MAX | 100 | Max data requests (captures, logs) per window (15 mins). |

VNC / Headful Debugging

| Variable | Default Value | Description |
| --- | --- | --- |
| NOVNC_PORT | 54311 | Port for the noVNC web interface. |

Feature Flags

| Variable | Default Value | Description |
| --- | --- | --- |
| SESSION_COOKIE_SECURE | false | Set to true if serving over HTTPS. |

Example .env File

PORT=11345
SESSION_SECRET=super_secret_key_12345
ALLOWED_IPS=127.0.0.1,192.168.1.0/24
ALLOW_PRIVATE_NETWORKS=false
TRUST_PROXY=true
AUTH_RATE_LIMIT_MAX=20
DATA_RATE_LIMIT_MAX=500
NOVNC_PORT=54311
SESSION_COOKIE_SECURE=true
MAX_CONCURRENT_EXECUTIONS=3

Notes

  • Allow Private Networks: By default, ALLOW_PRIVATE_NETWORKS is true, meaning Figranium can access internal services. In production environments exposed to untrusted users, set this to false.
  • Session Secret: If SESSION_SECRET is not provided, Figranium will generate a random one on startup (or read it from data/session_secret.txt if available). However, for consistent sessions across restarts, set a static secret.
  • Allowed IPs: If you expose Figranium to the internet, always restrict access using ALLOWED_IPS or authentication.
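
The Notes above, turned into a pre-deployment check (an added example, not Figranium's own code): it parses a .env file and reports the variables left at an exposed setting. The function names and the 32-character minimum for SESSION_SECRET are assumptions made for this example.

```javascript
// Added example: audit a Figranium .env against the defaults and Notes on this page.
// parseEnv, auditEnv and MIN_SECRET_LEN are hypothetical names, not Figranium code.
const MIN_SECRET_LEN = 32; // assumption: the page states no minimum length

// Parse KEY=VALUE lines; skip blanks and # comments, strip surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

// Return the variables whose effective value leaves an exposure described on the page.
function auditEnv(text) {
  const env = parseEnv(text);
  const val = (k) => (env[k] || '').toLowerCase();
  const findings = [];
  // Default is true; only "false" or "0" blocks local/private networks (SSRF protection).
  if (!['false', '0'].includes(val('ALLOW_PRIVATE_NETWORKS'))) findings.push('ALLOW_PRIVATE_NETWORKS');
  // Default is * (open); a catch-all CIDR is just as open.
  const ips = (env.ALLOWED_IPS || '*').split(',').map((s) => s.trim());
  if (ips.some((ip) => ['*', '0.0.0.0/0', '::/0'].includes(ip))) findings.push('ALLOWED_IPS');
  // Unset means a generated secret; a short static one is flagged too.
  if ((env.SESSION_SECRET || '').length < MIN_SECRET_LEN) findings.push('SESSION_SECRET');
  // Default is false; the page says to set true when serving over HTTPS.
  if (val('SESSION_COOKIE_SECURE') !== 'true') findings.push('SESSION_COOKIE_SECURE');
  return findings;
}

// Constructed inputs: an empty file (all defaults) and the example .env from this page.
const DEFAULTS = '';
const PAGE_EXAMPLE = `PORT=11345
SESSION_SECRET=super_secret_key_12345
ALLOWED_IPS=127.0.0.1,192.168.1.0/24
ALLOW_PRIVATE_NETWORKS=false
TRUST_PROXY=true
AUTH_RATE_LIMIT_MAX=20
DATA_RATE_LIMIT_MAX=500
NOVNC_PORT=54311
SESSION_COOKIE_SECURE=true
MAX_CONCURRENT_EXECUTIONS=3`;

console.log('defaults:', auditEnv(DEFAULTS));
console.log('page example:', auditEnv(PAGE_EXAMPLE));
```

Run against the example file on this page, the check reports only SESSION_SECRET, because the sample value is shorter than the assumed minimum; replace it with a long random string before deploying.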