7. Environment Variables
STIG Manager is configured via its Environment Variables
Note
Environment variables starting with STIGMAN_DEV_ should generally not be changed from their default values in a production environment.
Variable |
Description |
Affects |
|---|---|---|
STIGMAN_API_ADDRESS |
Default
0.0.0.0The IP address on which the the API server will listen
|
API |
STIGMAN_API_MAX_JSON_BODY |
Default
5242880The maximum size in bytes of the request body when Content-Type is application/json
|
API |
STIGMAN_API_MAX_UPLOAD |
Default
1073741824The maximum size in bytes of the file uploaded with Content-Type multipart/form-data
|
API |
STIGMAN_API_PORT |
Default
54000The TCP port on which the server will listen
|
API |
STIGMAN_CLASSIFICATION |
Default
USets the classification banner, if any. Available values:
NONE U CUI C S TS SCI |
API, Client |
STIGMAN_CLIENT_API_BASE |
Default
apiThe base URL for Client requests to the API relative to
window.location |
Client |
STIGMAN_CLIENT_DIRECTORY |
Default
./clientsThe location of the web client files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the client is located at ../../clients relative to the API directory.
|
API, Client |
STIGMAN_CLIENT_DISABLED |
Default
falseWhether to not serve the reference web client
|
Client |
STIGMAN_CLIENT_DISPLAY_APPMANAGERS |
Default
trueWhether to display application managers the home page of web client
|
Client |
STIGMAN_CLIENT_EXTRA_SCOPES |
No default
A space separated list of OAuth2 scopes to request in addition to
stig-manager:stig stig-manager:stig:read stig-manager:collection stig-manager:user stig-manager:user:read stig-manager:op. Some OIDC providers (Okta) generate a refresh token only if the scope offline_access is requested |
Client |
STIGMAN_CLIENT_ID |
Default
stig-managerThe OIDC clientId of the web client
|
Client |
STIGMAN_CLIENT_ADMIN_TIMEOUT |
Default
0The maximum time (in minutes) a user with admin privileges can be inactive in the web client before discarding their access token and requiring reauthorization. Activity is defined as mouse click, keypress, or scrolling in any tab or window of a same-origin browsing context group. Set to zero to disable idle detection.
|
Client |
STIGMAN_CLIENT_OIDC_PROVIDER |
Default Value of
STIGMAN_OIDC_PROVIDERClient override of the base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended by the client when fetching metadata. |
Client |
STIGMAN_CLIENT_REAUTH_ACTION |
Default
popupHow to prompt for re-authentication when user credentials expire. Available values:
popup, iframe, tab, or reload. See detailed description. |
Client |
STIGMAN_CLIENT_RESPONSE_MODE |
Default
fragmentThe response_mode the web client should specify when requesting an authorization code from the OIDC provider. Available values:
fragment, query |
Client |
STIGMAN_CLIENT_SCOPE_PREFIX |
No default
String used as a prefix for each scope when authenticating to the OIDC Provider. Some providers (Azure AD) expect scope requests in the format
api://<application_id>/<scope>, where api://<application_id>/ is the required prefix. |
Client |
STIGMAN_CLIENT_STATE_EVENTS |
Default
trueWhether the web client listens for server sent events (SSE) about the API state. Should only be disabled temporarily while resolving buffering issues on a reverse proxy.
|
Client |
STIGMAN_CLIENT_STRICT_PKCE |
Default
trueWhether the web client verifies the OIDC provider is advertising PKCE/S256 support in compliance with RFC 8414. A non-compliant provider supports PKCE/S256 without advertising it. Independent of this value, the web client always exclusively uses PKCE/S256 in the Authorization Code Flow.
|
Client |
STIGMAN_CLIENT_USER_TIMEOUT |
Default
0The maximum time (in minutes) a regular user can be inactive in the web client before discarding their access token and requiring reauthorization. Activity is defined as mouse click, keypress, or scrolling in any tab or window of a same-origin browsing context group. Set to zero to disable idle detection.
|
Client |
STIGMAN_CLIENT_WELCOME_IMAGE |
No default
The URL of an image hosted elsewhere that will be rendered in the Home tab Welcome widget. The STIGMan app does not serve the image itself, only the reference to it. The URL should be in relation to and accessible from the client’s browser. The image will be scaled to a max width or height of 125 pixels - If no alternate image is specified, the seal of the Department of the Navy (the project sponsor) will be displayed.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_LINK |
No default
Value of an optional link that will follow the Welcome message in the Home tab Welcome widget.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_MESSAGE |
No default
Text that will be displayed in the Home tab Welcome widget.
|
Client Appearance |
STIGMAN_CLIENT_WELCOME_TITLE |
Default
SupportThe tile that will be displayed for the custom Home tab Welcome message.
|
Client Appearance |
STIGMAN_DB_HOST |
Default
localhostThe database hostname or IP from to the API server
|
API |
STIGMAN_DB_MAX_CONNECTIONS |
Default
25The maximum size of the database connection pool
|
API |
STIGMAN_DB_PASSWORD |
No default
The password used to login to the database
|
API |
STIGMAN_DB_PORT |
Default
3306The database TCP port relative to the API server
|
API |
STIGMAN_DB_SCHEMA |
Default
stigmanThe schema where the STIG Manager object are found
|
API |
STIGMAN_DB_TLS_CA_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded CA certificate used to sign the database TLS certificate. Setting this variable enables TLS connections to the database.
|
API |
STIGMAN_DB_TLS_CERT_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded Client certificate used when authenticating the database client. Additionally requires setting values for
STIGMAN_DB_TLS_CA_FILE and STIGMAN_DB_TLS_KEY_FILE. |
API |
STIGMAN_DB_TLS_KEY_FILE |
No default
A file/path relative to the API /tls directory that contains the PEM encoded Client private key used when authenticating the database client. Additionally requires setting values for
STIGMAN_DB_TLS_CA_FILE and STIGMAN_DB_TLS_CERT_FILE. |
API |
STIGMAN_DB_USER |
Default
stigmanThe user account used to login to the database
|
API |
STIGMAN_DEPENDENCY_RETRIES |
Default
24During startup, the number of attempts made to establish connections to the database and OIDC Provider. Retries are made every 5 seconds and the API process exits if unsuccessful.
|
API |
STIGMAN_DEV_ALLOW_INSECURE_TOKENS |
Default
falseControls whether known insecure JWT signing keys are allowed. Only for development/testing purposes. Setting to ‘true’ is NOT recommended for production environments.
|
API |
STIGMAN_DEV_LOG_OPT_STATS |
Default
trueControls whether the API will track API operation statistics used for populating
Requests portion of /op/appinfo response body. Setting to ‘false’ is NOT recommended for production environments, as this info can be useful for troubleshooting. |
API |
STIGMAN_DEV_RESPONSE_VALIDATION |
Default
noneControls whether the API will perform response validation on API responses. If set to ‘logOnly’ the API will output log entries indicating deviations from the OAS specification. Intended for development/testing purposes. Available values:
none, logOnly |
API |
STIGMAN_DOCS_DIRECTORY |
Default
./docsThe location of the documentation files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the docs are located at ../../docs/_build/html relative to the API directory.
|
API, documentation |
STIGMAN_DOCS_DISABLED |
Default
falseWhether to not serve the project Documentation. NOTE: If you choose to serve the Client from the API container but not the Documentation, the links do the Docs on the home page will not work.
|
Documentation |
STIGMAN_EXPERIMENTAL_APPDATA |
Default
falseSet to
true to enable the experimental AppData import/export API endpoints and User Interface. |
API, Client |
STIGMAN_EXPERIMENTAL_LOGSTREAM |
Default
trueSet to
false to disable the experimental WebSocket for streaming API logs and the corresponding User Interface. |
API, Client |
STIGMAN_LOG_LEVEL |
Default
3Controls the granularity of the generated log output, from 1 to 4. Each level is inclusive of the ones before it. Level 1 will log only errors, level 2 includes warnings, level 3 includes status and transaction logs, and level 4 includes debug-level logs
|
API |
STIGMAN_LOG_MODE |
Default
combinedControls whether the logs will create one “combined” log entry for http requests that includes both the request and response information; or two separate log entries, one for the request and one for the response, that can be correlated via a generated Request GUID in each entry
|
API |
STIGMAN_JWKS_CACHE_MAX_AGE |
Default
10The time in minutes after which the API’s cache of JWT signing keys is deemed stale and the API becomes unavailable. Cache refreshes are scheduled at intervals of half this value and also occur when an unknown signing key is presented. Scheduled refresh failures are retried every 10 seconds.
|
API |
STIGMAN_JWT_ASSERTION_CLAIM |
Default
jtiThe access token claim whose value is the OIDC provider’s Assertion ID. Updates to this value trigger the API to update a User’s
lastClaims property. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier. |
API |
STIGMAN_JWT_AUD_VALUE |
No default
If present, a string which must be included in the access token
aud claim for requests to endpoints requiring authorization. |
API |
STIGMAN_JWT_EMAIL_CLAIM |
Default
emailThe access token claim whose value is the user’s email address. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier.
|
API, Client |
STIGMAN_JWT_NAME_CLAIM |
Default
nameThe access token claim whose value is the user’s full name. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier.
|
API, Client |
STIGMAN_JWT_PRIVILEGES_CLAIM |
Default
realm_access.rolesThe access token claim whose value is the user’s privileges. The claim MAY be nested but SHOULD avoid invalid ECMAScript identifiers.
|
API, Client |
STIGMAN_JWT_SCOPE_CLAIM |
Default
scopeThe access token claim whose value is the user’s scopes. Some OIDC Providers (Okta, Azure AD) use the claim
scp to enumerate scopes. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier. |
API, Client |
STIGMAN_JWT_SERVICENAME_CLAIM |
Default
clientIdThe access token claim whose value is the user’s client. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier.
|
API, Client |
STIGMAN_JWT_USERNAME_CLAIM |
Default
preferred_usernameThe access token claim whose value is the user’s username. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier.
|
API, Client |
STIGMAN_OIDC_PROVIDER |
Default
http://localhost:8080/auth/realms/stigmanThe base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended when fetching metadata. |
API, Client |
STIGMAN_SWAGGER_ENABLED |
Default
falseWhether to enable the SwaggerUI SPA at /api-docs
|
API |
STIGMAN_SWAGGER_OIDC_PROVIDER |
Default Value of
STIGMAN_OIDC_PROVIDERSwaggerUI override of the base URL of the OIDC provider issuing signed JWTs for the API. The string
/.well-known/openid-configuration will be appended by the SwaggerUI when fetching metadata. |
API |
STIGMAN_SWAGGER_REDIRECT |
Default
http://localhost:54000/api-docs/oauth2-redirect.htmlThe redirect URL sent by SwaggerUI to the OIDC provider when authorizing
|
API |
STIGMAN_SWAGGER_SERVER |
Default
http://localhost:54000/apiThe API server URL relative to the SwaggerUI
|
API |
Variable |
Description |
Affects |
|---|---|---|
NODE_EXTRA_CA_CERTS |
[your CA certificate file path] Set this Node.js environment variable to direct Node to accept CA certificates you have provided, in addition to its built-in CA certs. |
Node.js, API |