App Configuration

Config File

The configuration settings for your app are located in config/app.jcon.

Config Syntax

THT uses JCON syntax for configuration, which is very simple to work with.

See JCON Configuration Format for more info.

Environment Config

It is common to have settings that are specific to the app environment. (e.g. 'local', 'staging', 'prod', etc.)

By default, THT will look for a config/app.local.jcon file, which will merge with and override the main config.

You can change the environment name by setting an environment variable APP_ENV.

For example, if APP_ENV is 'staging', then THT will look for config/app.staging.jcon.

SecurityEnvironment config files should not be checked into version control, because they usually contain sensitive data, like usernames and passwords.

Sections

There are 3 top-level sections:

`app`	Custom config for your app.
`routes`	See URL Router
`tht`	Config for THT itself. (See below)

There are 2 sections that should be set in your environment config because they contain sensitive connection info (i.e. passwords) and should not be checked into source control.

`databases`	See the Database Config.
`email`	See the Email Config.

Reading Config

Values be accessed with the Config module.

App config values are read-only.

To read a value under the app section, use Config.get(key).

`tht` Settings

The following keys are supported under the tht section, which affect the behavior of THT itself.

cacheGarbageCollectRate #

Default: 100

For every Cache SET operation, there is a 1-in-N chance the garbage collector will run, clearing out any expired keys from the Cache.

cacheGarbageCollectRate: 1000

compressOutput #

Default: true

Automatically apply GZIP compression to responses for Page.create(), Output.sendCss(), and Output.sendJs().

This reduces the total response size over the wire by up to 70%.

You might need to disable this if your webserver is already configured to compress responses.

compressOutput: true

contentSecurityPolicy (CSP) #

Default: default-src 'self' style-src 'unsafe-inline' * img-src * media-src * script-src 'nonce-___'

CSP is a list of restrictions on what kind of scripts or media can be loaded and executed on your site. These are enforced within the browser.

The default CSP allows media (images, etc) to be loaded from any domain, but requires script tags to have a server-generated nonce (unique per-request token) in order to run.

THT will automatically insert a nonce into any script tags present in your templates. Otherwise, call Web.nonce() to insert it manually.

See Content Security Policy (CSP).

devIp #

Default: none

If the app is not running on localhost, allow certain development features (e.g. Perf Panel, full error page, etc.) for only this IP address.

devIp: 123.45.67.89

downtime #

Default: false

Set to true to respond to all requests with a standard downtime page. Or set it to a custom URL in your document root directory.

This will return a 503 Service Unavailable HTTP response code.

downtime: true

downtime: /down.html

litemarkCustomTags #

Default: {}

A map of custom square tags applied to all [Litemark (-Lm) templ... (MISSING `]`)

litemarkCustomTags: {
    mytag1: <b>Tag {1}</b>
}

logErrors #

Default: true

If true, log errors to files/app.log.

Errors are not logged while in development mode, because a full error page is already displayed.

logErrors: true

logSlowDbQuerySecs #

Default: 10

If any database query takes longer than this duration (in seconds), the query will be logged to logs/slowDbQueries.txt.

logSlowDbQuerySecs: 5

maxPostSize #

Default: n/a

PHP sets this limit at startup time, so it must be set in your php.ini file instead.

To find your php.ini run this command:

$ tht info

Then set the value accordingly:

# Must be greater than or equal to `upload_max_filesize`
post_max_size = 5M

maxUploadSize #

Default: n/a

PHP sets this limit at startup time, so it must be set in your php.ini file instead.

To find your php.ini run this command:

$ tht info

Then set the value accordingly:

# Maximum allowed size for uploaded files.
upload_max_filesize = 5M

memoryLimitMb #

Default: 16

Maximum memory usage (megabytes) per request.

memoryLimitMb: 32

minifyAssetTemplates #

Default: true

Automatically minify -Css and -Js templates at compile time.

NOTE: After updating this setting, you may need to update your source file to trigger a re-compile.

minifyAssetTemplates: false

optimizeAssets #

Default: minify|gzip|images|timestamps

THT will scan your output and optimize any local image, css, and js assets that it finds.

Options are be combined via | character.

Options are:

minify: minification
gzip: compression
images: optimize images
timestamps: add cache timestamp to URL
none: turn off all optimizations

With everything turned on, this reduces the total asset size over the wire by up to 80%.

See Performance Optimization for more details.

optimizeAssets: minify|gzip|timestamps

passwordAttemptsPerHour #

Default: 30

Limit the number of failed password attempts per hour, to stifle brute force attacks. See Password.check.

Set to 0 to disable password rate limiting.

passwordAttemptsPerHour: 40

sendErrors #

Default: true

Automatically send debug information to the THT developers when an error occurs.

This is a great way to contribute to the THT project, by helping us see what kind of errors are most common.

It sends the erroneous line of code, the error message, and metrics around development time. No identifying information will ever be stored or disclosed publicly.

(NOTE: The default will likely change to false when THT reaches v1.0.)

sendErrors: true

sessionDurationHours #

Default: 24

Amount of time (hours) to wait after a user’s last request before their session expires. See Session.

sessionDurationHours: 2

showErrorPageForMins #

Default: 10

The amount of time (in minutes) since the app was last compiled, to show a full error page. Otherwise, you can find error information in data/files/app.log.

The error page will always be shown if the server is in testServer mode, it is running as localhost, or the request is coming from adminIp (see above).

showErrorPageForMins: 5

showPerfPanel #

Default: false

Display performance stats at the bottom of every web page. See Perf Panel.

showPerfPanel: true

showPrintPanel #

Default: true

Display or suppress the output of print() statements.

showPrintPanel: false

timezone #

Default: UTC

Timezone used for Date objects, log timestamps, etc. See the list of supported timezones.

NoteIt is a best practice to leave this as UTC. If you set this to a local timezone, you might experience Daylight Savings-related bugs and other inconsistencies.

timezone: America/Los_Angeles

turboMode #

Default: false

Set to heck yeah to make your app go faster, utilizing the Placebo effect.

turboMode: heck yeah

xDangerAllowJsEval #

Default: false

Add the 'unsafe-eval' directive to the Content Security Policy (CSP). This allows eval to be run within client-side JavaScript running on your site.

SecurityThe eval function is a commonly exploited vulnerability. Only set this to true if absolutely necessary.

xDangerAllowJsEval: false

App Configuration

Config File

Config Syntax

Environment Config

Sections

Reading Config

tht Settings

cacheGarbageCollectRate #

compressOutput #

contentSecurityPolicy (CSP) #

devIp #

downtime #

litemarkCustomTags #

logErrors #

logSlowDbQuerySecs #

maxPostSize #

maxUploadSize #

memoryLimitMb #

minifyAssetTemplates #

optimizeAssets #

passwordAttemptsPerHour #

sendErrors #

sessionDurationHours #

showErrorPageForMins #

showPerfPanel #

showPrintPanel #

timezone #

turboMode #

xDangerAllowJsEval #

See Also

`tht` Settings