---
title: 'Configuration'
---
# Backend Config Reference
The backend can be configured in 3 different ways:
- Make a `config.json` file in the working directory of the application (root of repository)
- Make a `.env` file in the working directory of the application (root of repository)
- Add environment variables to your system (or container)
These different config options are all mutually inclusive, so you can use multiple at the same time if you want to.
With any of these configurations, you have to have atleast three variables set for the server to function:
[`postgres.connection`](#postgres-connection-⚠), [`crypto.sessionSecret`](#crypto-session-secret-⚠) and [`meta.name`](#meta-name-⚠)
### Method 1 - `config.json`
This method uses nesting, so the key `server.basePath` with the value of `"/backend"` will result in a file that looks like this:
```json
{
"server": {
"basePath": "/backend"
}
}
```
### Method 2 - `.env`
The environment variable names use double underscores as separators and `MWB_` as the prefix. So the key `server.basePath` will result in the .env file like this:
```sh
MWB_SERVER__BASE_PATH=/backend
```
### Method 3 - Environment
This method is identical to the `.env` method listed above, but you add the variables to the environment instead of writing it in a file.
# Reference
## Server
All configurations related to the HTTP server.
### `server.port`
- Type: `number`
- Default: `8080`
Port number that the HTTP server listens on.
### `server.cors`
- Type: `string`
- Default: `""`
- Example: `"https://movie-web.app https://testing.movie-web.app"`
Space separated list of allowed origins.
### `server.allowAnySite`
- Type: `boolean`
- Default: `false`
If set to true, it allows any origin to access the site. This overwrites the [`server.cors`](#server-cors) setting.
### `server.trustProxy`
- Type: `boolean`
- Default: `false`
Controls whether the server should trust reverse proxy headers. This is used to identify users for ratelimiting.
### `server.trustCloudflare`
- Type: `boolean`
- Default: `false`
Controls whether the server should trust Cloudflare IP headers. This is used to identify users for ratelimiting.
### `server.basePath`
- Type: `string`
- Default: `"/"`
Prefix for which path is being listened on. Useful if you're hosting on `example.com/backend` for example.
If this is set, you shouldn't apply URL rewriting before proxying.
## Logging
All configurations related to how the HTTP server will log. This is not related to the [metrics](./introduction.mdx#metrics) endpoint.
### `logging.format`
- Type: `string` | `"pretty"` | `"json"`
- Default: `"pretty"`
Logging format to use, should be either `pretty` or `json`, most users should probably use the default.
## Postgres
All configurations related to how postgres functions.
### `postgres.connection` ⚠
- Type: `string`
- Example: `"postgresql://localhost:5432"`
Connection URL for postgres instance, should contain the database in the URL.
**Required. The backend will not start if this is not configured.**
### `postgres.migrateOnBoot`
- Type: `boolean`
- Default: `false`
Run all [migrations](./introduction.mdx#migrations) that haven't ran yet on boot.
If you have multiple replicas running, this can cause a lot of issues. We recommend only using this if you run only one replica.
### `postgres.debugLogging`
- Type: `boolean`
- Default: `false`
Log all postgres queries in the console. Useful for debugging issues with the database.
This outputs sensitive, **DO NOT** run it in production.
### `postgres.ssl`
- Type: `boolean`
- Default: `false`
Enable SSL for postgres connections. Useful if you're using a hosted postgres database.
## Cryptography
All configurations related to cryptography.
### `crypto.sessionSecret` ⚠
- Type: `string`
The secret used to sign sessions. **Must be at least 32 characters long.**
**Required. The backend will not start if this is not configured.**
## Meta
These options configure how the server will display itself to the frontend.
### `meta.name` ⚠
- Type: `string`
- Example: `"Unofficial movie-web"`
The name of the backend instance, this will be displayed to users who try to create an account.
**Required. The backend will not start if this is not configured.**
### `meta.description`
- Type: `string`
- Default: `""`
- Example: `"This is not an official instance of movie-web"`
The description of the backend instance, this will be displayed to users who try to create an account.
## Captcha
All configurations related to adding captcha functionality. Captchas' help to protect your server from bot attacks.
### `captcha.enabled`
- Type: `boolean`
- Default: `false`
Enables [Recaptcha](https://www.google.com/recaptcha/about/) support for user registration and login. [You can follow this guide to create a Recaptcha key](https://cloud.google.com/recaptcha-enterprise/docs/create-key-website#create-key).
If this is enabled, all other captcha related settings are required.
### `captcha.secret`
- Type: `string`
- Default: `""`
- Example: `"sjgaJ@3djasFVx"`
[Google Recaptcha](https://www.google.com/recaptcha/about/) secret key.
### `captcha.clientKey`
- Type: `string`
- Default: `""`
- Example: `"2jf853z5bc63bvDb2323FAda"`
[Google Recaptcha](https://www.google.com/recaptcha/about/) site key.
## Ratelimits
All configuration options related to adding ratelimiting functionality. Helps to protect against bot attacks or spammy users.
Make sure your IP headers are properly forwarded if you're using a reverse proxy. Also see [`server.trustProxy`](#server-trust-proxy).
### `ratelimits.enabled`
- Type: `boolean`
- Default: `false`
Enables ratelimiting some more expensive endpoints.
If this is enabled, all other ratelimit related settings are required.
### `ratelimits.redisUrl`
- Type: `string`
- Default: `""`
- Example: `"redis://localhost:6379"`
Redis connection URL for storing ratelimit data. You can use a plain redis instance for this, no modules are required.