diff --git a/content/configuration/security-limits.md b/content/configuration/security-limits.md index 44f51df5..079fd405 100644 --- a/content/configuration/security-limits.md +++ b/content/configuration/security-limits.md @@ -34,6 +34,7 @@ This page documents environment variables. For in-app security configuration (pe | `USER_REGISTER_URL_ALLOW_LIST` | List of URLs that can be used as `verification_url` in the `/users/register` endpoint. | | | `IP_TRUST_PROXY` | Settings for the Express.js trust proxy setting. | false | | `IP_CUSTOM_HEADER` | What custom request header to use for the IP address. | false | +| `IP_CUSTOM_HEADER_WARNINGS` | Whether to log a warning when `IP_CUSTOM_HEADER` is set but a request does not contain a valid IP in that header. Set to `false` to silence noise from health checks or non-proxied traffic. | `true` | | `IMPORT_IP_DENY_LIST`[2] | Deny importing files from these IP addresses / IP ranges / CIDR blocks. Use `0.0.0.0` to match any local IP address. | `0.0.0.0,169.254.169.254` | | `HSTS_ENABLED` | Enable the Strict-Transport-Security policy header. When enabled, Directus will send the `Strict-Transport-Security: max-age=15552000; includeSubDomains` header on all responses. | `false` | | `HSTS_*` | Custom overrides for the Strict-Transport-Security header. See [helmet's documentation](https://helmetjs.github.io). Example: `HSTS_MAX_AGE=63072000` | |