
"""
Default Plain settings. Override these with settings in the module pointed to
by the PLAIN_SETTINGS_MODULE environment variable.
"""

####################
# CORE             #
####################

# Debug mode is off by default.
# NOTE(review): what DEBUG switches on is not visible in this file; treat it as
# a development-only flag and keep it False in production until confirmed.
DEBUG: bool = False

# Hosts/domain names that are valid for this site.
# "*" matches anything, ".example.com" matches example.com and all subdomains.
# The default is an empty list. A "*" entry accepts every Host header value, so
# prefer listing the exact names the site is served from.
ALLOWED_HOSTS: list[str] = []

# Local time zone for this installation. All choices can be found here:
# https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
# systems may support all possibilities). This is interpreted as the default
# user time zone.
TIME_ZONE: str = "UTC"

# Default charset to use for all Response objects, if a MIME type isn't
# manually specified. It's used to construct the Content-Type header.
DEFAULT_CHARSET = "utf-8"

# List of strings representing installed packages. Empty by default.
INSTALLED_PACKAGES: list[str] = []

# Whether to append trailing slashes to URLs.
APPEND_SLASH = True
# Default headers for all responses.
# The Content-Security-Policy and Strict-Transport-Security entries are
# commented out, so neither header is part of the defaults defined here; add
# them in your own settings once the values have been tested for your site.
DEFAULT_RESPONSE_HEADERS = {
    # Example policy only; not enabled by default.
    # "Content-Security-Policy": "default-src 'self'",
    # Example HSTS value only; not enabled by default. `includeSubDomains` and
    # `preload` are slow to undo once browsers have seen them, so check that
    # every subdomain is HTTPS-only first. See https://hstspreload.org/
    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    # Keeps cross-origin pages out of this page's browsing context group.
    "Cross-Origin-Opener-Policy": "same-origin",
    # Sends the Referer header on same-origin requests only.
    "Referrer-Policy": "same-origin",
    # Tells browsers not to MIME-sniff responses away from the declared type.
    "X-Content-Type-Options": "nosniff",
    # Forbids rendering the site inside frames (clickjacking defence).
    "X-Frame-Options": "DENY",
}

# Whether to redirect all non-HTTPS requests to HTTPS. On by default.
HTTPS_REDIRECT_ENABLED = True
# NOTE(review): the next two settings are undocumented here. Presumably
# HTTPS_REDIRECT_EXEMPT lists paths or patterns that skip the redirect and
# HTTPS_REDIRECT_HOST overrides the host used in the redirect target; confirm
# against the redirect code. If so, every exemption is a path that stays
# reachable over plain HTTP, so keep the list as short as possible.
HTTPS_REDIRECT_EXEMPT = []
HTTPS_REDIRECT_HOST = None

# If your Plain app is behind a proxy that sets a header to specify secure
# connections, AND that proxy ensures that user-submitted headers with the
# same name are ignored (so that clients can't spoof it), set this value to
# a tuple of (header_name, header_value). For any requests that come in with
# that header/value, request.is_https() will return True.
# WARNING! Only set this if you fully understand what you're doing. Otherwise,
# you may be opening yourself up to a security risk.
# The default of None means no such header is configured.
HTTPS_PROXY_HEADER = None

# Whether to use the X-Forwarded-Host and X-Forwarded-Port headers
# when determining the host and port for the request.
# Both are off by default. These headers arrive with the request, so a client
# can set them itself unless a proxy you control overwrites them; enable these
# settings only when the app is reachable solely through such a proxy.
USE_X_FORWARDED_HOST = False
USE_X_FORWARDED_PORT = False
# A secret key for this particular Plain installation. Used in secret-key
# hashing algorithms. Set this in your settings, or Plain will complain
# loudly.
# Declared here as an annotation only, so there is no default value. Use a
# long random value that is unique per installation, and keep it out of
# version control and logs.
SECRET_KEY: str

# List of secret keys used to verify the validity of signatures. This allows
# secret key rotation.
# Anything signed with a key listed here still verifies, so remove a retired
# key once the rotation window is over, and immediately if it was exposed.
SECRET_KEY_FALLBACKS: list[str] = []

# Declared without a default, like SECRET_KEY.
# NOTE(review): undocumented here; presumably the dotted path of the root URL
# router for the project. Confirm against the URL resolution code.
URLS_ROUTER: str
# List of upload handler classes to be applied in order.
# Each entry is a dotted path string.
FILE_UPLOAD_HANDLERS = [
    "plain.internal.files.uploadhandler.MemoryFileUploadHandler",
    "plain.internal.files.uploadhandler.TemporaryFileUploadHandler",
]

# Maximum size, in bytes, of a request before it will be streamed to the
# file system instead of into memory.
FILE_UPLOAD_MAX_MEMORY_SIZE = 2621440  # 2.5 * 1024 * 1024 bytes, i.e. 2.5 MiB

# The three DATA_UPLOAD_* limits below cap how much request data is read
# before the request is rejected. Raising any of them raises the memory and
# parsing work a single request can demand, so change them deliberately.

# Maximum size in bytes of request data (excluding file uploads) that will be
# read before a SuspiciousOperation (RequestDataTooBig) is raised.
DATA_UPLOAD_MAX_MEMORY_SIZE = 2621440  # 2.5 * 1024 * 1024 bytes, i.e. 2.5 MiB

# Maximum number of GET/POST parameters that will be read before a
# SuspiciousOperation (TooManyFieldsSent) is raised.
DATA_UPLOAD_MAX_NUMBER_FIELDS = 1000

# Maximum number of files encoded in a multipart upload that will be read
# before a SuspiciousOperation (TooManyFilesSent) is raised.
DATA_UPLOAD_MAX_NUMBER_FILES = 100

# Directory in which upload streamed files will be temporarily saved. A value of
# `None` will make Plain use the operating system's default temporary directory
# (i.e. "/tmp" on *nix systems).
# If you set a custom directory, keep it outside any path that is served to
# clients.
FILE_UPLOAD_TEMP_DIR = None

# User-defined overrides for error views by status code
# NOTE(review): `dict[int]` names only the key type (the status code); the
# value type is left unspecified. Confirm what values the loader expects
# before tightening the annotation.
HTTP_ERROR_VIEWS: dict[int] = {}
102
##############
# MIDDLEWARE #
##############

# List of middleware to use. Order is important; in the request phase, these
# middleware will be applied in the order given, and in the response
# phase the middleware will be applied in reverse order.
# Empty by default. Because of the ordering rule above, put middleware that
# rejects or authenticates requests ahead of middleware that acts on them.
MIDDLEWARE: list[str] = []
111
########
# CSRF #
########

# Settings for CSRF cookie.
# The COOKIE_* names mirror standard Set-Cookie attributes; how each one is
# applied is not visible in this file.
CSRF_COOKIE_NAME = "csrftoken"
# 52 weeks in seconds (364 days), i.e. just under one year.
CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
CSRF_COOKIE_DOMAIN = None
CSRF_COOKIE_PATH = "/"
# Secure cookies are only sent over HTTPS, so with this default the cookie
# will not be sent back on plain-HTTP requests.
CSRF_COOKIE_SECURE = True
# False leaves the cookie readable by page scripts.
# NOTE(review): presumably intentional so client-side code can copy the token
# into the CSRF_HEADER_NAME header; confirm before changing it.
CSRF_COOKIE_HTTPONLY = False
CSRF_COOKIE_SAMESITE = "Lax"
# Request header and form field names that carry the token.
# NOTE(review): inferred from the setting names; confirm against the CSRF code.
CSRF_HEADER_NAME = "CSRF-Token"
CSRF_FIELD_NAME = "_csrftoken"
# Empty by default.
# NOTE(review): presumably origins listed here are accepted for cross-origin
# state-changing requests; if so, list exact origins you control and nothing
# broader. Confirm the accepted formats against the CSRF code.
CSRF_TRUSTED_ORIGINS: list[str] = []
127
###########
# LOGGING #
###########

# Custom logging configuration. Empty by default.
# NOTE(review): the expected schema is not shown here; presumably a
# logging.config.dictConfig-style dict. Confirm against the logging setup code.
LOGGING = {}
134
##########
# ASSETS #
##########

# Whether to redirect the original asset path to the fingerprinted path.
ASSETS_REDIRECT_ORIGINAL = True

# If assets are served by a CDN, use this URL to prefix asset paths.
# Ex. "https://cdn.example.com/assets/"
# Empty by default. Whatever origin is set here ends up serving the site's
# static assets, so point it only at a host you control, and over HTTPS.
ASSETS_BASE_URL: str = ""
145
####################
# PREFLIGHT CHECKS #
####################

# List of all issues generated by system checks that should be silenced. Light
# issues like warnings, infos or debugs will not generate a message. Silencing
# serious issues like errors and criticals does not result in hiding the
# message, but Plain will not stop you from e.g. running server.
# Empty by default. A silenced check stays silenced for everyone who deploys
# with these settings, so record why each entry was added.
PREFLIGHT_SILENCED_CHECKS = []
155
#############
# Templates #
#############

# Dotted path string naming the Jinja environment.
# NOTE(review): presumably resolved by import at startup. The escaping
# behaviour of DefaultEnvironment is not visible in this file; confirm that a
# replacement environment keeps HTML autoescaping before pointing this elsewhere.
TEMPLATES_JINJA_ENVIRONMENT = "plain.templates.jinja.DefaultEnvironment"
161
#########
# Shell #
#########

# Empty by default.
# NOTE(review): undocumented here; the name suggests a module path that the
# interactive shell imports on start. Confirm against the shell command code.
SHELL_IMPORT: str = ""