All configuration happens through environment variables.
These settings map directly to built-in Django settings. An environment
DJANGO_FOO controls the Django setting
FOO. Not all
Django settings are available for configuration.
Default values given refer to
Production configurations, which is the
default in Docker images.. Other configurations may have defaults not
A database URL, including any username and password, if needed.
A comma-seperated list of host values to accept. Examples:
.example.com(matches any subdomain of example.com),
*(allows everything). This setting is required to be set. If there are other protections (such as load balancers), setting this to
*presents no risk.
The name of a configuration preset to use for this environment. Useful values are
ProductionInsecure- For systems running without HTTPS
Build- This is used during CI to build static assets
Development- This is used by developers
Test- Used during unit tests
false. Enables Django’s debug mode. This should never be enabled on permanent servers. It is inefficient and leaks memory.
The URL prefix for media files (files uploaded to the service). Both host-relative (
/media/) and host-absolute URLs (
https://cdn.example.com/) work. Should end in a slash.
A string used as a seed for security features. This should be the same on all instances that share a database, and should be kept secret. It should be a long, random string. This field is required to be set in most environments.
The URL prefix for static files (files shipped with the service). Both host-relative and host-absolute URLs work. Should end in a slash.
Time to hold database connections open in seconds. If set to 0, will close every database connection immediately. Each worker (as controlled by
WEB_CONCURRENCY) will have its own connection.
These settings are specific to Normandy. In other words, they won’t be present in other Django projects.
Path to a Maxmind GeoIP Country database.
For security, Normandy can disable write access. This should be enabled on production servers. Servers with this setting set to
falseshouldn’t require write access to Postgres.
Sets the time in seconds immutable objects (such as Action implementations) are cached for with the HTTP
The number of proxies between users and Normandy. This is used to parse the
Optional. The DSN for Raven to report errors to Sentry.
Optional. The release for Raven to report to Sentry. Automatically set by production Docker images.
The URL where an Autograph server can be reached. If left blank, content signing will be disabled.
The pre-arranged ID to use for Hawk authentication with Autograph.
The pre-arranged secret key to use for Hawk authentication with Autograph.
Content with signature ages older than this are considered out of date and will be re-signed. The keys used by Autograph to sign content are generally only valid for a few weeks, and have a period of overlap where both the new key and old key are valid. The aim with this setting is to be as long as possible while still guaranteeing that actions will get resigned during the overlap period.
The time in seconds to cache the public keys retrieved from x5u URLs when verifying signatures. Set to 0 to disable caching.
The time in seconds to cache errors while trying to retrieve public keys from x5u URLs when verifying signatures. Set to 0 to disable error caching.
The time in seconds to wait to receive a response from the server when requesting x5u URLs to verify signatures. A value of 0 means no timeout.
If set, the value will be added to the URL for the x5u certificate chain as a query parameter named cachebust. This is used to force clients to re-fetch the certificate chain in cases where they’re caching an expired or otherwise invalid copy of the chain.
The URL where a Remote Settings server can be reached (e.g.
If left blank, the publication of recipes will be disabled.
The account username that is allowed to create records on the Remote Settings collection.
The account password to authenticate as DJANGO_REMOTE_SETTINGS_USERNAME.
The name of the Remote Settings collection where the recipes will be published.
The name of the Remote Settings bucket where the recipes will be published.
If the Remote Settings server does not return a successful response, the requests will be retried if the specified number is superior to zero.
The time in seconds to set in cache headers for cacheable APIs. This may be set to 0 in non-production environments to ease testing. In production environments, setting this value too low can be a denial-of-service risk.
Controls cache headers for cacheable APIs. If true, API views will send headers indicating that they can be cached according to
DJANGO_API_CACHE_TIME. If false, API views will send headers indicating that they should never be cached.
The time in seconds to set in cache headers for permanent redirects.
The time in seconds to set in cache headers for permanent redirects to change from HTTP to HTTPS.
If this setting is true, standard logging will be output in mozlog format. Otherwise logs will be unstructured.
report-uridirective in the Content Security Policy header. Attempts to violate the Content Security Policy are sent by the browser to this URL. See the MDN documentation on report-uri for more info.
The URL of a CDN that is backed by Normandy, if one is in use. This is used to enforce that immutable content is routed through the CDN. Must end with a slash (
The URL that allows direct access to Normandy, bypassing any CDNs. This is used for content that cannot be cached. If not specified, Normandy will assume direct access. Must end with a slash (
If enabled, Normandy will authenticate users by reading a header in requests. The expectation is that a proxy server, such as Nginx, will perform authentication using Open ID Connect, and then pass the unique ID of the user in a header.
DJANGO_OIDC_REMOTE_AUTH_HEADERfor which header Normandy reads this value from.
If this feature is enabled, the proxy server providing authentication must sanitize the headers passed along to Normandy. Specifically, the header defined in
DJANGO_OIDC_REMOTE_AUTH_HEADERmust not be passed on from the user.
Failing to do this will result in any client being able to authenticate as any user, with no checks.
True, this is the source of the user to authenticate. This must match Django header normalization, i.e. it must be capitalized, dashes replaced with underscores, and be prefixed with
For example, the header
DJANGO_USE_OIDCis set to
True, this settings must be set to the URL that a user can visit to logout. It may be a relative URL.
True, approval requests for recipe changes can only be approved by a different user than the one who created the request. If
False, approval requests can be approved by the same user who created it.
This defaults to
Falsefor local developer instances.
Whether to check that certificates used for recipe signatures are checked for validity. This means that the date ranges in the certificate are checked against the current date. This should likely never be turned off in Production.
If set, when checking certificates for validity, start failing system checks this many days before the certificate would expire.
If this is set to a string, certificates will be checked to be originating from a trusted source, by hashing the root certificate in the x5u certificate chain. For possible values of this setting, see the list of environments.
If this is set to a string, certificates will be checked to have a subject with a matching common name. It is unlikely this should ever change, because the default value matches one that is hard-coded in Firefox.
Access-Control-Allow-Origin: *if set to True. If False, needs the
Originheader needs to match
DJANGO_CORS_ORIGIN_WHITELIST. In all environments other than
Productionthis is set to True.
The CORS headers only apply to URLs that match the regex
List of domains (with or without
https://prefix, but ideally with) that is included in
Access-Control-Allow-Originheader. Ideally this should list all the client-side apps that should be allowed to make remote XHR requests.
['DELETE', 'GET', 'OPTIONS', 'PATCH', 'POST', 'PUT']
List of allowed CORS methods if applicable. Specifically this list is reduced to “read-only” methods when using the
URL where we sent access tokens received as an authorization bearer token. This URL needs to match the OIDC domain used by the client to authenticate. The value for this setting is usually listed in
/.well-known/openid-configurationon the OIDC provider.
The Python import path for the file storage backend to use. For AWS, use the default value of
normandy.base.storage.S3Boto3PermissiveStorage. For GCP, use
When using AWS, it is required to also set
DJANGO_AWS_SECRET_ACCESS_KEYmay also be needed.
When using GCP, it is required to also set
The Access Key ID for an AWS user with read/write access to the S3 bucket. This is required by django-storages to access S3.
The Secret Access Key for the AWS user identified by
DJANGO_AWS_ACCESS_KEY_ID. This is also required by django-storages to access S3.
The name of the S3 bucket to be used to store media files.
The name of the Google storage bucket to be used to store media files.
If true, metrics will be logged in a human readable format. This is on by default in development.
If true, metrics will be sent to the configured statsd server. This is on by default in production.
DJANGO_METRICS_USE_STATSDis enabled, the hostname to send statsd metrics to.
DJANGO_METRICS_USE_STATSDis enabled, the port to send statsd metrics to.
DJANGO_METRICS_USE_STATSDis enabled, metrics sent will be prefixed with this value.
These settings control how Gunicorn starts, when the default command of the provided Dockerfile is used.
The worker class to use. Supported options are
If set to a positive number, after serving this many requests, individual Gunicorn works will be recycled. This can be helpful to avoid potential memory leaks.
The number of workers to use. Recommended values are in the range of
2-4 x $(NUM_CORES).