From 553ff6523f9d01f296768df88eedbecbd74197bc Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Mon, 11 Dec 2023 02:03:48 +0100 Subject: [PATCH] documented `UPTIME_KUMA_WS_ORIGIN_CHECK` (#72) --- Environment-Variables.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Environment-Variables.md b/Environment-Variables.md index b2fa715..9f3c4f0 100644 --- a/Environment-Variables.md +++ b/Environment-Variables.md @@ -22,6 +22,7 @@ node server/server.js --host=127.0.0.1 --port=8080 | `UPTIME_KUMA_SSL_KEY_PASSPHRASE` or `SSL_KEY_PASSPHRASE` | `--ssl-key-passphrase=` | (1.21.1) SSL Key Passphrase | | | `UPTIME_KUMA_CLOUDFLARED_TOKEN` | `--cloudflared-token=` | (1.14.0) Cloudflare Tunnel Token | | | `UPTIME_KUMA_DISABLE_FRAME_SAMEORIGIN` | `--disable-frame-sameorigin=` | By default, Uptime Kuma is not allowed in iframe if the domain name is not the same as the parent. It protects your Uptime Kuma to be a phishing website. If you don't need this protection, you can set it to `true` | `false` | +| `UPTIME_KUMA_WS_ORIGIN_CHECK` | | By default, Uptime Kuma is verifying that the websockets [`ORIGIN`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin)-Header matches your servers hostname. If you don't need this protection, you can set it to `bypass`. See [GHSA-mj22-23ff-2hrr](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr) for further context. | `cors-like` | | `UPTIME_KUMA_ALLOW_ALL_CHROME_EXEC` | `--allow-all-chrome-exec=` | (1.23.0) Allow to specify any executables as Chromium | `0` | | `NODE_EXTRA_CA_CERTS` | | Add your self-signed ca certs. (e.g. /cert/path/CAcert.pem) [Read more](https://github.com/louislam/uptime-kuma/issues/1380) | | | `NODE_TLS_REJECT_UNAUTHORIZED` | | Ignore all TLS errors | `0` |
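Review bot: The added `UPTIME_KUMA_WS_ORIGIN_CHECK` row lists `cors-like` as the default but never says what that value means, and the only other value it names is `bypass`. Suggest stating both accepted values and their effect in the description, for example "`cors-like` (default): the WebSocket `Origin` header must match the server's hostname; `bypass`: the check is skipped". Because `bypass` turns off a protection that the row itself ties to GHSA-mj22-23ff-2hrr, the row should also say in one sentence what is lost when it is set, rather than leaving that entirely to the advisory link. The neighbouring rows carry a version tag such as `(1.21.1)` or `(1.23.0)`; this row has none, so readers on older releases cannot tell whether the variable is honoured. Wording nit in the same cell: "is verifying that the websockets `ORIGIN`-Header matches your servers hostname" reads better as "verifies that the WebSocket `Origin` header matches your server's hostname".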