Configuration
Better Reports is configured via environment variables. Copy the .env.example file to get started:
bash
cp .env.example .envEnvironment Variables
| Variable | Default | Description |
|---|---|---|
NODE_ENV | development | Runtime mode (development / production) |
HOST | 0.0.0.0 | Server bind address |
PORT | 3000 | Server port |
REPORTS_DATA_DIR | ./ | Data directory for templates and assets |
REPORTS_USER | — | Basic auth username (disabled if empty) |
REPORTS_PASS | — | Basic auth password |
CORS_ORIGIN | * | Allowed CORS origin(s) |
RATE_LIMIT_WINDOW_MS | 60000 | Rate limit window in milliseconds |
RATE_LIMIT_MAX | 100 | Max requests per window |
RATE_LIMIT_COMPILE_MAX | 30 | Max compile requests per window |
WORKER_POOL_SIZE | 2 | Number of compilation worker threads |
CACHE_SIZE | 100 | LRU cache size for compiled PDFs |
LOG_LEVEL | info | Pino log level |
Authentication
Enable HTTP Basic Authentication by setting both REPORTS_USER and REPORTS_PASS:
bash
REPORTS_USER=admin
REPORTS_PASS=your-secure-passwordWhen authentication is enabled, the UI will automatically prompt for credentials on 401 responses.
Data Directory Structure
/path/to/data/
├── templates/ # Typst template files (.typ) and metadata (.json)
├── assets/ # Uploaded assets (images, fonts, documents)
└── packages/ # Installed Typst community packagesRate Limiting
The app uses a sliding window rate limiter with separate limits for general requests and compilation:
- General: 100 requests per 60-second window
- Compilation: 30 requests per 60-second window
CORS
By default, all origins are allowed. Restrict to specific origins in production:
bash
CORS_ORIGIN=https://reports.yourdomain.com