Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

SiteConfig schema

SiteConfig is the site-scoped, mutable config tier: domains, transport security, visitor access control, handler caps, compression, and the gateway. It is stored as JSON in the KV (not in a deployment manifest), so it changes independently of content and does not roll back with a deployment. Most of it is managed through subcommands rather than edited by hand.

The tiers, contrasted:

Routing (project.cfg)SiteConfig (KV)
ScopeOne deploymentThe whole site
LifecycleImmutable, rolls back with contentMutable, independent
Edited viaproject.cfg + syncboatramp domain / access / gateway / API

Top-level fields

FieldTypeDefaultManaged by
versionu321— (pinned at 1)
domainsDomainConfigemptyboatramp domain
securitySecurityConfigoffAPI / transport security
accessAccessConfigopenboatramp access
handlersHandlersSiteConfig?None (disabled)handler caps
compressionCompressionConfigoffboatramp compression
gatewayGatewayConfig?Noneboatramp gateway

domains

The hostnames a site answers to (virtualhost routing). See Serve a custom domain.

FieldTypeDefaultDescription
primarystring?Canonical hostname (example.com).
aliaseslist<string>[]Additional exact hostnames (www.example.com).
wildcardslist<string>[]Wildcard patterns (*.example.com), matched by suffix at any depth.
canonical_redirectboolfalse301 exact-alias hosts to primary (apex↔www). Wildcard hosts serve as-is.

security

Site-tier transport security. Off by default; opt in once TLS is in front (directly or via a terminating proxy). The effective scheme is read from X-Forwarded-Proto behind a trusted proxy. See Harden the security posture.

FieldTypeDefaultDescription
https_redirectboolfalse301 plain-HTTP requests to HTTPS.
hstsHsts?Send Strict-Transport-Security on HTTPS responses.
cspstring?Content-Security-Policy header value (opt-in; no safe default for static sites).
frame_optionsstring?X-Frame-Options value (DENY, SAMEORIGIN).

hsts

FieldTypeDefaultDescription
max_ageu6431536000max-age in seconds (one year).
include_subdomainsbooltrueApply to subdomains.
preloadboolfalseRequest browser-preload-list inclusion (hard to undo — explicit opt-in).

access

Visitor access control — WAF, IP rules, rate limiting, basic auth, trusted-proxy handling. This is the full mechanism for restricting who may view a site; it is separate from control-plane RBAC. Managed with boatramp access and documented in Restrict visitor access.

handlers

Site-scoped handler policy: the capability allowlist and resource caps a deployment’s requested handler config is intersected against at activation (deny by default). None disables handlers for the site entirely.

FieldTypeDefaultDescription
enabledboolfalseWhether handlers run for this site at all.
allow_importslist<string>[]Interfaces handlers on this site may import (subset of the import vocabulary).
max_memory_mbu32?Cap on per-handler memory (MiB).
max_timeout_msu32?Cap on per-handler wall-clock timeout (ms).
max_concurrencyu32?Cap on concurrent invocations for the site.
max_fuelu64?Cap on per-handler CPU fuel; a handler’s own fuel may only lower it.
secretsmap<string, string>{}Env-var name → secret reference (a host env-var name, resolved server-side — never a literal secret).
background_aliaseslist<string>[]Named aliases (besides current) whose deployments also run consumers and crons. See Run background work.
max_stream_connectionsu32?Cap on concurrent SSE/WebSocket connections for the site.
max_log_rateu32?Cap on captured guest log lines per second (over-cap lines are dropped, counted).

A handler that requests an import not in allow_imports, or exceeds a cap, is rejected at activation — not at request time. See Handler host bindings.

compression

On-the-fly response compression. Opt-in, and complementary to serving a precompressed variant. A response is compressed only when it has no precompressed variant or existing Content-Encoding, its type is compressible, and (when the length is known) it is at least min_size. Credentialed responses are skipped for BREACH safety. See Compress responses.

FieldTypeDefaultDescription
enabledboolfalseMaster toggle.
min_sizeu641024Don’t compress a response with a Content-Length below this (bytes). Streaming responses with no declared length are always eligible.

gateway

Reverse-proxy gateway for publishing private services. None means no gateway routes. Declaring an upstream here is what authorizes reaching a private address — the SSRF guard stays public-only otherwise. Fields cover upstream pools, load balancing, and health checking; see Expose a private service through the gateway.