All runtime configuration for Gestor Financiero lives in a single .env file at the project root. The .env.example file in the repository lists every available variable with comments explaining each one — copy it to .env and edit it before starting the servers. Variables prefixed with VITE_ are read by the React frontend at build time via Vite; all other variables are read by the FastAPI backend at startup via python-dotenv. None of the variables are required to have a value for local development; the defaults are designed to work out of the box with SQLite.
Backend Variables
Controls the deployment mode. Accepted values are desarrollo and produccion.
- desarrollo — The interactive API docs (/docs, /redoc, /openapi.json) are publicly accessible. HSTS and strict CSP headers are not sent. Session cookies do not require HTTPS.
- produccion — API docs are hidden. Strict-Transport-Security (HSTS, 1 year, includeSubDomains, preload) and a strict Content-Security-Policy are added to every response. Session cookies are marked Secure (HTTPS-only).
PostgreSQL connection string. When this variable is empty or not set, the application automatically uses a local SQLite file at backend/data/proyectos.db. The backend detects the engine at startup and prints which database it is using. With PostgreSQL, a connection pool of 1–10 connections is opened automatically. With SQLite, each request opens and closes its own connection.
Comma-separated list of origins that the browser is allowed to make cross-origin requests from. This value is passed directly to FastAPI's CORSMiddleware. The backend allows GET, POST, PUT, DELETE, and OPTIONS methods, and accepts Authorization, Content-Type, and X-CSRF-Token headers from allowed origins. Credentials (cookies) are also permitted.
Comma-separated list of allowed Host header values, enforced by FastAPI's TrustedHostMiddleware. This variable is only applied when ENTORNO=produccion. Requests whose Host header does not match this list are rejected with a 400 response. Leave this variable unset or empty in development; it has no effect in desarrollo mode.
Username for the initial administrator account. This value is only used once — when the application starts for the first time and finds an empty database. It has no effect on subsequent startups.
Display name for the initial administrator account. Like ADMIN_USUARIO, this is only applied during the very first startup against an empty database.
Password for the initial administrator account.
- If you provide a value, that exact string will be set as the admin password (must be at least 8 characters).
- If you leave it blank (the default), a cryptographically random 12-character password is generated using secrets.token_urlsafe(12) and printed to the server console. It is shown only once and never stored in plain text.
Rate limit applied to all routes by IP address, using SlowAPI backed by the storage configured in RATE_LIMIT_STORAGE. The format follows the SlowAPI/limits convention: {count}/{period} where period can be second, minute, hour, or day. Requests exceeding this limit receive a 429 Too Many Requests response with the message "Demasiadas peticiones. Espera un momento e inténtalo de nuevo.".
Stricter rate limit applied specifically to the POST /login endpoint. This acts as a second layer of brute-force protection on top of the per-user lockout mechanism (which triggers after 5 failed attempts and locks the account for 15 minutes).
Storage backend URI for SlowAPI's rate limit counters. The default memory:// stores counters in-process, which is sufficient for a single-process deployment. For multi-worker or multi-server deployments, use a shared Redis URI.
Maximum allowed request body size in bytes. Requests whose Content-Length header exceeds this value are rejected with a 413 Request Entity Too Large response before the body is read, protecting against memory exhaustion. The default is 1048576 bytes (1 MB). Adjust upward only if your workflow requires sending larger payloads.
Frontend Variable
The base URL of the FastAPI backend, consumed by the React frontend at build time. Vite injects this into the bundle as import.meta.env.VITE_API_URL. This must match one of the origins listed in ORIGENES_PERMITIDOS on the backend.
Production .env Example
Below is an annotated .env suitable for a production deployment, with PostgreSQL, HTTPS, and a custom domain:
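
A preflight check that can be run against a production .env before deploying, as an added example that is not part of the project's code. It uses only variable names that appear on this page; the workers parameter, the sample values and the example.com domains are assumptions.

```python
"""Preflight check for a production .env (added example, not project code)."""
from urllib.parse import urlsplit

# Constructed sample; domains are placeholders. Only keys named on the page are used.
SAMPLE_ENV = """\
ENTORNO=produccion
ORIGENES_PERMITIDOS=https://app.example.com,http://localhost:5173
RATE_LIMIT_STORAGE=memory://
VITE_API_URL=https://api.example.com
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_https_origin(value):
    """True only for https://host[:port]; CORS origins are compared as exact
    strings, so a wildcard, path or trailing slash is rejected here."""
    p = urlsplit(value)
    return (p.scheme == "https" and bool(p.hostname) and "*" not in value
            and not (p.path or p.query or p.fragment))

def check_production(env, workers=1):
    """Return findings; an empty list means every check passed.
    workers (number of server processes) is an assumed input, not a project setting."""
    findings = []
    if env.get("ENTORNO") != "produccion":
        findings.append("ENTORNO is not 'produccion'")
    for origin in env.get("ORIGENES_PERMITIDOS", "").split(","):
        if origin.strip() and not is_https_origin(origin.strip()):
            findings.append(f"ORIGENES_PERMITIDOS: {origin.strip()!r} is not an exact https origin")
    if urlsplit(env.get("VITE_API_URL", "")).scheme != "https":
        findings.append("VITE_API_URL is not an https URL")
    # The page's default is memory://, which keeps counters inside one process.
    if workers > 1 and (env.get("RATE_LIMIT_STORAGE") or "memory://").startswith("memory://"):
        findings.append("RATE_LIMIT_STORAGE=memory:// does not share counters across workers")
    return findings

if __name__ == "__main__":
    for finding in check_production(parse_env(SAMPLE_ENV), workers=4):
        print("FAIL:", finding)
```

On the constructed sample this reports the leftover http://localhost:5173 origin and, with four workers, the in-process rate limit storage.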