
Environment Variables

OSINT Hub uses environment variables for configuration management. Copy .env.example to .env and customize the values:
cp .env.example .env

Required Variables

SECRET_KEY (string, required)
Django secret key for cryptographic signing. Must be unique and kept secret.
SECRET_KEY=your-secret-key-here
Never commit your SECRET_KEY to version control. Generate a unique key for each environment.
Generate a secure secret key:
python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
DEBUG (boolean, default: "True")
Enable or disable debug mode. Set to False in production.
# Development
DEBUG=True

# Production
DEBUG=False
Never run production with DEBUG=True. Debug mode exposes sensitive information and creates security risks.
ALLOWED_HOSTS (string, required)
Comma-separated list of allowed hostnames for the application.
# Development
ALLOWED_HOSTS=localhost,127.0.0.1

# Production
ALLOWED_HOSTS=example.com,www.example.com
Django will reject requests with a Host header that doesn’t match these values.
CSRF_TRUSTED_ORIGINS (string)
Comma-separated list of trusted origins for CSRF protection. Required for production.
# Development
CSRF_TRUSTED_ORIGINS=http://localhost:8000

# Production
CSRF_TRUSTED_ORIGINS=https://example.com,https://www.example.com
Include the full URL scheme (http:// or https://). Multiple origins are supported.
DATABASE_URL (string, default: "sqlite:///db.sqlite3")
Database connection string in URL format.
DATABASE_URL=sqlite:///db.sqlite3
The format is: protocol://user:password@host:port/database

Optional Variables

SEARCH_RESULTS_DIR (string, default: "~/.local/share/osint_hub/search_results")
Directory path for storing username search results (Sherlock output).
SEARCH_RESULTS_DIR=/var/lib/osint_hub/results
The directory will be created automatically if it doesn’t exist.

Example Configuration

Development Environment

.env (Development)
SECRET_KEY=django-insecure-dev-key-change-in-production
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1
CSRF_TRUSTED_ORIGINS=http://localhost:8000
DATABASE_URL=sqlite:///db.sqlite3

Production Environment

.env (Production)
SECRET_KEY=your-very-long-random-secret-key-here
DEBUG=False
ALLOWED_HOSTS=osinthub.example.com,www.osinthub.example.com
CSRF_TRUSTED_ORIGINS=https://osinthub.example.com,https://www.osinthub.example.com
DATABASE_URL=postgres://osint_user:secure_password@localhost:5432/osint_hub_db
SEARCH_RESULTS_DIR=/var/lib/osint_hub/search_results
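
A pre-deployment check over the variables documented above, as an added example that is not part of OSINT Hub's own code: parse_env, items, lint_production and DEV_ENV are names constructed for illustration, and the parser assumes inline comments are not stripped from values. The SECRET_KEY thresholds follow Django's own deployment check.

```python
# Added example: lint a .env file for production use (not OSINT Hub's own code).
from urllib.parse import urlsplit

PLACEHOLDERS = {"your-secret-key-here", "your-very-long-random-secret-key-here"}

def parse_env(text):
    # Assumption: the loader does not strip inline comments, so neither do we.
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_production(env):
    """Return findings for a production .env; an empty list means none found."""
    out = []
    key = env.get("SECRET_KEY", "")
    if key in PLACEHOLDERS or key.startswith("django-insecure-"):
        out.append("SECRET_KEY is a placeholder or development value")
    elif len(key) < 50 or len(set(key)) < 5:
        out.append("SECRET_KEY is under 50 characters or has under 5 unique ones")
    if env.get("DEBUG", "True").lower() != "false":  # documented default is True
        out.append("DEBUG is not False")
    hosts = items(env.get("ALLOWED_HOSTS", ""))
    if not hosts or "*" in hosts:
        out.append("ALLOWED_HOSTS is empty or contains a wildcard")
    origins = items(env.get("CSRF_TRUSTED_ORIGINS", ""))
    if not origins:
        out.append("CSRF_TRUSTED_ORIGINS is not set")
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.hostname:
            out.append(f"CSRF origin {origin!r} is not a full https:// origin")
    return out

# Constructed sample: the development values from this page, linted as production.
DEV_ENV = """SECRET_KEY=django-insecure-dev-key-change-in-production
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1
CSRF_TRUSTED_ORIGINS=http://localhost:8000
DATABASE_URL=sqlite:///db.sqlite3"""
if __name__ == "__main__":
    for finding in lint_production(parse_env(DEV_ENV)):
        print("FAIL:", finding)
```

Run it against the real .env in CI before `python manage.py check --deploy`; a value such as `DEBUG=False # Production` is reported because the trailing comment becomes part of the value.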

Django Settings Overview

Key Django settings are configured in osint_hub/settings.py:

Static Files

Static files are served using WhiteNoise in production:
settings.py
STATIC_URL = "static/"
STATIC_ROOT = BASE_DIR / "staticfiles"
STATICFILES_DIRS = [BASE_DIR / "static"]

STORAGES = {
    "staticfiles": {
        "BACKEND": "whitenoise.storage.CompressedManifestStaticFilesStorage",
    },
}
Run python manage.py collectstatic before deploying to production.

Media Files

Uploaded files (images, videos, PDFs for EXIF analysis) are stored in:
settings.py
MEDIA_URL = "/media/"
MEDIA_ROOT = BASE_DIR / "media"
Maximum upload size is 50 MB. Files are temporarily stored during metadata extraction and can be deleted after processing.

Celery Configuration

Celery is configured to use Redis as the message broker:
settings.py
CELERY_BROKER_URL = "redis://localhost:6379/0"
CELERY_RESULT_BACKEND = "redis://localhost:6379/0"
CELERY_TASK_TIME_LIMIT = 30 * 60  # 30 minutes
CELERY_RESULT_EXPIRES = 3600  # 1 hour
Start Celery worker:
celery -A osint_hub worker --loglevel=info

ExifTool Path

The application automatically detects ExifTool at common locations:
settings.py
import os

EXIFTOOL_PATH = "/usr/bin/exiftool"  # Default on Ubuntu

# Fall back to the alternative location when the default path is absent
if not os.path.exists(EXIFTOOL_PATH):
    EXIFTOOL_PATH = "/usr/local/bin/exiftool"  # Alternative
If ExifTool is installed in a custom location, you can override this in settings.py.

Security Settings (Production)

When DEBUG=False, the following security settings are automatically enabled:
settings.py
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = "DENY"
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

Content Security Policy (CSP)

OSINT Hub includes strict CSP headers to prevent XSS attacks:
settings.py
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = (
    "'self'",
    "https://cdn.jsdelivr.net",  # Bootstrap JS
)
CSP_STYLE_SRC = (
    "'self'",
    "https://cdn.jsdelivr.net",  # Bootstrap CSS
)
CSP_IMG_SRC = (
    "'self'",
    "data:",
    "https://*.openstreetmap.org",  # Map tiles
)
CSP is enforced by default (CSP_REPORT_ONLY = False). If you experience issues with external resources, check the browser console for CSP violations.

Installed Applications

The following Django apps are included:
  • email_holehe - Email search using Holehe
  • ExifTool - EXIF metadata extraction
  • PhoneSearch - Phone number investigation
  • UsernameSearch - Username search using Sherlock
  • HashTool - Hash generation and verification
  • IPLookup - IP address geolocation

Internationalization

Default language and timezone:
settings.py
LANGUAGE_CODE = "es-mx"
TIME_ZONE = "America/Mexico_City"
USE_I18N = True
USE_TZ = True
Modify these values based on your locale preferences.

Proxy Configuration

If deploying behind a reverse proxy (Nginx, Apache), ensure these settings are enabled:
settings.py
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True
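This allows Django to properly detect the original protocol, host, and port. Enable these settings only when the proxy sets or strips the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers on every request; otherwise a client can supply them directly and Django will trust the values.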

Verification

Verify your configuration:
# Check for configuration errors
python manage.py check

# Check for deployment issues
python manage.py check --deploy
The --deploy flag performs additional security checks for production deployments.

Next Steps

Installation

Complete the installation steps

Production Deployment

Deploy to production with Gunicorn
