Skip to main content
Phisherman reads the following environment variables at startup. Required variables must be set before starting the server — the process will fail to connect to Redis if they are absent.

Variable reference

VariableRequiredDefaultDescription
UPSTASH_REDIS_REST_URLYesUpstash Redis REST endpoint URL
UPSTASH_REDIS_REST_TOKENYesUpstash Redis REST auth token
GOOGLE_SAFE_API_KEYNoGoogle Safe Browsing API v4 key. If missing, the checker logs an error and returns score 0.
PHISHTANK_API_URLNohttps://data.phishtank.com/data/online-valid.csv.gzOverride the PhishTank feed URL. The default streams the compressed CSV dump.
PORTNo4000HTTP port the server listens on.
SCAN_CACHE_SAFE_RESULTSNofalseSet to "true" to cache safe verdict results in Redis. Disabled by default to reduce Redis storage.
WEBRISK_API_KEYNoGoogle Web Risk API key. Used by the WebRiskChecker, which is present in source (src/checkers/googleWebRisk.ts) but currently disabled and not registered in the checker pipeline.

Example .env file

# Required
UPSTASH_REDIS_REST_URL=https://<your-instance>.upstash.io
UPSTASH_REDIS_REST_TOKEN=<your-token>

# Optional
GOOGLE_SAFE_API_KEY=AIza...
PHISHTANK_API_URL=https://data.phishtank.com/data/online-valid.csv.gz
PORT=4000
SCAN_CACHE_SAFE_RESULTS=false

# Disabled checker (not active by default)
# WEBRISK_API_KEY=<your-google-web-risk-key>
Never commit .env to version control. Add it to .gitignore before your first commit. Upstash tokens grant full read/write access to your Redis database.
If GOOGLE_SAFE_API_KEY is not set, checkSafeBrowsing logs "safe browsing key missing" to stderr and returns { score: 0 }. The server continues to operate normally — the Google Safe Browsing checker is simply skipped.
SCAN_CACHE_SAFE_RESULTS is off by default because safe verdicts are high-volume and low-value: caching them would consume significant Redis storage without meaningfully improving performance. Enable it only if you expect repeated scans of the same safe URLs and want to reduce latency.