> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.com/joey727/Phisherman/llms.txt
> Use this file to discover all available pages before exploring further.

# Environment variables

> All environment variables Phisherman reads at startup and runtime.

Phisherman reads the following environment variables at startup. Required variables must be set before starting the server — the process will fail to connect to Redis if they are absent.

## Variable reference

| Variable                   | Required | Default                                               | Description                                                                                                                                                                            |
| -------------------------- | -------- | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `UPSTASH_REDIS_REST_URL`   | Yes      | —                                                     | Upstash Redis REST endpoint URL                                                                                                                                                        |
| `UPSTASH_REDIS_REST_TOKEN` | Yes      | —                                                     | Upstash Redis REST auth token                                                                                                                                                          |
| `GOOGLE_SAFE_API_KEY`      | No       | —                                                     | Google Safe Browsing API v4 key. If missing, the checker logs an error and returns score `0`.                                                                                          |
| `PHISHTANK_API_URL`        | No       | `https://data.phishtank.com/data/online-valid.csv.gz` | Override the PhishTank feed URL. The default streams the compressed CSV dump.                                                                                                          |
| `PORT`                     | No       | `4000`                                                | HTTP port the server listens on.                                                                                                                                                       |
| `SCAN_CACHE_SAFE_RESULTS`  | No       | `false`                                               | Set to `"true"` to cache `safe` verdict results in Redis. Disabled by default to reduce Redis storage.                                                                                 |
| `WEBRISK_API_KEY`          | No       | —                                                     | Google Web Risk API key. Used by the `WebRiskChecker`, which is present in source (`src/checkers/googleWebRisk.ts`) but currently disabled and not registered in the checker pipeline. |

## Example `.env` file

```bash theme={null}
# Required
UPSTASH_REDIS_REST_URL=https://<your-instance>.upstash.io
UPSTASH_REDIS_REST_TOKEN=<your-token>

# Optional
GOOGLE_SAFE_API_KEY=AIza...
PHISHTANK_API_URL=https://data.phishtank.com/data/online-valid.csv.gz
PORT=4000
SCAN_CACHE_SAFE_RESULTS=false

# Disabled checker (not active by default)
# WEBRISK_API_KEY=<your-google-web-risk-key>
```

<Warning>
  Never commit `.env` to version control. Add it to `.gitignore` before your first commit. Upstash tokens grant full read/write access to your Redis database.
</Warning>

<Note>
  If `GOOGLE_SAFE_API_KEY` is not set, `checkSafeBrowsing` logs `"safe browsing key missing"` to stderr and returns `{ score: 0 }`. The server continues to operate normally — the Google Safe Browsing checker is simply skipped.
</Note>

<Tip>
  `SCAN_CACHE_SAFE_RESULTS` is off by default because safe verdicts are high-volume and low-value: caching them would consume significant Redis storage without meaningfully improving performance. Enable it only if you expect repeated scans of the same safe URLs and want to reduce latency.
</Tip>
