Web Dashboard Configuration
This document describes the configuration for the Scion Web Dashboard. The web UI is served by the Go scion binary with the --enable-web flag.
Purpose
The Web Dashboard is a client-side SPA served by the Go server, which also handles OAuth, session management, SSE real-time events, and API routing. Configuration is managed through CLI flags and environment variables.
Server Flags
| Flag | Default | Description |
|---|---|---|
| --enable-web | false | Enable the web dashboard. |
| --web-port | 8080 | The HTTP port the web UI listens on. |
| --session-secret | | Secret key for signing session cookies. Must be set in production. |
Environment Variables
Core Settings
| Variable | Default | Description |
|---|---|---|
| SCION_SERVER_WEB_PORT | 8080 | The HTTP port the web UI listens on (overridden by --web-port). |
| SESSION_SECRET | | Secret key for signing session cookies (overridden by --session-secret). |
Authentication
OAuth Providers
These variables are required for standard user login in production.
| Variable | Description |
|---|---|
| SCION_SERVER_AUTH_GOOGLE_CLIENTID | Google OAuth 2.0 Client ID. |
| SCION_SERVER_AUTH_GOOGLE_CLIENTSECRET | Google OAuth 2.0 Client Secret. |
| SCION_SERVER_AUTH_GITHUB_CLIENTID | GitHub OAuth App Client ID. |
| SCION_SERVER_AUTH_GITHUB_CLIENTSECRET | GitHub OAuth App Client Secret. |
| SCION_SERVER_AUTH_AUTHORIZEDDOMAINS | Comma-separated list of email domains allowed to sign in. |
Development Authentication
Used for local testing without setting up full OAuth.
| Variable | Default | Description |
|---|---|---|
| SCION_DEV_TOKEN | | Explicit development token for Hub API access. |
| SCION_DEV_TOKEN_FILE | ~/.scion/dev-token | Path to the token file generated by the Hub. |
Security Settings
The Go server includes a pre-configured Content Security Policy (CSP) that allows connections to the Hub and necessary CDNs (Shoelace). HSTS is automatically enabled in production with a 1-year max-age.
Deployment
The Web Dashboard is served by the same Go binary as the Hub API. In production, enable it with --enable-web and ensure --session-secret and the OAuth provider variables are configured.
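
As an added example (not part of the Scion project), the shell function below checks the production settings this page names before the server is started. It assumes the settings come from environment variables rather than CLI flags; the function names, the 32-character minimum and the domain-format rules are this example's own assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check of the variables documented on this page.
# Assumes settings come from the environment, not from CLI flags.
MIN_SECRET_LEN=32   # this example's own threshold, not a documented Scion rule

fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

# $1 = provider label, $2 = client ID, $3 = client secret
check_provider() {
    if [ -n "$2" ] && [ -n "$3" ]; then
        complete=$((complete + 1))
    elif [ -n "$2" ] || [ -n "$3" ]; then
        fail "$1 OAuth: client ID and client secret must both be set"
    fi
}

scion_web_preflight() {
    problems=0
    complete=0

    # The session-cookie signing secret must be set in production.
    if [ -z "${SESSION_SECRET:-}" ]; then
        fail "SESSION_SECRET is not set"
    elif [ "${#SESSION_SECRET}" -lt "$MIN_SECRET_LEN" ]; then
        fail "SESSION_SECRET is shorter than $MIN_SECRET_LEN characters"
    fi

    # At least one provider needs both of its variables.
    check_provider Google "${SCION_SERVER_AUTH_GOOGLE_CLIENTID:-}" \
        "${SCION_SERVER_AUTH_GOOGLE_CLIENTSECRET:-}"
    check_provider GitHub "${SCION_SERVER_AUTH_GITHUB_CLIENTID:-}" \
        "${SCION_SERVER_AUTH_GITHUB_CLIENTSECRET:-}"
    [ "$complete" -gt 0 ] || fail "no OAuth provider is fully configured"

    # Walk the comma-separated domain list; empty, spaced or user@host entries
    # are treated as mistakes (this example's assumption about the format).
    rest="${SCION_SERVER_AUTH_AUTHORIZEDDOMAINS:-},"
    while [ -n "$rest" ]; do
        d=${rest%%,*}
        rest=${rest#*,}
        case "$d" in
            ""|*@*|*" "*) fail "bad authorized-domain entry: '$d'" ;;
            *.*) ;;
            *) fail "authorized-domain entry has no dot: '$d'" ;;
        esac
    done

    # Development tokens are for local testing; flag one left in the environment.
    [ -z "${SCION_DEV_TOKEN:-}" ] || fail "SCION_DEV_TOKEN is set"
    return "$problems"
}
```

Source the file and call scion_web_preflight in the step that launches the server; its exit status is the number of problems found, so zero means every check passed.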