Your config.php file controls how FOSSBilling behaves after installation. You will find it in the installation root of a running instance.
This page highlights the settings administrators most commonly change. For the full inline reference, use the sample config linked below.
Configuration Options
Section titled “Configuration Options”Security Settings
Section titled “Security Settings”Control security behavior:
| Setting | Default | Description |
|---|---|---|
security.mode | strict | strict (recommended) or regular. Strict enables SameSite=Strict and HttpOnly cookies. |
security.force_https | true | Force HTTPS connections. Recommended for production. |
security.session_lifespan | 7200 | Session duration in seconds (default: 2 hours). |
Encryption Key
Section titled “Encryption Key”salt— Used for reversible encryption. Keep this secret and don't change it after installation.
url— Your full FOSSBilling URL with trailing slash (e.g.,https://billing.example.com/)admin_area_prefix— Admin panel path (default:/admin)
Debugging
Section titled “Debugging”debug— Show detailed error messages. Disable in production.log_stacktrace— Include stack traces in logs (requiresdebug: true)stacktrace_length— Maximum stack trace length
Updates
Section titled “Updates”update_branch— Which updates to receive:"release"— Stable releases only (recommended for production)"preview"— Development builds (may have bugs)
Maintenance Mode
Section titled “Maintenance Mode”Temporarily disable public access. Use allowed_urls for endpoints that must stay reachable and allowed_ips for trusted networks that should bypass maintenance mode.
'maintenance_mode' => [ 'enabled' => true, 'allowed_urls' => ['/api/guest/*'], 'allowed_ips' => ['192.168.1.0/24'],],Cron Settings
Section titled “Cron Settings”disable_auto_cron— Disable automatic cron execution when admins log in
Localization
Section titled “Localization”| Setting | Default | Notes |
|---|---|---|
i18n.locale | en_US | Default language code |
i18n.timezone | UTC | Default timezone |
i18n.date_format | medium | Options: none, short, medium, long |
i18n.time_format | short | Options: none, short, medium, long |
i18n.datetime_pattern | — | Custom date/time pattern |
Data & Logging
Section titled “Data & Logging”| Setting | Description |
|---|---|
path_data | Where sensitive data is stored |
path_logs | Log file location |
log_to_db | Also log to database (not fully implemented) |
Database
Section titled “Database”'db' => [ 'type' => 'mysql', 'host' => '127.0.0.1', 'port' => '3306', 'name' => 'fossbilling', 'user' => 'fossbilling_user', 'password' => 'your_password',],Twig (Templates)
Section titled “Twig (Templates)”| Setting | Description |
|---|---|
twig.debug | Enable Twig debug mode |
twig.auto_reload | Auto-reload templates on changes |
twig.cache | Template cache directory |
API Settings
Section titled “API Settings”Control API access and rate limiting. Use require_referrer_header to lock browser-originated requests to your install URL, allowed_ips for explicit allowlists, and the rate_* values to tune throttling.
'api' => [ 'require_referrer_header' => true, 'allowed_ips' => [], 'rate_span' => 60, 'rate_limit' => 100, 'throttle_delay' => 2, 'rate_span_login' => 60, 'rate_limit_login' => 20, 'CSRFPrevention' => true,],Environment Variables
Section titled “Environment Variables”Some settings can be overridden via environment variables:
APP_ENV=dev # Enable development modeAPP_DEBUG=true # Enable debug modeMaking Changes
Section titled “Making Changes”- Edit
config.phpwith a text editor - Save the file
- Clear the cache: System → Tools → Clear cache (or delete
/data/cache/) - Test your changes