You can modify the default location of the instance folder and/or static folder by setting the environment variables:

  • INVENIO_INSTANCE_PATH (default: <sys.prefix>/var/instance/)
  • INVENIO_STATIC_FOLDER (default: <instance-path>/static/)

Instance specific configuration is loaded from:

  • <instance-path>/invenio.cfg
  • via environment variables prefixed with INVENIO_ (e.g. INVENIO_SQLALCHEMY_DATABASE_URI)

Templates are loaded from:

  • <instance-path>/templates/

Invenio App configuration.

Invenio-App is partially overwriting default configuration of Limiter and Talisman applications. You can find below more details about which configuration are set.

For more information, please also see Flask-Limiter and Flask-Talisman websites.

invenio_app.config.APP_ALLOWED_HOSTS = None

A list of host/domain names that can be served.

This is a security measure to prevent HTTP Host header attacks, which are possible even under many seemingly-safe web server configurations.

By default all hosts are allowed. Values in this list can be fully qualified names (e.g. ‘’). The validation only applies to

In addition to this configuration variable, you should make sure that your web server does not route requests to the application with an invalid Host header.

invenio_app.config.APP_DEFAULT_SECURE_HEADERS = {'content_security_policy_report_uri': None, 'strict_transport_security_max_age': 31556926, 'frame_options_allow_from': None, 'force_https_permanent': False, 'force_file_save': False, 'session_cookie_http_only': True, 'session_cookie_secure': True, 'strict_transport_security': True, 'strict_transport_security_preload': False, 'strict_transport_security_include_subdomains': True, 'content_security_policy_report_only': False, 'frame_options': 'sameorigin', 'content_security_policy': {'default-src': "'self'"}, 'force_https': True}

Talisman default Secure Headers configuration.

As default, invenio assumes that HTTPS is enabled. If you are not using SSL, then remember to disable the force_https and session_cookie_secure configuration options related to HTTPS.

Please note that, as default Talisman behaviour, if Flask DEBUG mode is on, then also many security barriers are automatically switched off (e.g. force_https and session_cookie_secure).


Overwrite Flask-Talisman configuration.

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
talisman = Talisman(app)

def defenders():
    """Override policies for the specific view."""
    return 'Jessica Jones'
invenio_app.config.APP_ENABLE_SECURE_HEADERS = True

Enable Secure Headers. (Default: True)

In case you want to disable completely Talisman, you can set to False.

Remember that, for development purpose, setting `DEBUG = True` is already enough to disable any side effects such as force https.



invenio_app.config.RATELIMIT_DEFAULT = '5000/hour'

Default rate limit.


Overwrite Flask-Limiter <>`_ configuration.

invenio_app.config.RATELIMIT_HEADERS_ENABLED = True

Enable rate limit headers. (Default: True)


Overwrite Flask-Limiter <>`_ configuration.