In production, the InvenTree web server software does not provide hosting of static files, or user-uploaded (media) files.
When running in production mode (i.e. the
INVENTREE_DEBUG flag is disabled), a separate web server is required for serving static and media files. In
DEBUG mode, the django webserver facilitates delivery of static and media files, but this is explicitly not suitable for a production environment.
You can find further information in the django documentation.
There are many different ways that a sysadmin might wish to handle this - and it depends on your particular installation requirements.
You may use this as a jumping off point, or use an entirely different server setup.
Static files can be served without any need for authentication. In fact, they must be accessible without authentication, otherwise the unauthenticated views (such as the login screen) will not function correctly.
It is highly recommended that the media files are served in such a way that user authentication is required.
Refer to the docker production example for a demonstration of using nginx to serve media files only to authenticated users, and forward authentication requests to the InvenTree web server.