# Security settings
## General information

On this page we list the parameters and recommendations that may affect the security of the various Passwork infrastructure components (web server, PHP, database, etc.). Setting maximum values is not always recommended: it may make Passwork less convenient for end users and cause compatibility issues with older operating systems and components. Change the values as recommended by Passwork technical support.

## PHP settings (php.ini)

| Parameter name | Value | Important | Comment |
|---|---|---|---|
| expose_php | Off | yes | Hides the PHP version in web server response headers. |
| display_errors | Off | yes | Disables the output of PHP error information. Should always be Off, as all errors are written to log files. |
| post_max_size | 10 MB | | Limits the maximum size of data received from the client, which protects against DoS attacks. |
| max_execution_time | 120 to 600 | | Maximum script execution time (in seconds). |
| max_input_time | 120 | | Maximum time to read data from the client (in seconds). |
| memory_limit | 256 MB to 2 GB | | Maximum amount of RAM that a script can use. |
| max_input_vars | 1000 | | Number of parameters in a POST request. You can increase it if you have problems importing large CSV or JSON files. |
| session.cookie_lifetime | 0 | | When set to 0, the browser does not store the cookie persistently and clears it on restart. |
| session.use_only_cookies | On | yes | Session IDs will only be sent through cookies. |
| session.use_strict_mode | On | yes | PHP will not accept a cookie carrying a session ID that was set by the user rather than issued by PHP. Protects against session fixation attacks. |
| session.cookie_httponly | On | yes | Denies access to the cookie from JavaScript. |
| session.cookie_secure | On | yes | The cookie will only be sent over HTTPS. |
| session.use_trans_sid | Off | yes | Prohibits passing the session ID via GET parameters. |
| session.cache_limiter | nocache | | Disables caching. |
| session.sid_length | 22 to 256 | yes | Sets the length of the session ID. A longer ID protects the session from being overridden. |
| session.sid_bits_per_character | 5 | yes | Maximum character variation in the session ID: '4' (0-9, a-f), '5' (0-9, a-v), '6' (0-9, a-z, A-Z, "-", ","). The value 6 is not supported. |
| session.cookie_domain | | | If a single domain name is used, it can be specified in this parameter. |

## Web server

### Configuring SSL

For the production environment it is mandatory to configure operation over HTTPS. Leave support for TLS 1.2 and 1.3 only:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```

Recommended set of cryptographic algorithms (older operating systems and browsers, such as IE6 or Windows XP, are not supported):

```nginx
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
```

### HTTP Strict Transport Security

The HTTP Strict Transport Security extension lets the site tell browsers that it works only via HTTPS. It is no longer possible to attack such a resource with a man-in-the-middle attack, because if the certificate is substituted the browser will immediately close the connection and will not allow you to continue with the forged certificate. The max-age parameter specifies for how many seconds the HSTS header should be cached in the browser; it is recommended to set it to 31536000 (1 year) or higher.

```nginx
add_header Strict-Transport-Security max-age=31536000;
```

### HTTP Public Key Pinning

With this extension the resource administrator can specify which certificate authority may sign the site's certificates. To enable it, you need to get the fingerprint of the certificate authority that issued your certificate and encode it in base64. The easiest way to do this is:

```shell
openssl x509 -in cert.pem -pubkey -noout | \
openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | openssl enc -base64
```

Here cert.pem is the first certificate in the chain that belongs to the certification authority. The output is a base64 string. Turn on the extension and specify the fingerprint of your CA (the base64 string obtained above). The max-age parameter specifies for how many seconds
the fingerprint should be cached in the browser. It is recommended not to use too large a value: if you change the CA, users will not be able to access Passwork until the timeout expires.

```nginx
add_header Public-Key-Pins 'pin-sha256="5c8kvu039kouvrl52d0ezsgf4onjo4khs8tmytlv3nu="; max-age=1512000';
```

## Setting up Passwork

### Configuring security settings in config.ini

[crypt] section:

| Parameter name | Value | Comment |
|---|---|---|
| secret | do not change manually | Server database encryption key, generated automatically at the first Passwork launch. |
| disableclientside | switch to `off` if necessary | Toggles client-side encryption; set to `on` by default. |
| algorithm | recommended to leave unchanged | You can specify an encryption algorithm from the OpenSSL library. |
| source | | Allows you to put the secret in a separate file (example below). |

Example for `source` in config/config.ini:

```ini
…
[crypt]
source = key.ini
…
```

config/key.ini:

```ini
[crypt]
secret = base64…
```

[application] section:

| Parameter name | Value | Comment |
|---|---|---|
| csrf | on | Sends a CSRF token with every AJAX request. |
| disableencoderesponse | do not specify | By default the server encodes all client data in base64; the value `on` disables this mode (for debugging only). |

[mongo] section:

| Parameter name | Value | Comment |
|---|---|---|
| source | | Allows you to put the connection string in a separate file (example below). |

config/config.ini:

```ini
…
[mongo]
source = mongo.ini
…
```

config/mongo.ini:

```ini
[mongo]
connectionstring = mongodb://db:27017
dbname = production
```

Without section:

| Parameter name | Value | Comment |
|---|---|---|
| devmode | do not specify | Enables debugging mode. |

### Passwork system parameters

| Parameter name | Value | Comment |
|---|---|---|
| Additional protection and cookie signatures | Enable | PHP session cookies are signed using entropy and data from the HTTP request headers, including the user's IP. This increases protection against session hijacking and against transferring cookies between browsers. The session closes automatically when the user's IP changes. |
| Mandatory two-factor authentication | Enable | All users will be required to configure 2FA before joining. |
| CSRF token lifetime after last activity | 24 | Set in hours. |
| API key rotation | Enable | All client applications will automatically lose their session and require logging in again. |
| Self-recovery of authorisation password | Forbidden | Only a Passwork administrator will be able to reset a user's authorisation password. |
| Automatic logout when inactive | | Passwork will automatically log users out if no requests arrive. |
| Using API | | Allows you to disable use of the API. All client applications (mobile applications, browser extensions) use the API; with the API disabled, users will only be able to log in to the desktop version. |
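As an added example (not part of the Passwork documentation or product), a small Python audit that checks a php.ini against the recommendations in the PHP settings table at the top of this page and reports every directive that is missing or outside the recommended value. The rule strings use php.ini shorthand (10M, 2G) for the 10 MB and 2 GB in the table, and the sample php.ini fragment is constructed for the demo.

```python
import re

# Recommendations from the table above as directive -> (rule, important); a rule is On/Off,
# an exact value, or a range low..high in PHP shorthand (an empty bound means open-ended).
RECOMMENDED = {
    "expose_php": ("Off", True), "display_errors": ("Off", True),
    "post_max_size": ("..10M", False), "max_execution_time": ("120..600", False),
    "max_input_time": ("120", False), "memory_limit": ("256M..2G", False),
    "max_input_vars": ("1000..", False), "session.cookie_lifetime": ("0", False),
    "session.use_only_cookies": ("On", True), "session.use_strict_mode": ("On", True),
    "session.cookie_httponly": ("On", True), "session.cookie_secure": ("On", True),
    "session.use_trans_sid": ("Off", True), "session.cache_limiter": ("nocache", False),
    "session.sid_length": ("22..256", True), "session.sid_bits_per_character": ("5", True),
}

def parse_ini(text):  # minimal php.ini reader: drops ; comments and [sections], strips quotes
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.strip("\"'")
    return settings

def to_number(value):  # PHP shorthand (10M, 2G, 1000, -1) to an int, None if not numeric
    m = re.fullmatch(r"(-?\d+)\s*([kKmMgG]?)", value.strip())
    return None if not m else int(m[1]) * 1024 ** {"": 0, "k": 1, "m": 2, "g": 3}[m[2].lower()]

def satisfies(value, rule):  # does one php.ini value meet one RECOMMENDED rule?
    if rule in ("On", "Off"):  # stderr/stdout count as On: they are display_errors targets
        return (value.lower() in ("1", "on", "true", "yes", "stderr", "stdout")) == (rule == "On")
    if ".." in rule:
        low, high = (to_number(b) if b else None for b in rule.split("..", 1))
        n = to_number(value)  # -1 (unlimited) must fail every range, so negatives are rejected
        return n is not None and n >= 0 and (low is None or n >= low) and (high is None or n <= high)
    return value.lower() == rule.lower()

def audit(ini_text):  # [(directive, important, observed)] for each missing or non-compliant directive
    settings = parse_ini(ini_text)
    return [(key, important, settings.get(key, "<not set>")) for key, (rule, important)
            in RECOMMENDED.items() if key not in settings or not satisfies(settings[key], rule)]

# Constructed sample php.ini fragment for the demo; not taken from any real deployment.
SAMPLE_INI = """[PHP]
expose_php = On            ; leaks the PHP version in response headers
post_max_size = 10M
memory_limit = -1
session.use_strict_mode = 1
session.cookie_secure = "On"
session.use_trans_sid = 0
session.sid_bits_per_character = 4
"""
```

Pass the text of your php.ini to `audit()`; each returned triple names the directive, whether the table marks it as important, and the observed value (`<not set>` when PHP's default applies).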