Security settings
This document lists the parameters and recommendations that affect the security of the components of a Passwork installation (web server, PHP, database). Setting every parameter to its most restrictive value is not always necessary: it can make Passwork inconvenient for end users and can break support for, or compatibility with, older operating systems and components.
Change values as advised by Passwork technical support.
| Parameter | Value | Important | Comment |
|---|---|---|---|
| expose_php | Off | Yes | Removes the PHP version from the X-Powered-By response header. |
| display_errors | Off | Yes | Disables output of PHP errors to the client. Should always be Off; errors are written to the log files instead. |
| post_max_size | 10M | | Limits the size of a request body accepted from the client, which limits the damage from denial-of-service attempts. PHP uses the shorthand suffixes K, M and G (write 10M, not 10MB). |
| max_execution_time | 120 to 600 | | Maximum script execution time in seconds. Increase if necessary. |
| max_input_time | 120 | | Maximum time in seconds allowed for reading request data from the client. |
| memory_limit | 256M to 2G | | Maximum amount of RAM a script may use. Increase if necessary. |
| max_input_vars | 1000 | | Maximum number of parameters in a POST request. Increase it if imports of large CSV or JSON files fail. |
| session.cookie_lifetime | 0 | | With 0 the session cookie is not persisted: the browser discards it when it is closed. |
| session.use_only_cookies | On | Yes | The session ID is transmitted only in cookies. |
| session.use_strict_mode | On | Yes | PHP rejects session IDs that it did not issue itself (IDs supplied by the client). Protects against session fixation. |
| session.cookie_httponly | On | Yes | Denies JavaScript access to the session cookie. |
| session.cookie_secure | On | Yes | The session cookie is sent only over HTTPS. |
| session.use_trans_sid | Off | Yes | Prevents the session ID from being passed in URL (GET) parameters. |
| session.cache_limiter | nocache | | Sends headers that forbid caching of session pages (Cache-Control: no-store, no-cache, must-revalidate). |
| session.sid_length | 100 | Yes | Length of the session ID in characters (22 to 256). A long ID protects the session against guessing. Deprecated since PHP 8.4, which emits a deprecation notice for non-default values. |
| session.sid_bits_per_character | 5 | Yes | Alphabet of the session ID: 4 (0-9, a-f), 5 (0-9, a-v), 6 (0-9, a-z, A-Z, "-", ","). The value 6 is not supported by Passwork. Deprecated since PHP 8.4, like session.sid_length. |
| session.cookie_domain | | | If a single domain name is used, it can be specified here. |
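The following script is an added example, not part of this page and not Passwork's own tooling. It audits a php.ini against the table above and shows the two mistakes that most often slip through: PHP's size shorthand (a value such as 10MB is not valid, only a single trailing K, M or G is) and directives that are simply absent, so that PHP's weaker default applies. It assumes the file being checked is the effective php.ini (`php --ini` lists it); the sample ini texts are constructed for the demonstration.

```python
# Added example: audit a php.ini against the hardening table above.  Not Passwork's code.
# Assumptions: the text is the effective php.ini (see `php --ini`); thresholds are
# the table's values; only the directives listed there are checked.
import configparser
import re

# Directives with a single expected value.  Booleans are compared as PHP reads them.
RECOMMENDED = {
    "expose_php": "Off",
    "display_errors": "Off",
    "session.use_only_cookies": "On",
    "session.use_strict_mode": "On",
    "session.cookie_httponly": "On",
    "session.cookie_secure": "On",
    "session.use_trans_sid": "Off",
    "session.cookie_lifetime": "0",
    "session.cache_limiter": "nocache",
}
MAX_POST_BYTES = 10 * 1024 * 1024   # post_max_size: at most 10M
MIN_SID_LENGTH = 100                # session.sid_length: at least 100
ALLOWED_SID_BITS = {4, 5}           # session.sid_bits_per_character: 6 is unsupported

_SIZE = re.compile(r"^(\d+)([KMG]?)$", re.I)


def php_size_to_bytes(value):
    """Convert PHP size shorthand ('10M', '2G', '8388608') to bytes.

    PHP recognises one trailing K, M or G.  '10MB' is not valid shorthand and is
    rejected here rather than silently misread.
    """
    m = _SIZE.match(value.strip().strip('"'))
    if not m:
        raise ValueError(f"not a PHP size shorthand: {value!r}")
    num, unit = int(m.group(1)), m.group(2).upper()
    return num * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[unit]


def php_bool(value):
    """php.ini truthiness: On/True/Yes/1 are true; Off/False/No/None/0/'' are false."""
    return value.strip().strip('"').lower() in ("on", "true", "yes", "1")


def load_php_ini(text):
    """Flatten php.ini into {directive: value}; section names carry no meaning in PHP."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str                       # keep case, e.g. session.cookie_secure
    cp.read_string("[PHP]\n" + text)           # tolerate directives before any [section]
    return {k: v.strip() for section in cp.sections() for k, v in cp.items(section)}


def audit(ini_text):
    """Return a list of findings; an empty list means the ini matches the table."""
    cfg = load_php_ini(ini_text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} not set (PHP default applies), want {want}")
        elif key in ("session.cookie_lifetime", "session.cache_limiter"):
            if got.strip('"') != want:
                findings.append(f"{key} = {got}, want {want}")
        elif php_bool(got) != php_bool(want):
            findings.append(f"{key} = {got}, want {want}")
    size = cfg.get("post_max_size", "8M")                 # PHP default
    try:
        if php_size_to_bytes(size) > MAX_POST_BYTES:
            findings.append(f"post_max_size = {size}, want 10M or less")
    except ValueError as err:
        findings.append(f"post_max_size: {err}")
    sid_len = cfg.get("session.sid_length", "32")         # PHP default
    if int(sid_len) < MIN_SID_LENGTH:
        findings.append(f"session.sid_length = {sid_len}, want at least {MIN_SID_LENGTH}")
    sid_bits = cfg.get("session.sid_bits_per_character", "4")
    if int(sid_bits) not in ALLOWED_SID_BITS:
        findings.append(f"session.sid_bits_per_character = {sid_bits}, want 4 or 5")
    return findings


# Constructed sample: a stock-looking php.ini with several weak settings.
WEAK_INI = """
[PHP]
expose_php = On
display_errors = Off
post_max_size = 10MB        ; common typo: PHP shorthand is 10M
max_input_vars = 1000

[Session]
session.use_only_cookies = 1
session.use_strict_mode = 0
session.cookie_httponly = On
session.cookie_secure =
session.use_trans_sid = 0
session.cookie_lifetime = 0
session.cache_limiter = nocache
session.sid_length = 26
session.sid_bits_per_character = 5
"""

# Constructed sample: the same directives set as the table recommends.
HARDENED_INI = """
expose_php = Off
display_errors = Off
post_max_size = 10M
session.use_only_cookies = On
session.use_strict_mode = On
session.cookie_httponly = On
session.cookie_secure = On
session.use_trans_sid = Off
session.cookie_lifetime = 0
session.cache_limiter = nocache
session.sid_length = 100
session.sid_bits_per_character = 5
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text) or "OK")
```

Run against the real file with `audit(open(path).read())`. The weak sample yields five findings (expose_php, use_strict_mode, the empty cookie_secure, the invalid 10MB and the short sid_length); the hardened sample yields none.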
💡 For a production environment, operation over HTTPS is mandatory.
Enable only TLS 1.2 and TLS 1.3; disable SSLv3, TLS 1.0 and TLS 1.1.
Recommended set of cipher suites (older operating systems and browsers, such as IE6 on Windows XP, will not be supported):
HTTP Strict Transport Security (HSTS) makes the browser remember that the site must be accessed only over HTTPS. Once the policy is stored, plain-HTTP requests are upgraded before they leave the browser, and certificate errors become hard failures: if a man-in-the-middle (MITM) presents a forged certificate, the browser closes the connection and offers no option to continue. The policy is learned from the first successful HTTPS response (or from the browser's preload list), so the very first visit is not yet protected.
The max-age parameter specifies how many seconds the browser caches the HSTS policy. A value of 31536000 (one year) or more is recommended.
HTTP Public Key Pinning (HPKP) let the resource administrator declare which certificate authority may sign its certificates. Note that this extension has been removed from all major browsers (Chrome dropped it in 2019, Firefox in 2020), so the Public-Key-Pins header is ignored today and should not be relied on; a wrong pin would lock legitimate users out for the whole max-age with no way to recover. The description is kept for reference. To enable the extension, obtain the pin of the certificate authority that issued your certificate: this is not the certificate fingerprint but the base64-encoded SHA-256 hash of the CA's public key (its SubjectPublicKeyInfo). The easiest way to do it is as follows:
Here cert.pem is the first certificate in the chain that belongs to the certification authority. The output is a base64 string. Enable the extension and specify the pin of your CA (don't forget to substitute your own base64 value):
The max-age parameter specifies how many seconds the browser caches the pin. Do not set it too high: if the CA changes, clients will not be able to reach your resource until the cached pin expires.
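The same recommendations can be verified from the outside, against the headers the server actually returns. The following script is an added example (not part of this page and not Passwork's code): it takes a raw response header block, as printed by `curl -sI https://<host>/`, and checks that HSTS is present with a one-year max-age, that no header leaks the PHP version, that the PHP session cookie carries the Secure and HttpOnly flags and is not persistent, and that session pages are marked no-store. It assumes the session cookie has PHP's default name PHPSESSID; both sample responses are constructed. TLS protocol and cipher support are not visible in headers and need a TLS scanner instead.

```python
# Added example: check an HTTPS response's headers against the settings described
# above (HSTS, no PHP version leak, session cookie flags, no caching).  Not
# Passwork's own code.  Assumptions: the session cookie uses PHP's default name
# PHPSESSID; the one-year max-age threshold is the one recommended above; the
# input is the raw header block as printed by `curl -sI https://<host>/`.

MIN_HSTS_MAX_AGE = 31536000   # one year


def parse_headers(raw):
    """Return [(name, value)] with lowercased names; the status line is skipped.

    Repeated headers such as Set-Cookie stay as separate entries.
    """
    headers = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                     # a malformed max-age counts as absent
        elif name in policy:
            policy[name] = True
    return policy


def cookie_flags(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw, session_cookie="PHPSESSID"):
    """Return a list of findings; an empty list means the response matches the recommendations."""
    hdrs = parse_headers(raw)
    findings = []

    hsts = [v for n, v in hdrs if n == "strict-transport-security"]
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age = parse_hsts(hsts[0])["max-age"]
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age}, want at least {MIN_HSTS_MAX_AGE}")

    for n, v in hdrs:
        if n in ("x-powered-by", "server") and "php" in v.lower():
            findings.append(f"{n}: {v} leaks the PHP version (set expose_php = Off)")

    for n, v in hdrs:
        if n != "set-cookie":
            continue
        name, attrs = cookie_flags(v)
        if name != session_cookie:
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"{name} cookie lacks {flag} (set session.cookie_{flag} = On)")
        if attrs & {"expires", "max-age"}:
            findings.append(f"{name} cookie is persistent (set session.cookie_lifetime = 0)")

    cache = " ".join(v.lower() for n, v in hdrs if n == "cache-control")
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store (set session.cache_limiter = nocache)")
    return findings


# Constructed sample: a default PHP deployment behind nginx, no hardening.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/8.2.12
Set-Cookie: PHPSESSID=abc123; path=/
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the headers PHP emits with the recommended settings, plus HSTS.
HARDENED_RESPONSE = """HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
set-cookie: PHPSESSID=4f9c0e1a; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "OK")
```

The weak sample produces five findings (missing HSTS, the X-Powered-By leak, the two missing cookie flags and the cacheable response); the hardened sample produces none. Run it on a live host with `audit_headers(subprocess.run(["curl", "-sI", url], capture_output=True, text=True).stdout)`.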
| Parameter | Value | Comment |
|---|---|---|
| Section [crypt] | | |
| secret | Do not change manually | Encryption key for the server database. Generated automatically on the first start of Passwork. |
| disableClientSide | Switch on if necessary | Off: client-side encryption mode is enabled. On (default): no encryption on the client. |
| algorithm | Not recommended to change | An encryption algorithm from the OpenSSL library can be specified. |
| source | | Allows the key to be kept in a separate file. Example: in `config/config.ini`, `… [crypt] source = key.ini …`; in `config/key.ini`, `[crypt] secret = base64:….` |
| Section [application] | | |
| csrf | On | Enables sending a CSRF token with every AJAX request. |
| disableEncodeResponse | Do not specify | By default the server base64-encodes all data sent to the client. The value On disables this mode (for debugging only). |
| Section [mongo] | | |
| source | | Allows the connection string to be kept in a separate file. Example: in `config/config.ini`, `… [mongo] source = mongo.ini …`; in `config/mongo.ini`, `[mongo] connectionString = mongodb://db:27017 dbname = production …` |
| Outside any section | | |
| devmode | Do not specify | Enables debugging mode. |
| Setting | Value | Comment |
|---|---|---|
| Additional protection and cookie signature | Enable | PHP session cookies are signed using entropy and data from the HTTP request headers, including the user's IP address. This raises the bar for session ID hijacking and for transferring (stealing) cookies between browsers. Every user automatically loses the session when their IP address changes. |
| Mandatory two-factor authentication | Enable | All users must configure 2FA before they can start working. |
| CSRF token lifetime after last activity, in hours | 24 | |
| API key rotation | Enable | All client applications automatically lose their session and must log in again. |
| Self-recovery of authorisation password | Forbidden | Only a Passwork administrator can reset a forgotten user authorisation password. |
| Automatic logout when inactive | | Passwork logs the user out automatically if no requests arrive from the user within the configured period. |
| Using API | | Allows the API to be disabled. All client applications (mobile applications, browser extensions) use the API; with the API disabled, users can log in only through the web interface. |
Recommendations for additional customisation: