Security settings
This page lists the parameters and recommendations that affect the security of the various Passwork infrastructure components (web server, PHP, database, etc.). Setting every parameter to its strictest value is not always advisable: it can make Passwork less convenient for end users and cause compatibility problems with older operating systems and components.
Change the values as recommended by Passwork technical support
Parameter name | Value | Important | Comment |
---|---|---|---|
expose_php | Off | Yes | Hides PHP version in web server response headers. |
display_errors | Off | Yes | Disables the output of PHP error information. Should always be Off, as all errors are written to log files. |
post_max_size | 10MB | | Limits the maximum size of a request body accepted from the client, which helps protect against DoS attacks. |
max_execution_time | 120 to 600 | | Maximum script execution time (in seconds). |
max_input_time | 120 | | Maximum time to read data from the client (in seconds). |
memory_limit | 256MB to 2GB | | Maximum amount of RAM that the script can use. |
max_input_vars | 1000 | | Number of parameters in POST request. You can increase it if you have problems with importing large CSV or JSON files. |
session.cookie_lifetime | 0 | | When set to 0, the session cookie is not persisted: the browser keeps it only until it is closed. |
session.use_only_cookies | On | Yes | The session IDs will only be sent through cookies. |
session.use_strict_mode | On | Yes | PHP will not accept cookies with a session number that is set by the user and not issued by PHP. Protects against session fixation attacks. |
session.cookie_httponly | On | Yes | Denies access to cookies from JavaScript. |
session.cookie_secure | On | Yes | Cookies will only be accessible via HTTPS. |
session.use_trans_sid | Off | Yes | Prohibits the session ID from being sent via GET parameters. |
session.cache_limiter | nocache | | Disables the cache. |
session.sid_length | 22 to 256 | Yes | Sets the length of the session ID. A longer ID makes session IDs harder to guess. |
session.sid_bits_per_character | 5 | Yes | Maximum character variation in session ID. '4' (0-9, a-f), '5' (0-9, a-v), '6' (0-9, a-z, A-Z, "-", ","). The value 6 is not supported. |
session.cookie_domain | | | If a single domain name is used, it can be specified in this parameter. |
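As an added example (not Passwork's own tooling), the following script audits a php.ini against the values in the table above, normalising PHP's size shorthand and flagging any setting that is missing or outside the recommended range; the rule table is my encoding of the entries above and SAMPLE_INI is a constructed input.

```python
# Audit a php.ini against the table above. Added example, not Passwork's tooling; SAMPLE_INI is constructed.
import re

# name: (kind, expected, important); int/size rules give an inclusive (min, max), None = open-ended.
RULES = {
    "expose_php": ("bool", False, True),
    "display_errors": ("bool", False, True),
    "post_max_size": ("size", (None, 10 << 20), False),
    "memory_limit": ("size", (256 << 20, 2 << 30), False),
    "session.cookie_lifetime": ("int", (0, 0), False),
    "session.use_only_cookies": ("bool", True, True),
    "session.use_strict_mode": ("bool", True, True),
    "session.cookie_httponly": ("bool", True, True),
    "session.cookie_secure": ("bool", True, True),
    "session.use_trans_sid": ("bool", False, True),
    "session.sid_length": ("int", (22, 256), True),
    "session.sid_bits_per_character": ("int", (5, 5), True),
}

def parse_ini(text):
    """{name: value} from 'key = value' lines; ';' starts a comment, surrounding quotes are dropped."""
    pairs = (line.split(";", 1)[0].partition("=") for line in text.splitlines())
    return {k.strip(): v.strip().strip('"') for k, eq, v in pairs if eq}

def parse_size(value):
    """php.ini size shorthand (10M, 2G, 512K). PHP wants the single letter; the table's MB/GB is tolerated."""
    m = re.fullmatch(r"(\d+)\s*([KMG])?B?", value.upper())
    if not m:
        raise ValueError(f"unsupported size value: {value!r}")
    return int(m.group(1)) * {None: 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}[m.group(2)]

def audit_php_ini(text):
    """[(name, value, important)] for every setting that deviates from RULES; a missing one counts too."""
    settings, findings = parse_ini(text), []
    for name, (kind, expected, important) in RULES.items():
        raw = settings.get(name)
        if raw is None:  # not set: PHP's compiled-in default applies, which is rarely the wanted one
            ok = False
        elif kind == "bool":
            ok = (raw.lower() in ("1", "on", "true", "yes")) == expected
        else:
            n = parse_size(raw) if kind == "size" else int(raw)
            ok = (expected[0] is None or n >= expected[0]) and (expected[1] is None or n <= expected[1])
        if not ok:
            findings.append((name, raw, important))
    return findings

SAMPLE_INI = ("expose_php = On\ndisplay_errors = Off\npost_max_size = 10M\nmemory_limit = 128M\n"  # constructed
              "session.cookie_lifetime = 0\nsession.use_only_cookies = 1\nsession.use_strict_mode = 0\n"
              "session.cookie_httponly = 1\nsession.cookie_secure = 1\nsession.use_trans_sid = 0\nsession.sid_length = 48")
```

Running `audit_php_ini(SAMPLE_INI)` reports the exposed PHP version, the undersized memory_limit, the disabled strict session mode and the missing sid_bits_per_character; a php.ini that follows the table yields an empty list.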
For the production environment, HTTPS is mandatory.
Enable only TLS 1.2 and 1.3:
Recommended set of cipher suites (older operating systems and browsers such as IE6 or Windows XP are not supported):
HTTP Strict Transport Security (HSTS) tells the browser that this site works only via HTTPS. A man-in-the-middle attack on such a resource using a substituted certificate no longer succeeds, because the browser immediately closes the connection and does not let the user continue with the forged certificate.
The max-age parameter specifies for how many seconds the browser should cache the HSTS policy. It is recommended to set it to 31536000 (1 year) or higher.
With this extension (HTTP Public Key Pinning) the resource administrator can specify which certificate authority may sign the site's certificates. Note that current versions of Chrome and Firefox no longer honour this header. To enable the extension, you need to obtain the fingerprint of the certificate authority that issued our certificate and encode it in base64. The easiest way to do this is as follows:
Here cert.pem is the first certificate in the chain that belongs to the certification authority. The output is a base64 string. Turn on the extension and specify the fingerprint of your CA (don't forget to use the base64-encoded fingerprint).
The max-age parameter specifies for how many seconds the browser should cache the fingerprint. It is recommended not to use too large a value: if you change the CA, users will not be able to access Passwork until the timeout expires.
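To verify the two headers described above on a running instance, here is an added example (not Passwork's own code) that checks a Strict-Transport-Security value against the one-year minimum and a Public-Key-Pins value for well-formed base64 SHA-256 pins, a backup pin and a modest max-age. The 60-day pin limit and the includeSubDomains check go beyond the page and are my assumptions, and HEADERS is a constructed sample rather than a capture.

```python
# Check Strict-Transport-Security and Public-Key-Pins header values against the text above.
# Added example, not Passwork's own code; HEADERS is a constructed sample, not a real capture.
import base64

HSTS_MIN_AGE = 31536000  # one year, the minimum recommended above
GOOD_PIN = "AQEB" * 10 + "AQE="  # base64 of 32 bytes of 0x01: a well-formed (constructed) SHA-256 pin

def parse_directives(value):
    """'max-age=300; includeSubDomains; pin-sha256="x"' -> [(name, value), ...], names lower-cased."""
    out = []
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out.append((name.lower(), val.strip().strip('"')))
    return out

def check_hsts(value):
    """Return a list of problems with an HSTS header value (empty list = acceptable)."""
    d, problems = dict(parse_directives(value)), []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < HSTS_MIN_AGE:
        problems.append(f"max-age {d['max-age']} is below {HSTS_MIN_AGE} (1 year)")
    if "includesubdomains" not in d:  # extra check beyond the page: keep subdomains on HTTPS too
        problems.append("includeSubDomains not set")
    return problems

def check_hpkp(value, max_age_limit=60 * 86400):
    """Return problems with a Public-Key-Pins value: each pin must be base64 of a 32-byte SHA-256
    digest, a backup pin is required, and max-age must stay modest (60 days is an assumed limit)."""
    problems, pins = [], []
    for name, val in parse_directives(value):
        if name == "pin-sha256":
            try:
                raw = base64.b64decode(val, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                raw = b""
            if len(raw) != 32:
                problems.append(f"pin {val!r} is not a base64-encoded SHA-256 digest")
            pins.append(val)
        elif name == "max-age" and (not val.isdigit() or int(val) > max_age_limit):
            problems.append(f"max-age {val!r} is invalid or above {max_age_limit} s")
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pins: a backup pin is required")
    return problems

HEADERS = {  # constructed sample response headers
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": f'pin-sha256="{GOOD_PIN}"; pin-sha256="AAAA"; max-age=5184000',
}
```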
Parameter name | Value | Comment |
---|---|---|
[crypt] section | | |
secret | Do not change manually. | Server database encryption key. Generated automatically at the first Passwork launch. |
disableClientSide | Switch to Off if necessary. | Toggles client-side encryption. Set to On by default. |
algorithm | Recommended to leave unchanged. | You can specify an encryption algorithm from the OpenSSL library. |
source | | Allows the key to be kept in a separate file. Example: `config/config.ini` … `[crypt]` `source = key.ini` …; `config/key.ini`: `[crypt]` `secret = base64:…` |
[application] section | | |
csrf | On | Sends a CSRF token for every AJAX request. |
disableEncodeResponse | Do not specify. | By default the server encodes all client data in base64. The value On disables this mode (for debugging only). |
[mongo] section | | |
source | | Allows you to put the connection string in a separate file. Example: `config/config.ini` … `[mongo]` `source = mongo.ini` …; `config/mongo.ini`: `[mongo]` `connectionString = mongodb://db:27017` `dbname = production` … |
Without section | | |
devmode | Do not specify. | Enables debugging mode. |
Parameter name | Value | Comment |
---|---|---|
Additional protection and cookie signatures | Enable | PHP session cookies are signed using entropy and data from the HTTP request headers, including the user's IP address. This increases protection against session hijacking and against transferring cookies between browsers. The session is closed automatically when the user's IP address changes. |
Mandatory two-factor authentication | Enable | All users will be required to configure 2FA before joining. |
CSRF token lifetime after last activity | 24 | Set in hours. |
API key rotation | Enable | All client applications will automatically lose the session and require logging in again. |
Self-recovery of authorisation password | Forbidden | Only a Passwork administrator will be able to reset a user's authorisation password. |
Automatic logout when inactive | | Passwork will automatically log users out if no requests are received for the configured period. |
Use of API | | Allows you to disable use of the API. All client applications (mobile applications, browser extensions) use the API. With the API disabled, users will only be able to log in to the desktop version. |
Recommendations for additional customisation: