Security settings

General information

This page lists the parameters and recommendations that affect the security of the various Passwork infrastructure components (web server, PHP, database, etc.). Setting the strictest values is not always recommended: it may make Passwork less convenient for end users and cause compatibility problems with older operating systems and components.

Change the values as recommended by Passwork technical support

PHP settings (php.ini)

| Parameter name | Value | Important | Comment |
|---|---|---|---|
| expose_php | Off | Yes | Hides the PHP version in web server response headers. |
| display_errors | Off | Yes | Disables the output of PHP error information. Should always be Off, as all errors are written to log files. |
| post_max_size | 10MB | | Limits the maximum size of data received from the client, which protects against DoS attacks. |
| max_execution_time | 120 to 600 | | Maximum script execution time (in seconds). |
| max_input_time | 120 | | Maximum time to read data from the client (in seconds). |
| memory_limit | 256MB to 2GB | | Maximum amount of RAM that a script can use. |
| max_input_vars | 1000 | | Maximum number of parameters in a POST request. Increase it if you have problems importing large CSV or JSON files. |
| session.cookie_lifetime | 0 | | When set to 0, the session cookie is not persisted: the browser keeps it only until it is closed. |
| session.use_only_cookies | On | Yes | Session IDs will only be sent through cookies. |
| session.use_strict_mode | On | Yes | PHP will not accept a session ID supplied by the client that PHP did not issue itself. Protects against session fixation attacks. |
| session.cookie_httponly | On | Yes | Denies access to the cookie from JavaScript. |
| session.cookie_secure | On | Yes | The cookie will only be sent over HTTPS. |
| session.use_trans_sid | Off | Yes | Prohibits the session ID from being passed via GET parameters. |
| session.cache_limiter | nocache | | Sends headers that disable client-side caching. |
| session.sid_length | 22 to 256 | Yes | Sets the length of the session ID. A longer ID is harder to guess or brute-force. |
| session.sid_bits_per_character | 5 | Yes | Number of bits per session ID character: '4' (0-9, a-f), '5' (0-9, a-v), '6' (0-9, a-z, A-Z, "-", ","). The value 6 is not supported. |
| session.cookie_domain | | | If a single domain name is used, it can be specified in this parameter. |
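As an added example (not part of the Passwork documentation), the following POSIX shell script audits a php.ini file against the values recommended in the table above, normalising php.ini booleans and shorthand sizes before comparing; the php.ini it checks is constructed inline for demonstration.

```shell
#!/bin/sh
# Added example, not from the Passwork docs: audit a php.ini against the table above.
# Prints one line per deviation; the return value is the number of deviations.
# Last uncommented assignment of a directive, without quotes or inline comments.
php_ini_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}
# php.ini booleans: On/1/true/yes mean On; anything else, including unset, is Off.
to_bool() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in on|1|true|yes) echo On ;; *) echo Off ;; esac
}
# Shorthand sizes (256M, 2G) in megabytes; plain numbers pass through unchanged.
to_mb() {
    n=$(printf '%s' "$1" | tr -d 'MmGg'); case $1 in *[Gg]) echo $((n * 1024)) ;; *) echo "$n" ;; esac
}
# Check lines are "directive kind expected [max]"; kind is bool, eq or range.
check_php_ini() {
    bad=0
    while read -r name kind want max; do
        have=$(php_ini_get "$1" "$name"); ok=1
        case $kind in
            bool)  [ "$(to_bool "$have")" = "$want" ] || ok=0 ;;
            eq)    [ "$have" = "$want" ] || ok=0 ;;
            range) v=$(to_mb "${have:-0}")
                   { [ "$v" -ge "$want" ] && [ "$v" -le "$max" ]; } 2>/dev/null || ok=0 ;;
        esac
        [ $ok -eq 1 ] || { echo "DEVIATION: $name='${have:-unset}' (want $want${max:+ to $max})"; bad=$((bad + 1)); }
    done <<EOF
expose_php bool Off
display_errors bool Off
memory_limit range 256 2048
session.use_only_cookies bool On
session.use_strict_mode bool On
session.cookie_httponly bool On
session.cookie_secure bool On
session.use_trans_sid bool Off
session.sid_length range 22 256
session.sid_bits_per_character eq 5
EOF
    return $bad
}
# Constructed sample php.ini (not a real Passwork file): hardened except two settings.
write_sample_ini() {
    printf '%s\n' 'expose_php = Off' 'display_errors = On' 'memory_limit = "512M"' \
        'session.use_only_cookies = 1' 'session.use_strict_mode = 1' 'session.cookie_httponly = 1' \
        ';session.cookie_secure = 1' 'session.use_trans_sid = 0' 'session.sid_length = 48' \
        'session.sid_bits_per_character = 5' > "$1"
}
f=$(mktemp); write_sample_ini "$f"; n=0
check_php_ini "$f" || n=$?; echo "deviations: $n"; rm -f "$f"
```

Run it against a real php.ini with `check_php_ini /etc/php/8.x/fpm/php.ini` (path varies by distribution); a non-zero exit status means at least one recommended value is not set.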

Web server

Configuring SSL

For the production environment it is mandatory to configure operation over HTTPS.

Enable support for TLS 1.2 and 1.3 only.

Use the recommended set of cryptographic algorithms (older operating systems and browsers, such as IE6 or Windows XP, are not supported).

HTTP Strict Transport Security

HTTP Strict Transport Security tells browsers that this site works only over HTTPS. A man-in-the-middle attack with a substituted certificate then fails, because the browser immediately closes the connection and does not let the user continue with the forged certificate.

The max-age parameter specifies for how many seconds the browser should cache the HSTS header. It is recommended to set it to 31536000 (1 year) or higher.

HTTP Public Key Pinning Extension

With this extension the resource administrator can specify which certificate authority may sign the site's certificates. To enable it, obtain the fingerprint of the certificate authority that issued your certificate and encode it in base64. The easiest way to do it is as follows:

Here cert.pem is the first certificate in the chain that belongs to the certification authority. The output is a base64 string. Enable the extension and specify the fingerprint of your CA (don't forget to include the base64 fingerprint).

The max-age parameter specifies for how many seconds the browser should cache the fingerprint. Use a value that is not too large: if you change the CA, users will not be able to access Passwork until the timeout expires. Note that current browsers have dropped support for HTTP Public Key Pinning, so the Public-Key-Pins header no longer has any effect in them.
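As an added example that is not part of the Passwork documentation, the script below writes a hardened nginx server block reflecting the settings in this section (nginx itself, the server name, the certificate paths and the exact cipher list are assumptions, not the page's own configuration) beside a deliberately weak one, then audits both for legacy TLS versions, well-known weak cipher families and an HSTS max-age below the 31536000 recommended above.

```shell
#!/bin/sh
# Added example, not from the Passwork docs: a constructed nginx TLS/HSTS snippet
# (nginx is an assumption) plus an audit that flags what this section says to avoid.

# Hardened server block: TLS 1.2/1.3 only, ECDHE + AEAD ciphers, HSTS for one year.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name passwork.example.com;                      # constructed name
    ssl_certificate     /etc/ssl/passwork/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/passwork/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}
# Weak counterpart for comparison: legacy protocols, RC4/3DES and a short HSTS max-age.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4:3DES;
    add_header Strict-Transport-Security "max-age=300";
}
EOF
}
# Prints one line per finding; the return value is the number of findings.
audit_tls_conf() {
    bad=0
    for p in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1"); do
        case $p in TLSv1.2|TLSv1.3) ;; *) echo "FINDING: legacy protocol $p"; bad=$((bad + 1)) ;; esac
    done
    for c in $(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p' "$1" | tr ':' ' '); do
        case $c in
            '!'*) ;;  # exclusions such as !aNULL are not enabled suites
            *RC4*|*3DES*|*DES-CBC*|*NULL*|*MD5*|*EXPORT*) echo "FINDING: weak cipher $c"; bad=$((bad + 1)) ;;
        esac
    done
    age=$(sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9]*\).*/\1/p' "$1" | head -n 1)
    [ "${age:-0}" -ge 31536000 ] || { echo "FINDING: HSTS max-age ${age:-missing} below 31536000"; bad=$((bad + 1)); }
    return $bad
}
h=$(mktemp); w=$(mktemp); write_hardened_conf "$h"; write_weak_conf "$w"
for f in "$h" "$w"; do n=0; audit_tls_conf "$f" || n=$?; echo "$f: $n finding(s)"; done; rm -f "$h" "$w"
```

The audit reads the directives with sed, so it works on a single server block file; point `audit_tls_conf` at your own vhost file to check it the same way.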

Setting up Passwork


Configuring security settings in config.ini

| Parameter name | Value | Comment |
|---|---|---|
| [crypt] section | | |
| secret | Do not change manually. | Server database encryption key. Generated automatically at the first Passwork launch. |
| disableClientSide | Switch to Off if necessary. | Toggles client-side encryption. Set to On by default. |
| algorithm | Recommended to leave unchanged. | You can specify an encryption algorithm from the OpenSSL library. |
| source | | Allows you to keep the secret in a separate file (see the example below). |
| [application] section | | |
| csrf | On | Sends a CSRF token with every AJAX request. |
| disableEncodeResponse | Do not specify. | By default the server encodes all client data in base64. The value On disables this mode (for debugging only). |
| [mongo] section | | |
| source | | Allows you to put the connection string in a separate file (see the example below). |
| Without section | | |
| devmode | Do not specify. | Enables debugging mode. |

Example for the [crypt] source parameter:

```ini
; config/config.ini
…
[crypt]
source = key.ini
…

; config/key.ini
[crypt]
secret = base64:…
```

Example for the [mongo] source parameter:

```ini
; config/config.ini
…
[mongo]
source = mongo.ini
…

; config/mongo.ini
[mongo]
connectionString = mongodb://db:27017
dbname = production
…
```

Passwork system parameters

| Parameter name | Value | Comment |
|---|---|---|
| Additional protection and cookie signatures | Enable | PHP session cookies are signed using entropy and data from the HTTP request headers, including the user's IP address. This increases protection against session hijacking and the transfer of cookies between browsers. The session is closed automatically when the user's IP address changes. |
| Mandatory two-factor authentication | Enable | All users will be required to configure 2FA before joining. |
| CSRF token lifetime after last activity | 24 | Set in hours. |
| API key rotation | Enable | All client applications will automatically lose their session and require logging in again. |
| Self-recovery of authorisation password | Forbidden | Only a Passwork administrator will be able to reset a user's authorisation password. |
| Automatic logout when inactive | | Passwork will automatically log users out if no requests arrive from the client. |
| Using API | | Allows you to disable the API. All client applications (mobile applications, browser extensions) use the API. With the API disabled, users will only be able to log in to the desktop version. |

Configuring the MongoDB database

Recommendations for additional customisation: