Changes for page Allgemein


From version 3.1
edited by jdr
on 19.07.2021, 15:16
Change comment: There is no comment for this version
To version 4.14
edited by gru
on 16.01.2023, 14:13
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.jdr
1 +XWiki.gru
Content
... ... @@ -6,34 +6,89 @@
6 6  
7 7  The menu //General// allows the configuration of general FORMCYCLE settings like cache configurations or upload limits.
8 8  
9 -== Referrer policy ==
9 +== Security ==
10 10  
11 -{{lightbox image="system_general_referrer_en.png" title="Referrer policy"}}
11 +=== HTTP Strict Transport Security (HSTS) ===
12 +
13 +{{figure image="system_general_hsts_en.png" width="600" clear="h3"}}
14 +You can enable HSTS to
15 +{{/figure}}
16 +
17 +HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter //0// as the value.
18 +
19 +=== Iframe integration ===
20 +
21 +{{figure image="system_general_iframe_en.png" clear="h3" width="600"}}
22 + You can optionally whitelist third-party pages that should be allowed to include backend pages via iframes.
23 +{{/figure}}
24 +
25 +By default, {{formcycle/}} blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the //frame-ancestors// directive of the //Content-Security-Policy// HTTP header, see for example [[mdn web docs>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors||target="_blank"]] for an in-depth descrption of the allowed values.
26 +
27 +=== Password policies ===
28 +
29 +{{figure image="PasswordPolicies.PNG" width="600" clear="h3"}}
30 +
31 +{{/figure}}
32 +
33 +The strength of all user passwords can be configured here. Passwords may not be shorter than a minimum length of 8 characters, but a higher minimum length can be configured. Different character sets (like letters in general, lowercase letters, uppercase letters, digits or special characters) can be forced to be contained in all passwords. After setting password policies, all new and all changed passwords must follow these. Existing passwords will not be changed, even if they do not conform the new password policies.
34 +
35 +=== Referrer policy ===
36 +
37 +{{figure image="system_general_referrer_en.png" width="600" clear="h3"}}
12 12  Referrer policy
13 -{{/lightbox}}
39 +{{/figure}}
14 14  
15 15  This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.
16 16  
17 -== HTTP Strict Transport Security (HSTS) ==
43 +=== Session cookie settings ===
18 18  
19 -{{lightbox image="system_general_hsts_en.png" title="HTTP Strict Transport Security (HSTS)"}}
20 -HTTP Strict Transport Security (HSTS)
21 -{{/lightbox}}
45 +{{figure image="system_general_session_cookie_en.png" clear="h3" width="600"}}
46 + If possible, we recommend you make the settings for the session cookie as strict as possible and require HTTPS.
47 +{{/figure}}
22 22  
23 -HTTP Strict Transport Security (HSTS) ist ein Sicherheitsmechanismus für HTTPS-Verbindungen, der sowohl vor Aushebelung der Verbindungsverschlüsselung durch eine Downgrade-Attacke als auch vor Session Hijacking schützen soll. Für einen Betrieb unter HTTP wählen Sier die Dauer 0.
49 +The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.
24 24  
25 -== Password policies ==
51 +=== Content-Security-Policy ===
26 26  
27 -[[image:PasswordPolicies.PNG||alt="Passwort-Richtlinien.PNG"]]
53 +{{figure image="system_general_csp_en.png" clear="h3" width="600"}}
54 +You can add additional policies to the Content-Security-Policy header.
55 +{{/figure}}
28 28  
29 -The strength of all user passwords can be configured here. Passwords may not be shorter than a minimum length of 8 characters, but a higher minimum length can be configured. Different character sets (like letters in general, lowercase letters, uppercase letters, digits or special characters) can be forced to be contained in all passwords. After setting password policies, all new and all changed passwords must follow these. Existing passwords will not be changed, even if they do not conform the new password policies.
57 +{{version major="7" minor="2" patch="1"/}} Lets you add additional policies to the Content-Security-Policy header. Different values can be stored for backend (administration interface, designer, inbox) and for frontend (web forms).
30 30  
31 -== Cache ==
59 +Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
32 32  
33 -{{lightbox image="system_general_cache_en.png" title="Form and file cache"}}
34 -Form and file cache
35 -{{/lightbox}}
61 +For a list of available policies, see e.g. this [[Mozilla page>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy||_target="blank"]].
36 36  
63 +== Protocol ==
64 +
65 +=== Automatic deletion of protocol entries ===
66 +
67 +{{figure image="system_delete_protocoll_en.png" width="600" clear="h3"}}
68 +You can delete old protocol entries automatically, which may also help prevent the database from growing too large.
69 +{{/figure}}
70 +
71 +Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the amount of automatically deleted protocol entries.
72 +
73 +=== Generated protocol entries ===
74 +
75 +{{figure image="system_general_generated_protocol_entries_en.png" clear="h3" width="600"}}
76 + These settings let you enable or disable certain types of protocol entries.
77 +{{/figure}}
78 +
79 +; Add protocol entry when an automatic form submission by a bot was detected
80 +: {{formcycle/}} tries to detect attempts by machines (bots) to submit forms automatically. When a bot was detected, the submission is blocked. If this option is enabled, a processing [[protocol entry>>doc:Formcycle.UserInterface.Protocol]] is created.
81 +; Add protocol entry when attempting to submit a form with an invalid submit button
82 +: You can add [[buttons>>doc:Formcycle.Designer.Form.FormElements.Button]] to a form that allows users to submit the form. Within the workflow, you can [[check whether a certain buttons was pressed>>doc:Formcycle.Designer.Workflow.Events.SubmitButton]] and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing [[protocol entry is created>>doc:Formcycle.UserInterface.Protocol]] when a form was submitted with an invalid submit button.
83 +
84 +== Limits ==
85 +
86 +=== Form and file cache ===
87 +
88 +{{figure image="system_general_cache_en.png" width="600" clear="h3"}}
89 +You can change the form and file cache size, which may be necessary when you have got many forms , or you can deactivate the cache for testing purposes.
90 +{{/figure}}
91 +
37 37  The file cache stores files used by the system, the form cache stores rendered HTML forms.
38 38  
39 39  {{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the form cache"}}
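Review bot: The HSTS figure caption added at new line 14 stops mid-sentence ("You can enable HSTS to"), and the paragraph at new line 17 says to enter //0// "as the value" without naming the field or its unit, whereas the removed German text spoke of a duration. Complete the caption and name the setting so readers know what a value of 0 switches off. The Mozilla link at new line 61 uses `||_target="blank"` while the link at new line 25 uses `||target="_blank"`; the attribute name and value look swapped, so align it with line 25. Minor wording: "descrption" (line 25), "conform the new password policies" (line 33), "a certain buttons was pressed" (line 82), the stray space in "many forms ," (line 89), and the empty caption in the Password policies figure (lines 29 to 31).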
... ... @@ -50,11 +50,11 @@
50 50  |Time to idle|0|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.
51 51  {{/table}}
52 52  
53 -== System limits ==
108 +=== System limits ===
54 54  
55 -{{lightbox image="system_general_limits_en.png" title="System limits"}}
110 +{{figure image="system_general_limits_en.png" width="600" clear="h3"}}
56 56  System limits
57 -{{/lightbox}}
112 +{{/figure}}
58 58  
59 59  {{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding various limits"}}
60 60  |= Property|= Default value|= Explanation
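Review bot: The figure caption at new line 111 is still the bare heading text "System limits", while other figures converted to {{figure}} in this revision received a sentence describing the setting (for example the cache figure at new line 89). Give this caption a short description of what the limits control so the captions are consistent across the page.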
... ... @@ -65,16 +65,22 @@
65 65  |database field size limit|0|Maximum size in bytes when retrieving columns of type //character// (eg. char or varchar) or //binary//. Set to {{code language="none"}}0{{/code}} to disable.
66 66  {{/table}}
67 67  
68 -== Loopback URL ==
123 +== Configuration ==
69 69  
70 -{{lightbox image="system_general_loopback_en.png" title="Loopback URL"}}
125 +=== Loopback URL ===
126 +
127 +{{figure image="system_general_loopback_en.png" width="600" clear="h3"}}
71 71  Loopback URL
72 -{{/lightbox}}
129 +{{/figure}}
73 73  
74 74  Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).
75 75  
76 -== Automatic deletion of protocol entries ==
133 +=== License ===
77 77  
78 -[[image:Screenshot_delete_protocoll.PNG||alt="Screenshot_ProtokollLöschen.PNG"]]
135 +{{figure image="system_general_license_en.png" clear="h3" width="600"}}
136 + Here you can change certain settings related to the license.
137 +{{/figure}}
79 79  
80 -Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the amount of automatically deleted protocol entries.
139 +; Allow automatic license update through external notifications
140 +: When this option is enabled, one can trigger a license update via an HTTP request to {{code language="text"}}http://example.com/formcycle/license/notify?key=LICENSE_KEY{{/code}}, where {{code language="text"}}http://example.com/formcycle{{/code}} should be replaced with the actual URL of the {{formcycle/}} server and //LICENSE_KEY// should be replaced with the license key of the license to update.
141 +
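Review bot: The example at new line 140 puts the license key in the query string of a plain `http://` URL (`/license/notify?key=LICENSE_KEY`), so a reader who copies it would send the key unencrypted and leave it in access and proxy logs. Use `https://` in the example and state whether the endpoint requires anything beyond the key, since the text only says that "one can trigger a license update via an HTTP request". The Loopback URL caption at new line 128 also still just repeats the heading.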