Wiki source code of Allgemein


{{figure image="system_general_en.png" clear="h1"}}
Configuration of general FORMCYCLE settings.
{{/figure}}

{{content/}}

The menu //General// allows the configuration of general FORMCYCLE settings like cache configurations or upload limits.

== Security ==

=== HTTP Strict Transport Security (HSTS) ===

{{figure image="system_general_hsts_en.png" width="600" clear="h3"}}
You can enable HSTS to
{{/figure}}

HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter //0// as the value.

=== Iframe integration ===

{{figure image="system_general_iframe_en.png" clear="h3" width="600"}}
You can optionally whitelist third-party pages that should be allowed to include backend pages via iframes.
{{/figure}}

By default, {{formcycle/}} blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the //frame-ancestors// directive of the //Content-Security-Policy// HTTP header, see for example [[mdn web docs>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors||target="_blank"]] for an in-depth description of the allowed values.

=== Password policies ===

{{figure image="PasswordPolicies.PNG" width="600" clear="h3"}}

{{/figure}}

The strength of all user passwords can be configured here. Passwords must be at least 8 characters long; a higher minimum length can be configured. You can also require that every password contains characters from particular character sets (letters in general, lowercase letters, uppercase letters, digits or special characters). Once password policies are set, all new and all changed passwords must comply with them. Existing passwords are not changed, even if they do not conform to the new password policies.

=== Referrer policy ===

{{figure image="system_general_referrer_en.png" width="600" clear="h3"}}
Referrer policy
{{/figure}}

This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.

=== Session cookie settings ===

{{figure image="system_general_session_cookie_en.png" clear="h3" width="600"}}
If possible, we recommend you make the settings for the session cookie as strict as possible and require HTTPS.
{{/figure}}

The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.

=== Content-Security-Policy ===

{{figure image="system_general_csp_en.png" clear="h3" width="600"}}
You can add additional policies to the Content-Security-Policy header.
{{/figure}}

{{version major="7" minor="2" patch="1"/}} Lets you add additional policies to the Content-Security-Policy header. Different values can be stored for backend (administration interface, designer, inbox) and for frontend (web forms).

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.

For a list of available policies, see e.g. this [[Mozilla page>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy||target="_blank"]].

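After changing the security settings above, you can check what the server actually sends. The following is an added example, not part of the {{formcycle/}} documentation or code: it audits one response's headers for the HSTS, frame-ancestors, referrer policy and session cookie settings. The function name, the finding labels, the cookie name //JSESSIONID// and the host //partner.example// are assumptions of this example.

```python
import re
# Referrer policies that pass the full URL (path and query) to other origins.
FULL_URL_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

def audit_headers(headers, allowed_ancestors=("'self'",), session_cookie="JSESSIONID"):
    """Audit one response given as (name, value) pairs. allowed_ancestors and
    session_cookie are assumptions: use your whitelist and cookie name."""
    findings, single, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single.setdefault(name.lower(), value)  # keep first occurrence
    # HSTS: a missing header or max-age=0 leaves browsers free to use HTTP.
    m = re.search(r'max-age\s*=\s*"?(\d+)', single.get("strict-transport-security", ""), re.I)
    if m is None or int(m.group(1)) == 0:
        findings.append("hsts-off")
    # CSP: split into directives, then compare frame-ancestors to the whitelist.
    directives = {}
    for part in single.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors-missing")
    for source in directives.get("frame-ancestors", []):
        if source != "'none'" and source not in allowed_ancestors:
            findings.append("frame-ancestors-unexpected " + source)
    # Referrer-Policy: flag values that hand the full URL to external pages.
    if single.get("referrer-policy", "").strip().lower() in FULL_URL_REFERRER:
        findings.append("referrer-full-url")
    # Session cookie: Secure flag and cross-site (SameSite=None) delivery.
    for cookie in cookies:
        name, *attrs = [p.strip() for p in cookie.split(";")]
        attrs = {a.lower() for a in attrs}
        if name.split("=", 1)[0] == session_cookie:
            if "secure" not in attrs:
                findings.append("session-cookie-not-secure")
            if "samesite=none" in attrs:
                findings.append("session-cookie-cross-site")
    return findings

# Constructed sample response headers, not captured from a real server.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example"),
    ("Referrer-Policy", "unsafe-url"),
    ("Set-Cookie", "JSESSIONID=constructed; Path=/formcycle; SameSite=None"),
]
```

Calling {{code language="none"}}audit_headers(SAMPLE){{/code}} returns one finding per weak setting; pass your own iframe whitelist as //allowed_ancestors// so that intentionally whitelisted pages are not reported.
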
== Protocol ==

=== Automatic deletion of protocol entries ===

{{figure image="system_delete_protocoll_en.png" width="600" clear="h3"}}
You can delete old protocol entries automatically, which may also help prevent the database from growing too large.
{{/figure}}

Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the number of automatically deleted protocol entries.

=== Generated protocol entries ===

{{figure image="system_general_generated_protocol_entries_en.png" clear="h3" width="600"}}
These settings let you enable or disable certain types of protocol entries.
{{/figure}}

; Add protocol entry when an automatic form submission by a bot was detected
: {{formcycle/}} tries to detect attempts by machines (bots) to submit forms automatically. When a bot is detected, the submission is blocked. If this option is enabled, a processing [[protocol entry>>doc:Formcycle.UserInterface.Protocol]] is created.
; Add protocol entry when attempting to submit a form with an invalid submit button
: You can add [[buttons>>doc:Formcycle.Designer.Form.FormElements.Button]] to a form that allow users to submit the form. Within the workflow, you can [[check whether a certain button was pressed>>doc:Formcycle.Designer.Workflow.Events.SubmitButton]] and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing [[protocol entry is created>>doc:Formcycle.UserInterface.Protocol]] when a form was submitted with an invalid submit button.

== Limits ==

=== Form and file cache ===

{{figure image="system_general_cache_en.png" width="600" clear="h3"}}
You can change the form and file cache size, which may be necessary when you have many forms, or you can deactivate the cache for testing purposes.
{{/figure}}

The file cache stores files used by the system, the form cache stores rendered HTML forms.

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the form cache"}}
|= Property|= Default value|= Explanation
|Max disk size|-1|Maximum size in MB of what the form cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.
|Max Heap size|75|Maximum size in MB of what the form cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory form cache is disabled.
|Time to idle|0|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.
{{/table}}

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the file cache"}}
|= Property|= Default value|= Explanation
|Max disk size|-1|Maximum size in MB of what the file cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.
|Max heap size|75|Maximum size in MB of what the file cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory file cache is disabled.
|Time to idle|0|Time interval in seconds until an item in the file cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.
{{/table}}

=== System limits ===

{{figure image="system_general_limits_en.png" width="600" clear="h3"}}
System limits
{{/figure}}

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding various limits"}}
|= Property|= Default value|= Explanation
|Disk usage threshold|0|This is the size threshold in bytes beyond which files are written directly to disk.
|Limit per file||Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to {{code language="none"}}-1{{/code}} or no value to disable. This setting applies to both form uploads and backend uploads.
|Total upload limit||The total allowed size of simultaneously uploaded files. This setting does not apply when multiple files are uploaded individually. When the user submits a form, this is the maximum allowed post size. Set to {{code language="none"}}-1{{/code}} or no value to disable.
|Maximum database query row count|5000|Maximum number of returned rows for a query to the database. Set to {{code language="none"}}0{{/code}} to disable.
|Database field size limit|0|Maximum size in bytes when retrieving columns of type //character// (e.g. char or varchar) or //binary//. Set to {{code language="none"}}0{{/code}} to disable.
{{/table}}

== Configuration ==

=== Loopback URL ===

{{figure image="system_general_loopback_en.png" width="600" clear="h3"}}
Loopback URL
{{/figure}}

Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).

=== License ===

{{figure image="system_general_license_en.png" clear="h3" width="600"}}
Here you can change certain settings related to the license.
{{/figure}}

; Allow automatic license update through external notifications
: When this option is enabled, one can trigger a license update via an HTTP request to {{code language="text"}}http://example.com/formcycle/license/notify?key=LICENSE_KEY{{/code}}, where {{code language="text"}}http://example.com/formcycle{{/code}} should be replaced with the actual URL of the {{formcycle/}} server and //LICENSE_KEY// should be replaced with the license key of the license to update.