General - FORMCYCLE Wiki

HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter //0// as the value.

18

19

=== Iframe integration ===

20

21

{{figure image="system_general_iframe_en.png" clear="h3" width="600"}}

22

You can optionally whitelist third-party pages that should be allowed to include backend pages via iframes.

23

24

25

By default, {{formcycle/}} blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the //frame-ancestors// directive of the //Content-Security-Policy// HTTP header, see for example [[mdn web docs>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors||target="_blank"]] for an in-depth descrption of the allowed values.

26

27

=== Password policies ===

The strength of all user passwords can be configured here. Passwords may not be shorter than a minimum length of 8 characters, but a higher minimum length can be configured. Different character sets (like letters in general, lowercase letters, uppercase letters, digits or special characters) can be forced to be contained in all passwords. After setting password policies, all new and all changed passwords must follow these. Existing passwords will not be changed, even if they do not conform the new password policies.

34

35

=== Referrer policy ===

36

37

{{figure image="system_general_referrer_en.png" width="600" clear="h3"}}

Referrer policy

This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.

42

43

=== Session cookie settings ===

44

45

{{figure image="system_general_session_cookie_en.png" clear="h3" width="600"}}

46

If possible, we recommend you make the settings for the session cookie as strict as possible and require HTTPS.

47

48

49

The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.

50

51

=== Content-Security-Policy ===

52

53

{{figure image="system_general_csp_en.png" clear="h3" width="600"}}

54

You can add additional policies to the Content-Security-Policy header.

55

56

57

{{version major="7" minor="2" patch="1"/}} Lets you add additional policies to the Content-Security-Policy header. Different values can be stored for backend (administration interface, designer, inbox) and for frontend (web forms).

58

59

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.

60

61

For a list of available policies, see e.g. this [[Mozilla page>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy||_target="blank"]].

== Protocol ==

=== Automatic deletion of protocol entries ===

66

67

{{figure image="system_delete_protocoll_en.png" width="600" clear="h3"}}

68

You can delete old protocol entries automatically, which may also help prevent the database from growing too large.

69

70

71

Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the amount of automatically deleted protocol entries.

72

73

=== Generated protocol entries ===

74

75

{{figure image="system_general_generated_protocol_entries_en.png" clear="h3" width="600"}}

76

These settings let you enable or disable certain types of protocol entries.

77

78

79

; Add protocol entry when an automatic form submission by a bot was detected

80

: {{formcycle/}} tries to detect attempts by machines (bots) to submit forms automatically. When a bot was detected, the submission is blocked. If this option is enabled, a processing [[protocol entry>>doc:Formcycle.UserInterface.Protocol]] is created.

81

; Add protocol entry when attempting to submit a form with an invalid submit button

82

: You can add [[buttons>>doc:Formcycle.Designer.Form.FormElements.Button]] to a form that allows users to submit the form. Within the workflow, you can [[check whether a certain buttons was pressed>>doc:Formcycle.Designer.Workflow.Events.SubmitButton]] and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing [[protocol entry is created>>doc:Formcycle.UserInterface.Protocol]] when a form was submitted with an invalid submit button.

== Limits ==

=== Form and file cache ===

87

88

{{figure image="system_general_cache_en.png" width="600" clear="h3"}}

89

You can change the form and file cache size, which may be necessary when you have got many forms , or you can deactivate the cache for testing purposes.

90

91

92

The file cache stores files used by the system, the form cache stores rendered HTML forms.

93

94

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the form cache"}}

95

|= Property|= Default value|= Explanation

96

|Max disk size|-1|Maximum size in MB of what the form cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.

97

|Max Heap size|75|Maximum size in MB of what the form cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory form cache is disabled.

98

|Time to idle|0|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.

99

100

101

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the file cache"}}

102

|= Property|= Default value|= Explanation

103

|Max disk size|-1|Maximum size in MB of what the file cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.

104

|Max heap size|75|Maximum size in MB of what the file cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory file cache is disabled.

105

|Time to idle|0|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.

106

107

108

=== System limits ===

109

110

{{figure image="system_general_limits_en.png" width="600" clear="h3"}}

System limits

{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding various limits"}}

115

|= Property|= Default value|= Explanation

116

|Disk usage threshold|0|This is the size threshold in bytes beyond which files are written directly to disk.

117

|Limit per file||Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to {{code language="none"}}-1{{/code}} or no value to disable. This settings applies to both form uploads as well as backend uploads.

118

|Total upload limit||The total allowed size of simultaneously uploaded files. This setting does not apply when multiple files are uploaded individually. When the user submits a form, this is the maximum allowed post size. Set to {{code language="none"}}-1{{/code}} or no value to disable.

119

|Maximum database query row count|5000|Maximum number of returned rows for a query to the database. Set to {{code language="none"}}0{{/code}} to disable.

120

|database field size limit|0|Maximum size in bytes when retrieving columns of type //character// (eg. char or varchar) or //binary//. Set to {{code language="none"}}0{{/code}} to disable.

== Configuration ==

=== Loopback URL ===

{{figure image="system_general_loopback_en.png" width="600" clear="h3"}}

Loopback URL

Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).

=== License ===

{{figure image="system_general_license_en.png" clear="h3" width="600"}}

136

Here you can change certain settings related to the license.

137

138

139

; Allow automatic license update through external notifications

140

: When this option is enabled, one can trigger a license update via an HTTP request to {{code language="text"}}http://example.com/formcycle/license/notify?key=LICENSE_KEY{{/code}}, where {{code language="text"}}http://example.com/formcycle{{/code}} should be replaced with the actual URL of the {{formcycle/}} server and //LICENSE_KEY// should be replaced with the license key of the license to update.

Wiki source code of Allgemein

Navigation

author	version	line-number	content
		1	{{figure image="system_general_en.png" clear="h1"}}
		2	Configuration of general FORMCYCLE settings.
		3	{{/figure}}
		4
		5	{{content/}}
		6
		7	The menu //General// allows the configuration of general FORMCYCLE settings like cache configurations or upload limits.
		8
		9	== Security ==
		10
		11	=== HTTP Strict Transport Security (HSTS) ===
		12
		13	{{figure image="system_general_hsts_en.png" width="600" clear="h3"}}
		14	You can enable HSTS to
		15	{{/figure}}
		16
		17	HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter //0// as the value.
		18
		19	=== Iframe integration ===
		20
		21	{{figure image="system_general_iframe_en.png" clear="h3" width="600"}}
		22	You can optionally whitelist third-party pages that should be allowed to include backend pages via iframes.
		23	{{/figure}}
		24
		25	By default, {{formcycle/}} blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the //frame-ancestors// directive of the //Content-Security-Policy// HTTP header, see for example [[mdn web docs>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\|\|target="_blank"]] for an in-depth descrption of the allowed values.
		26
		27	=== Password policies ===
		28
		29	{{figure image="PasswordPolicies.PNG" width="600" clear="h3"}}
		30
		31	{{/figure}}
		32
		33	The strength of all user passwords can be configured here. Passwords may not be shorter than a minimum length of 8 characters, but a higher minimum length can be configured. Different character sets (like letters in general, lowercase letters, uppercase letters, digits or special characters) can be forced to be contained in all passwords. After setting password policies, all new and all changed passwords must follow these. Existing passwords will not be changed, even if they do not conform the new password policies.
		34
		35	=== Referrer policy ===
		36
		37	{{figure image="system_general_referrer_en.png" width="600" clear="h3"}}
		38	Referrer policy
		39	{{/figure}}
		40
		41	This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.
		42
		43	=== Session cookie settings ===
		44
		45	{{figure image="system_general_session_cookie_en.png" clear="h3" width="600"}}
		46	If possible, we recommend you make the settings for the session cookie as strict as possible and require HTTPS.
		47	{{/figure}}
		48
		49	The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.
		50
		51	=== Content-Security-Policy ===
		52
		53	{{figure image="system_general_csp_en.png" clear="h3" width="600"}}
		54	You can add additional policies to the Content-Security-Policy header.
		55	{{/figure}}
		56
		57	{{version major="7" minor="2" patch="1"/}} Lets you add additional policies to the Content-Security-Policy header. Different values can be stored for backend (administration interface, designer, inbox) and for frontend (web forms).
		58
		59	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
		60
		61	For a list of available policies, see e.g. this [[Mozilla page>>url:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\|\|_target="blank"]].
		62
		63	== Protocol ==
		64
		65	=== Automatic deletion of protocol entries ===
		66
		67	{{figure image="system_delete_protocoll_en.png" width="600" clear="h3"}}
		68	You can delete old protocol entries automatically, which may also help prevent the database from growing too large.
		69	{{/figure}}
		70
		71	Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the amount of automatically deleted protocol entries.
		72
		73	=== Generated protocol entries ===
		74
		75	{{figure image="system_general_generated_protocol_entries_en.png" clear="h3" width="600"}}
		76	These settings let you enable or disable certain types of protocol entries.
		77	{{/figure}}
		78
		79	; Add protocol entry when an automatic form submission by a bot was detected
		80	: {{formcycle/}} tries to detect attempts by machines (bots) to submit forms automatically. When a bot was detected, the submission is blocked. If this option is enabled, a processing [[protocol entry>>doc:Formcycle.UserInterface.Protocol]] is created.
		81	; Add protocol entry when attempting to submit a form with an invalid submit button
		82	: You can add [[buttons>>doc:Formcycle.Designer.Form.FormElements.Button]] to a form that allows users to submit the form. Within the workflow, you can [[check whether a certain buttons was pressed>>doc:Formcycle.Designer.Workflow.Events.SubmitButton]] and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing [[protocol entry is created>>doc:Formcycle.UserInterface.Protocol]] when a form was submitted with an invalid submit button.
		83
		84	== Limits ==
		85
		86	=== Form and file cache ===
		87
		88	{{figure image="system_general_cache_en.png" width="600" clear="h3"}}
		89	You can change the form and file cache size, which may be necessary when you have got many forms , or you can deactivate the cache for testing purposes.
		90	{{/figure}}
		91
		92	The file cache stores files used by the system, the form cache stores rendered HTML forms.
		93
		94	{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the form cache"}}
		95	\|= Property\|= Default value\|= Explanation
		96	\|Max disk size\|-1\|Maximum size in MB of what the form cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.
		97	\|Max Heap size\|75\|Maximum size in MB of what the form cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory form cache is disabled.
		98	\|Time to idle\|0\|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.
		99	{{/table}}
		100
		101	{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding the file cache"}}
		102	\|= Property\|= Default value\|= Explanation
		103	\|Max disk size\|-1\|Maximum size in MB of what the file cache stores in the file system. No limit when set to {{code language="none"}}-1{{/code}}. If set to {{code language="none"}}0{{/code}}, the file system is not used by the cache.
		104	\|Max heap size\|75\|Maximum size in MB of what the file cache stores in-memory. If set to {{code language="none"}}0{{/code}}, the in-memory file cache is disabled.
		105	\|Time to idle\|0\|Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to {{code language="none"}}0{{/code}} to disable.
		106	{{/table}}
		107
		108	=== System limits ===
		109
		110	{{figure image="system_general_limits_en.png" width="600" clear="h3"}}
		111	System limits
		112	{{/figure}}
		113
		114	{{table dataTypeAlpha="0" preSort="0-asc" caption="Settings regarding various limits"}}
		115	\|= Property\|= Default value\|= Explanation
		116	\|Disk usage threshold\|0\|This is the size threshold in bytes beyond which files are written directly to disk.
		117	\|Limit per file\|\|Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to {{code language="none"}}-1{{/code}} or no value to disable. This settings applies to both form uploads as well as backend uploads.
		118	\|Total upload limit\|\|The total allowed size of simultaneously uploaded files. This setting does not apply when multiple files are uploaded individually. When the user submits a form, this is the maximum allowed post size. Set to {{code language="none"}}-1{{/code}} or no value to disable.
		119	\|Maximum database query row count\|5000\|Maximum number of returned rows for a query to the database. Set to {{code language="none"}}0{{/code}} to disable.
		120	\|database field size limit\|0\|Maximum size in bytes when retrieving columns of type //character// (eg. char or varchar) or //binary//. Set to {{code language="none"}}0{{/code}} to disable.
		121	{{/table}}
		122
		123	== Configuration ==
		124
		125	=== Loopback URL ===
		126
		127	{{figure image="system_general_loopback_en.png" width="600" clear="h3"}}
		128	Loopback URL
		129	{{/figure}}
		130
		131	Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).
		132
		133	=== License ===
		134
		135	{{figure image="system_general_license_en.png" clear="h3" width="600"}}
		136	Here you can change certain settings related to the license.
		137	{{/figure}}
		138
		139	; Allow automatic license update through external notifications
		140	: When this option is enabled, one can trigger a license update via an HTTP request to {{code language="text"}}http://example.com/formcycle/license/notify?key=LICENSE_KEY{{/code}}, where {{code language="text"}}http://example.com/formcycle{{/code}} should be replaced with the actual URL of the {{formcycle/}} server and //LICENSE_KEY// should be replaced with the license key of the license to update.