This documentation is for Passwork version 6.0, no longer supported.

See documentation for version 7.0.

Security settings

General information

This page lists the parameters and recommendations that affect the security of the various Passwork infrastructure components (web server, PHP, database, and so on). Setting every parameter to its maximum value is not always recommended: it can make Passwork less convenient for end users and cause compatibility issues with older operating systems and components.

Warning: Change the values as recommended by Passwork technical support.

PHP settings (php.ini)

| Parameter name | Value | Important | Comment |
| --- | --- | --- | --- |
| expose_php | Off | Yes | Hides the PHP version in web server response headers. |
| display_errors | Off | Yes | Disables the output of PHP error information. Should always be Off, as all errors are written to log files. |
| post_max_size | 10MB | | Limits the maximum size of data received from the client, which protects against DoS attacks. |
| max_execution_time | 120 to 600 | | Maximum script execution time (in seconds). |
| max_input_time | 120 | | Maximum time to read data from the client (in seconds). |
| memory_limit | 256MB to 2GB | | Maximum amount of RAM that a script can use. |
| max_input_vars | 1000 | | Maximum number of parameters in a POST request. You can increase it if you have problems importing large CSV or JSON files. |
| session.cookie_lifetime | 0 | | When set to 0, the session cookie is not persisted by the browser and is discarded when the browser is closed. |
| session.use_only_cookies | On | Yes | Session IDs will only be sent through cookies. |
| session.use_strict_mode | On | Yes | PHP will not accept a session ID supplied by the client that PHP did not issue itself. Protects against session fixation attacks. |
| session.cookie_httponly | On | Yes | Denies access to the session cookie from JavaScript. |
| session.cookie_secure | On | Yes | The session cookie will only be sent over HTTPS. |
| session.use_trans_sid | Off | Yes | Prohibits the session ID from being passed via GET parameters. |
| session.cache_limiter | nocache | | Disables caching of session pages. |
| session.sid_length | 22 to 256 | Yes | Sets the length of the session ID. A longer ID is harder to guess. |
| session.sid_bits_per_character | 5 | Yes | Number of bits encoded per session ID character: '4' (0-9, a-f), '5' (0-9, a-v), '6' (0-9, a-z, A-Z, "-", ","). The value 6 is not supported. |
| session.cookie_domain | | | If a single domain name is used, it can be specified in this parameter. |
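The table above is easy to read but tedious to check by hand on every server. The following script is an added example (not Passwork's own tooling) that reads a php.ini file and reports every directive that deviates from the recommended values, marking the ones the table flags as Important. The sample php.ini is constructed inline; in practice read the file that `php --ini` reports as loaded.

```python
"""Audit a php.ini against the hardening values listed in the table above."""
import re

_SIZE_RE = re.compile(r"^(\d+)\s*([kmg]?)b?$", re.IGNORECASE)
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
MB, GB = 1024 ** 2, 1024 ** 3


def parse_size(value: str) -> int:
    """php.ini shorthand size ('10M', '256MB', '2G') in bytes; '-1' etc. raise."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_bool(value: str) -> bool:
    """php.ini boolean: On/True/Yes/1 are true, anything else (incl. empty) is false."""
    return value.strip().lower() in {"on", "true", "yes", "1"}


def parse_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' comments and [sections] are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if sep:
            settings[key.strip()] = val.strip().strip('"')
    return settings


# name: (check on the raw value, flagged Important in the table, expected value)
RULES = {
    "expose_php": (lambda v: not parse_bool(v), True, "Off"),
    "display_errors": (lambda v: not parse_bool(v), True, "Off"),
    "post_max_size": (lambda v: parse_size(v) <= 10 * MB, False, "10MB"),
    "max_execution_time": (lambda v: 120 <= int(v) <= 600, False, "120 to 600"),
    "max_input_time": (lambda v: int(v) == 120, False, "120"),
    "memory_limit": (lambda v: 256 * MB <= parse_size(v) <= 2 * GB, False, "256MB to 2GB"),
    "max_input_vars": (lambda v: int(v) >= 1000, False, "1000 or more"),
    "session.cookie_lifetime": (lambda v: int(v) == 0, False, "0"),
    "session.use_only_cookies": (parse_bool, True, "On"),
    "session.use_strict_mode": (parse_bool, True, "On"),
    "session.cookie_httponly": (parse_bool, True, "On"),
    "session.cookie_secure": (parse_bool, True, "On"),
    "session.use_trans_sid": (lambda v: not parse_bool(v), True, "Off"),
    "session.cache_limiter": (lambda v: v.lower() == "nocache", False, "nocache"),
    "session.sid_length": (lambda v: 22 <= int(v) <= 256, True, "22 to 256"),
    "session.sid_bits_per_character": (lambda v: int(v) == 5, True, "5"),
}


def audit(settings: dict) -> list:
    """Return (name, current, expected, important) for each deviating directive.

    A directive missing from the file is reported too: PHP's built-in defaults
    for several of them (expose_php, display_errors, the session.* flags) are
    the permissive choice, so "not set" must not be read as "safe".
    """
    findings = []
    for name, (check, important, expected) in RULES.items():
        current = settings.get(name)
        if current is None:
            findings.append((name, "<not set>", expected, important))
            continue
        try:
            ok = check(current)
        except ValueError:  # unparsable value, e.g. memory_limit = -1
            ok = False
        if not ok:
            findings.append((name, current, expected, important))
    return findings


# Constructed sample shaped like a stock php.ini, with a few weak settings left in.
SAMPLE_PHP_INI = """
[PHP]
expose_php = On          ; advertises the PHP version in the X-Powered-By header
display_errors = Off
post_max_size = 8M
max_execution_time = 30
max_input_time = 120
memory_limit = 128M
max_input_vars = 1000
[Session]
session.cookie_lifetime = 0
session.use_only_cookies = 1
session.use_strict_mode = 0
session.cookie_httponly = 1
session.cookie_secure =
session.use_trans_sid = 0
session.cache_limiter = nocache
session.sid_length = 26
session.sid_bits_per_character = 5
"""

if __name__ == "__main__":
    for name, current, expected, important in audit(parse_ini(SAMPLE_PHP_INI)):
        flag = "IMPORTANT" if important else "recommended"
        print(f"[{flag}] {name} = {current!r}, expected {expected}")
```

Run it against the sample and it reports five deviations (expose_php, max_execution_time, memory_limit, session.use_strict_mode and the empty session.cookie_secure), three of them Important. The empty `session.cookie_secure =` line is the case worth remembering: an empty value is false in php.ini, so a line that looks "present" still leaves the cookie usable over plain HTTP.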

Web server

Configuring SSL

warning

For the production environment it is mandatory to configure operation over HTTPS

Leave support for TLS 1.2 and 1.3 only:

ssl_protocols TLSv1.2 TLSv1.3;

Recommended set of cryptographic algorithms (older operating systems and browsers such as IE6 or Windows XP are not supported):

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

HTTP Strict Transport Security

The HTTP Strict Transport Security (HSTS) extension lets a site tell browsers that it must only be accessed over HTTPS.

A man-in-the-middle attack that substitutes the certificate no longer works against such a resource: the browser immediately closes the connection and does not let the user continue with the forged certificate.

The max-age parameter specifies for how many seconds the HSTS header should be cached in the browser. It is recommended to set it at 31536000 (1 year) or higher.

add_header Strict-Transport-Security max-age=31536000;
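To verify that a vhost actually applies the two recommendations above (TLS 1.2/1.3 only, HSTS with a max-age of at least one year), the following script is an added example that is not part of Passwork's documentation or of nginx. It parses a server block, flags legacy protocol versions in `ssl_protocols`, and validates the `Strict-Transport-Security` header value. The two server blocks and the host name are constructed; in practice read the vhost file from the nginx configuration directory (its location varies by distribution).

```python
"""Check an nginx server block for the TLS protocol and HSTS settings recommended above."""
import re

ONE_YEAR = 31536000
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def directives(conf: str) -> list:
    """Tiny nginx tokenizer returning (name, arguments) per directive.

    '#' comments are dropped, braces are treated as statement boundaries, and a
    ';' inside double quotes does not end a statement. Enough for flat vhosts.
    """
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    body = body.replace("{", ";").replace("}", ";")
    out = []
    for stmt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        parts = stmt.strip().split(None, 1)
        if parts:
            out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def header_value(args: str) -> str:
    """Value argument of `add_header NAME VALUE [always]`, quotes removed."""
    split = args.split(None, 1)
    rest = split[1] if len(split) > 1 else ""
    m = re.match(r'"([^"]*)"|\'([^\']*)\'|(\S+)', rest)
    return next(g for g in m.groups() if g is not None) if m else ""


def parse_hsts(value: str) -> dict:
    """Split an HSTS value ('max-age=N; includeSubDomains') into its directives."""
    fields = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            fields[name.lower()] = val.strip()
    return fields


def audit_tls(conf: str) -> list:
    """Return one human-readable finding per deviation from the recommendations."""
    findings = []
    ds = directives(conf)

    protocols = [args for name, args in ds if name == "ssl_protocols"]
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default depends on the version "
                        "and may include TLSv1/TLSv1.1")
    for args in protocols:
        weak = set(args.split()) - ALLOWED_PROTOCOLS
        if weak:
            findings.append(f"ssl_protocols enables {' '.join(sorted(weak))}; "
                            "allow only TLSv1.2 TLSv1.3")

    hsts = [args for name, args in ds
            if name == "add_header" and args.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("Strict-Transport-Security header not set")
    for args in hsts:
        try:
            max_age = int(parse_hsts(header_value(args)).get("max-age", ""))
        except ValueError:  # missing or non-numeric max-age
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age is {max_age}; set {ONE_YEAR} (1 year) or higher")
    return findings


# Constructed vhosts: the first keeps legacy protocols and a short HSTS lifetime,
# the second applies the recommendations from this page.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name passwork.example.test;  # constructed host name
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name passwork.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_tls(conf) or ["no findings"])
```

The weak block yields two findings (legacy protocol versions, one-day HSTS lifetime); the hardened block yields none. The quote-aware split matters because the `;` inside a quoted HSTS value such as `"max-age=31536000; includeSubDomains"` is part of the header, not the end of the nginx statement.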

Setting up Passwork

add_header Public-Key-Pins 'pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; max-age=1512000';

Configuring security settings in config.ini

| Parameter name | Value | Comment |
| --- | --- | --- |
| [crypt] section | | |
| secret | Do not change manually. | Server database encryption key. Generated automatically at the first Passwork launch. |
| disableClientSide | Switch to Off if necessary. | Toggles client-side encryption. Set to On by default. |
| algorithm | Recommended to leave unchanged. | You can specify an encryption algorithm from the OpenSSL library. |
| source | | Allows you to keep the encryption key in a separate file (see the example below the table). |
| [application] section | | |
| csrf | On | Sends a CSRF token with every AJAX request. |
| disableEncodeResponse | Do not specify. | By default the server encodes all client data in base64. The value On disables this mode (for debugging only). |
| [mongo] section | | |
| source | | Allows you to put the connection string in a separate file (see the example below the table). |
| Without section | | |
| devmode | Do not specify. | Enables debugging mode. |

Example of moving the [crypt] key into a separate file:

config/config.ini
…
[crypt]
source = key.ini
…

config/key.ini
[crypt]
secret = base64:…

Example of moving the [mongo] connection string into a separate file:

config/config.ini
…
[mongo]
source = mongo.ini
…

config/mongo.ini
[mongo]
connectionString = mongodb://db
dbname = production
…
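Both `source` examples above (the [crypt] key in key.ini and the [mongo] connection string in mongo.ini) use the same indirection. The loader below is an added example, not Passwork's own code: it reads config.ini, follows `source` for those two sections, and checks that the resolved secret has the `base64:` form shown on the page. Assumptions not stated on the page: the referenced file lives next to config.ini, repeats the section header (as the examples show), and its keys override the same keys in config.ini. All file contents are constructed and written to a temporary directory.

```python
"""Resolve the `source = <file>` indirection used by config.ini for [crypt] and [mongo]."""
import base64
import configparser
import os
import tempfile

SOURCED_SECTIONS = ("crypt", "mongo")  # sections the page shows with `source`


def _read_ini(path: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: connectionString, disableClientSide
    if not cp.read(path):
        raise FileNotFoundError(path)
    return cp


def load_config(path: str) -> dict:
    """config.ini as {section: {key: value}} with sourced files merged in."""
    main = _read_ini(path)
    conf = {s: dict(main[s]) for s in main.sections()}
    base = os.path.dirname(path)
    for section in SOURCED_SECTIONS:
        src = conf.get(section, {}).pop("source", None)
        if src is None:
            continue
        extra = _read_ini(os.path.join(base, src))  # assumption: relative to config.ini
        if section not in extra:
            raise ValueError(f"{src} must contain a [{section}] section")
        conf[section].update(extra[section])  # assumption: sourced keys win
    return conf


def secret_is_well_formed(conf: dict) -> bool:
    """The key the page shows is 'base64:' followed by base64 text."""
    secret = conf.get("crypt", {}).get("secret", "")
    if not secret.startswith("base64:"):
        return False
    try:
        base64.b64decode(secret[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def build_demo() -> str:
    """Write the page's layout into a temp dir with constructed values; return the config.ini path."""
    d = tempfile.mkdtemp(prefix="passwork-cfg-demo-")
    demo_key = base64.b64encode(b"constructed demo key, not a real secret").decode()
    files = {
        "config.ini": "[crypt]\nsource = key.ini\n\n[application]\ncsrf = On\n\n[mongo]\nsource = mongo.ini\n",
        "key.ini": f"[crypt]\nsecret = base64:{demo_key}\n",
        "mongo.ini": "[mongo]\nconnectionString = mongodb://db\ndbname = production\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(d, "config.ini")


if __name__ == "__main__":
    conf = load_config(build_demo())
    print(conf)
    print("secret well-formed:", secret_is_well_formed(conf))
```

After resolution the `source` key itself is gone from each section, and the merged dictionary is what the application would work with. Note that the sectionless `devmode` key cannot be represented in this loader (configparser requires a section header), which is consistent with the table's advice not to specify it.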

Passwork system parameters

| Parameter name | Value | Comment |
| --- | --- | --- |
| Additional protection and cookie signatures | Enable | PHP session cookies are signed using entropy and data from the HTTP request headers, including the user's IP address. This increases protection against session hijacking and against cookies being transferred between browsers. The session is closed automatically when the user's IP address changes. |
| Mandatory two-factor authentication | Enable | All users will be required to configure 2FA before joining. |
| CSRF token lifetime after last activity | 24 | Set in hours. |
| API key rotation | Enable | All client applications will automatically lose their session and require logging in again. |
| Self-recovery of authorisation password | Forbidden | Only a Passwork administrator will be able to reset a user's authorisation password. |
| Automatic logout when inactive | | Passwork will automatically log users out if no requests arrive. |
| Using API | | Allows you to disable use of the API. All client applications (mobile applications, browser extensions) use the API. With the API disabled, users will only be able to log in to the desktop version. |