Security settings

General information

On this page we listed the parameters and recommendations that may affect the security of various Passwork infrastructure components (web server, PHP, database, etc.). Setting maximum values is not always recommended, as it may make Passwork less convenient for end users, as well as cause compatibility issues with older operating systems and components.

warning

Change the values as recommended by Passwork technical support

PHP settings (php.ini)

Parameter name	Value	Important	Comment
expose_php	Off	Yes	Hides PHP version in web server response headers.
display_errors	Off	Yes	Disables the output of PHP error information. Should always be Off, as all errors are written to log files.
post_max_size	10MB		Limits the maximum size of data received from the client, which protects against DOS attacks.
max_execution_time	120 to 600		Maximum script execution time (in seconds).
max_input_time	120		Maximum time to read data from the client (in seconds).
memory_limit	256MB to 2GB		Maximum amount of RAM that the script can use.
max_input_vars	1000		Number of parameters in POST request. You can increase it if you have problems with importing large CSV or JSON files.
session.cookie_lifetime	0		When set to 0, the browser does not store cookies and clears them on restart.
session.use_only_cookies	On	Yes	The session IDs will only be sent through cookies.
session.use_strict_mode	On	Yes	PHP will not accept cookies with a session number that is set by the user and not issued by PHP. Protects against session fixation attacks.
session.cookie_httponly	On	Yes	Denies access to cookies from JavaScript.
session.cookie_secure	On	Yes	Cookies will only be accessible via HTTPS.
session.use_trans_sid	Off	Yes	Prohibits the session ID from being sent via GET parameters.
session.cache_limiter	nocache		Disables the cache.
session.sid_length	22 to 256	Yes	Sets the length of a session ID. A longer number protects the session from being overridden.
session.sid_bits_per_character	5	Yes	Maximum character variation in session ID. '4' (0-9, a-f), '5' (0-9, a-v), '6' (0-9, a-z, A-Z, "-", ","). The value 6 is not supported.
session.cookie_domain			If a single domain name is used, it can be specified in this parameter.

Web server

Configuring SSL

warning

For the production environment it is mandatory to configure operation over HTTPS

Leave support for TLS 1.2 and 1.3 only:

ssl_protocols TLSv1.2 TLSv1.3;

Recommended set of cryptographic algorithms (older operating systems and browsers such as IE6 or Windows XP are not supported):

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

HTTP Strict Transport Security

The HTTP Strict Transport Security extension is designed to support This site works only via HTTPS setting in browsers.

It is no longer possible to attack such a resource using a man-in-the-middle attack, because in case of certificate substitution the browser will immediately close the connection and will not allow you to continue using the forged certificate.

The max-age parameter specifies for how many seconds the HSTS header should be cached in the browser. It is recommended to set it at 31536000 (1 year) or higher.

add_header Strict-Transport-Security max-age=31536000;

Setting up Passwork

add_header Public-Key-Pins 'pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; max-age=1512000';

Configuring security settings in config.ini

Parameter name	Value	Comment
[crypt] section
secret	Do not change manually.	Server database encryption key. Generated automatically at the first Passwork launch
disableClientSide	Switch to Off if necessary.	Toggles clientside encryption. Set to On by default.
algorithm	Recommended to leave unchanged.	You can specify an encryption algorithm from the OpenSSL library.
source		Example config/config.ini … [crypt] source = key.ini … config/key.ini [crypt] secret = base64:….
[application] section
csrf	On	Sends a CSRF token for every AJAX request.
disableEncodeResponse	Do not specify.	By default the server encodes all client data in base64. The value On disables this mode (for debugging only).
[mongo] section
source		Allows you to put the connection string in a separate file config/config.ini … [mongo] source = mongo.ini … config/mongo.ini [mongo] connectionString = mongodb://db dbname = production …
Without section
devmode	Do not specify.	Enables debugging mode

Passwork system parameters

Parameter name	Value	Comment
Additional protection and cookie signatures	Enable	PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP. This increases protection against session hijacking and transfer of cookies between browsers. The session will automatically close when a user's IP gets changed.
Mandatory two-factor authentication	Enable	All users will be required to configure 2FA before joining.
CSRF token lifetime after last activity	24	Set in hours.
API key rotation	Enable	All client applications will automatically lose the session and require logging in again.
Self-recovery of authorisation password	Forbidden	Only Passwork administrator will be able to reset a user's authorisation password
Automatic logout when inactive		Passwork will automatically log users out if no requests come.
Using API		Allows you to disable the use of API. All client applications (mobile applications, browser extensions) use API. With the API disabled, the user will only be able to log in to the desktop version.