Security
This section provides a centralized interface for configuring the overall security settings of the application. Administrators can enable or disable various security procedures, establish password policies, manage file upload permissions, and configure time-stamping server details.
Details
SSL Options
This subsection allows for the configuration of Secure Sockets Layer (SSL) options.
Force SSL?
This setting enforces the exclusive use of the SSL protocol. When enabled, all non-SSL (HTTP) connections are automatically redirected to their secure SSL (HTTPS) counterparts.
Certificate Password
This field requires the password for the SSL certificate. It is only necessary if an SSL certificate has been added.
Certificate
Paste the content of your SSL certificate into this area. The certificate must be in PFX format, and its corresponding password must be provided in the Certificate Password field.
Warning: For compatibility with mobile devices, make sure the entire certificate chain (the SSL certificate and all intermediate issuer certificates) is packaged in the PFX file. Otherwise certain mobile devices cannot build the chain and will fail to validate the SSL certificate.
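A way to check the point in the warning before pasting a bundle, as an added example that is not Emakin's code: it uses the third-party `cryptography` package to build a constructed root, intermediate and server certificate, packages the server key once with the intermediate and once without, and walks each bundle from the end-entity certificate upward, reporting any issuer that is missing. The `trusted_roots` parameter, the demo names and the password are assumptions made for the demonstration.

```python
"""Check that a PFX/PKCS#12 bundle carries the full certificate chain.
Added example using the third-party `cryptography` package; not Emakin code."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def chain_problems(pfx_bytes, password, trusted_roots=()):
    """Return a list of problems found in the bundle (empty means complete).

    Starting at the end-entity certificate, each issuer must be present among
    the bundled certificates until a self-signed certificate or one of the
    caller-supplied trusted roots is reached. Matching is by name only; the
    TLS client verifies signatures, but it cannot do that if a link is absent.
    """
    key, cert, extras = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if key is None or cert is None:
        return ["bundle lacks a private key or an end-entity certificate"]
    bundled = {c.subject.rfc4514_string(): c for c in (extras or [])}
    roots = {r.subject.rfc4514_string() for r in trusted_roots}
    problems, current, visited = [], cert, set()
    while current.subject != current.issuer:          # stop at a self-signed cert
        issuer = current.issuer.rfc4514_string()
        if issuer in visited:
            problems.append(f"issuer loop at {issuer}")
            break
        visited.add(issuer)
        if issuer in roots:
            break                                     # chain ends in a trusted root
        if issuer not in bundled:
            problems.append(f"missing issuer certificate: {issuer}")
            break
        current = bundled[issuer]
    return problems


def _cert(common_name, issuer_cert, subject_key, signer_key, is_ca):
    """Constructed certificate: self-signed when issuer_cert is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )


def build_demo_bundles(password=b"pfx-password"):
    """Return (complete_pfx, incomplete_pfx, root_cert) from constructed keys."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Demo Root CA", None, root_key, root_key, True)
    inter = _cert("Demo Intermediate CA", root, inter_key, root_key, True)
    leaf = _cert("emakin.example", inter, leaf_key, inter_key, False)
    enc = serialization.BestAvailableEncryption(password)
    # Complete: server cert plus the intermediate; incomplete: server cert alone.
    complete = pkcs12.serialize_key_and_certificates(b"emakin", leaf_key, leaf, [inter], enc)
    incomplete = pkcs12.serialize_key_and_certificates(b"emakin", leaf_key, leaf, None, enc)
    return complete, incomplete, root


if __name__ == "__main__":
    complete, incomplete, root = build_demo_bundles()
    print("complete  :", chain_problems(complete, b"pfx-password", [root]) or "ok")
    print("incomplete:", chain_problems(incomplete, b"pfx-password", [root]))
```

For a real bundle, read the PFX bytes from disk and pass the root certificate of your CA as `trusted_roots`; a missing intermediate then shows up as a named problem before any mobile client sees it.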
User Sessions
Single Session
This option restricts users to a single active session at any given time. When enabled, users are prevented from simultaneously logging into the application from multiple devices.
Use Session Cookie
This setting determines whether a session cookie will be utilized.
By default, Emakin employs both local storage and session cookies to mitigate Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. Both tokens must correlate to validate the session's integrity.
It is important to note that some browsers, particularly those in "do-not-track" mode, may block the storage of cookies due to privacy considerations. This can lead to Emakin login failures. Enabling this setting disables all cookie usage, causing all session information to be stored exclusively in the browser's local storage.
Login Token Expiration
This parameter defines the maximum validity period for login tokens. These tokens are used for authentication methods such as email-based or integration-based logins. After this period, the login token becomes invalid and can no longer be used for authentication.
For instance, the "Forgot Password" feature utilizes this setting, and the generated email authentication link will remain valid for the specified duration.
Bearer Token Expiration
This parameter specifies the duration of a user session. These tokens are critical for session control and are automatically renewed in the background just prior to their expiration to maintain continuous user access.
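The two-token scheme described under Use Session Cookie, together with the bearer expiry and background renewal described above, as an added illustration: this is not Emakin's implementation (the page does not specify its token format) but a generic server-side check in which a random value held in an HttpOnly cookie and a bearer token held in browser storage must correlate before a request is accepted. The `SERVER_SECRET`, the token layout and the renewal threshold are assumptions of the example.

```python
"""Illustrative two-token session check with expiry.
Added example; not Emakin's implementation."""
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; a deployment would load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def _sign(user_id, expires_at, cookie_value):
    msg = f"{user_id}.{expires_at}.{cookie_value}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session(user_id, bearer_ttl_seconds, now=None):
    """Return (cookie_value, bearer_token) for a new session.

    The cookie value is random and meant for an HttpOnly session cookie; the
    bearer token (kept in local or session storage and sent in a header)
    carries the expiry and an HMAC that binds it to that cookie value, so
    neither half authenticates a request on its own.
    """
    now = time.time() if now is None else now
    cookie_value = secrets.token_urlsafe(32)
    expires_at = int(now) + int(bearer_ttl_seconds)
    bearer_token = f"{user_id}.{expires_at}.{_sign(user_id, expires_at, cookie_value)}"
    return cookie_value, bearer_token


def validate_session(cookie_value, bearer_token, now=None):
    """Return (user_id, seconds_remaining) or raise PermissionError."""
    now = time.time() if now is None else now
    if not cookie_value or not bearer_token:
        # A cross-site request carries the cookie automatically but no header;
        # a token copied out of browser storage arrives without the HttpOnly cookie.
        raise PermissionError("both the session cookie and the bearer token are required")
    try:
        user_id, exp_text, sig = bearer_token.rsplit(".", 2)
        expires_at = int(exp_text)
    except ValueError:
        raise PermissionError("malformed bearer token")
    if not hmac.compare_digest(_sign(user_id, expires_at, cookie_value), sig):
        raise PermissionError("bearer token does not correlate with the session cookie")
    remaining = expires_at - now
    if remaining <= 0:
        raise PermissionError("bearer token expired")
    return user_id, remaining


def needs_renewal(seconds_remaining, ttl_seconds, fraction=0.1):
    """True when the token is inside the last `fraction` of its lifetime,
    the point at which a client would renew it in the background."""
    return seconds_remaining <= ttl_seconds * fraction


if __name__ == "__main__":
    cookie, bearer = issue_session("alice", 3600)
    print(validate_session(cookie, bearer))
```

When Use Session Cookie is switched on (that is, cookies are disabled), both values would have to live in local storage and travel in headers; they are then readable by any script running in the page, which is the trade-off the setting makes for browsers that block cookies.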
Authentication Storage
This setting determines where generated bearer tokens are stored within the browser:
- Local Storage: Sessions persisted in local storage remain active until the user explicitly logs off or the token's expiration period is reached.
- Session Storage: Sessions stored in session storage are automatically terminated when the browser window is closed.
Audit Log
Retention Duration
This parameter specifies the number of days for which audit log entries are retained in the database. The default retention period is 180 days.
Password Policy
This section enforces a password policy specifically for built-in authentication methods utilizing the Emakin login service.
Minimum Password Length
Defines the minimum number of characters required for a user's password.
Minimum Upper Case (A..Z) Letters
Specifies the minimum number of uppercase letters (A-Z) that must be included in a password.
Minimum Numeric (0..9) Letters
Specifies the minimum number of numeric characters (0-9) that must be included in a password.
Minimum Lower Case (a..z) Letters
Specifies the minimum number of lowercase letters (a-z) that must be included in a password.
Required Chars
Allows for the entry of specific characters that must be present in the password.
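The five settings above combined into one check, as an added example that is not Emakin's code: the default values in `PasswordPolicy` are constructed, and letters are counted against the ASCII ranges the settings name.

```python
"""Password policy check mirroring the Password Policy settings.
Added example, not Emakin's code; the default values below are constructed."""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 12          # Minimum Password Length
    min_upper: int = 1            # Minimum Upper Case (A..Z) Letters
    min_numeric: int = 1          # Minimum Numeric (0..9) Letters
    min_lower: int = 1            # Minimum Lower Case (a..z) Letters
    required_chars: str = ""      # Required Chars, e.g. "!#"


def check_password(password, policy):
    """Return the rules the password violates; an empty list means it passes.

    Letters are counted against the ASCII ranges named in the settings (A..Z,
    a..z, 0..9), so accented or non-Latin letters do not satisfy those counts.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters required")
    rules = (
        ("upper-case (A..Z)", policy.min_upper, string.ascii_uppercase),
        ("numeric (0..9)", policy.min_numeric, string.digits),
        ("lower-case (a..z)", policy.min_lower, string.ascii_lowercase),
    )
    for label, minimum, alphabet in rules:
        found = sum(1 for c in password if c in alphabet)
        if found < minimum:
            problems.append(f"at least {minimum} {label} letters required, found {found}")
    missing = [c for c in policy.required_chars if c not in password]
    if missing:
        problems.append("missing required characters: " + " ".join(missing))
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_numeric=2, required_chars="!#")
    for candidate in ("Correct-Horse-42!#", "password"):
        print(candidate, "->", check_password(candidate, policy) or "ok")
```

Returning every violated rule rather than stopping at the first lets the login form show the user the whole list at once; the check itself belongs on the server, since, as the section notes, it applies to the built-in login service.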
Files
Antivirus Service URL
Specifies the URL for the antivirus scanner service.
Currently, only ClamAV (https://www.clamav.net/) is supported. An example service URL is tcp://hostname:3310.
The antivirus definition database is updated from https://database.clamav.net. Make sure ClamAV can reach this URL before enabling the antivirus feature.
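The service URL form tcp://hostname:3310 is clamd's TCP listener. The following added example (not Emakin's code) parses that URL, performs clamd's PING/PONG reachability check from the application side, which complements the database-connectivity check above, and scans an in-memory upload with clamd's INSTREAM command; the hostname and the sample replies in the test are constructed.

```python
"""clamd reachability check and stream scan over tcp://host:port.
Added example (not Emakin code); uses clamd's PING and INSTREAM commands."""
import socket
import struct
from urllib.parse import urlparse

CLAMD_DEFAULT_PORT = 3310


def parse_clamd_url(url):
    """Turn the configured tcp://hostname:3310 form into a (host, port) pair."""
    parts = urlparse(url)
    if parts.scheme != "tcp" or not parts.hostname:
        raise ValueError(f"expected tcp://hostname[:port], got {url!r}")
    return parts.hostname, parts.port or CLAMD_DEFAULT_PORT


def frame_instream(data, chunk_size=8192):
    """Encode bytes as an INSTREAM request: the command, then length-prefixed
    (big-endian uint32) chunks, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        out += struct.pack(">L", len(chunk)) + chunk
    out += struct.pack(">L", 0)
    return bytes(out)


def parse_scan_reply(reply):
    """Map clamd's reply ('stream: OK', 'stream: <name> FOUND', '... ERROR')
    to a (status, detail) pair."""
    text = reply.rstrip(b"\0").decode("utf-8", errors="replace").strip()
    if text.endswith(" OK") or text == "OK":
        return "clean", None
    if text.endswith(" FOUND"):
        name = text.split(": ", 1)[-1][: -len(" FOUND")]
        return "infected", name
    return "error", text


def _read_reply(sock):
    """Read until the NUL terminator that the 'z' command prefix asks for."""
    buf = bytearray()
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return bytes(buf)


def clamd_ping(url, timeout=5.0):
    """True if clamd answers PING with PONG; a cheap check before enabling the feature."""
    with socket.create_connection(parse_clamd_url(url), timeout=timeout) as sock:
        sock.sendall(b"zPING\0")
        return _read_reply(sock).rstrip(b"\0") == b"PONG"


def clamd_scan_bytes(url, data, timeout=30.0):
    """Scan an in-memory upload without writing it to disk."""
    with socket.create_connection(parse_clamd_url(url), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        return parse_scan_reply(_read_reply(sock))


if __name__ == "__main__":
    url = "tcp://clamav.internal:3310"          # constructed hostname
    print("reachable:", clamd_ping(url))
    print("scan:", clamd_scan_bytes(url, b"hello"))
```

Anything other than OK or FOUND (for instance the reply clamd sends when its stream size limit is exceeded) comes back as an error; treat an error as a failed scan rather than a clean file.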
Allowed File Types
This setting provides control over the types of files that users can upload into the application. Exercise caution when configuring this section: specifying file types under "Allowed" will exclusively permit those types, while specifying types under "Denied" will prevent the upload of those types, permitting all others.
Extension
Specify the file extension (e.g., pdf, docx) for the file type you wish to allow or deny.
Mime Type
Specify the MIME type (e.g., application/pdf, application/vnd.openxmlformats-officedocument.wordprocessingml.document) for the file type you wish to allow or deny.
If not explicitly configured, Emakin enforces a default policy that denies the upload of the following file types:
Default Denied File Extensions:
- htm, html
- exe, dll, app, jar
- asp, aspx, php, jsp
- bat, cmd, sh, cgi
- js, vb, vbs, wsf, wsc, wsh
- htaccess, lnk, url
Default Denied MIME Types:
- text/html
- image/svg+xml
- application/vnd.wap.xhtml+xml
- application/x-xpinstall
- application/x-shockwave-flash
- application/javascript
- application/x-bsh, application/x-sh, application/x-shar, text/x-script.sh
- text/php, text/x-php, application/php, application/x-php, application/x-httpd-php, application/x-httpd-php-source
- application/x-dosexec, application/x-msdownload, application/exe, application/x-exe, application/dos-exe, vms/exe, application/x-winexe, application/msdos-windows, application/x-msdos-program
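The allow/deny logic of this section with the default lists above as data, as an added example that is not Emakin's code. The semantics it assumes: an entry matches an upload when each of its configured fields (extension and/or MIME type) matches; when an Allowed list is configured only matching uploads pass; the Denied list, or the default one when nothing is configured, blocks matches. Extensions are compared case-insensitively on the last suffix, and the declared Content-Type is compared without its parameters.

```python
"""Upload file-type allow/deny check (added example, not Emakin's code)."""
import posixpath
from dataclasses import dataclass, field

# Default denied lists as documented above.
DEFAULT_DENIED_EXTENSIONS = (
    "htm", "html", "exe", "dll", "app", "jar", "asp", "aspx", "php", "jsp",
    "bat", "cmd", "sh", "cgi", "js", "vb", "vbs", "wsf", "wsc", "wsh",
    "htaccess", "lnk", "url",
)
DEFAULT_DENIED_MIME_TYPES = (
    "text/html", "image/svg+xml", "application/vnd.wap.xhtml+xml",
    "application/x-xpinstall", "application/x-shockwave-flash", "application/javascript",
    "application/x-bsh", "application/x-sh", "application/x-shar", "text/x-script.sh",
    "text/php", "text/x-php", "application/php", "application/x-php",
    "application/x-httpd-php", "application/x-httpd-php-source",
    "application/x-dosexec", "application/x-msdownload", "application/exe",
    "application/x-exe", "application/dos-exe", "vms/exe", "application/x-winexe",
    "application/msdos-windows", "application/x-msdos-program",
)


@dataclass(frozen=True)
class FileType:
    """One Allowed/Denied entry; either field may be left empty."""
    extension: str = ""
    mime_type: str = ""

    def matches(self, ext, mime):
        if not self.extension and not self.mime_type:
            return False
        return ((not self.extension or self.extension.lower() == ext)
                and (not self.mime_type or self.mime_type.lower() == mime))


@dataclass
class FileTypePolicy:
    allowed: list = field(default_factory=list)
    denied: list = field(default_factory=list)


DEFAULT_POLICY = FileTypePolicy(
    denied=[FileType(extension=e) for e in DEFAULT_DENIED_EXTENSIONS]
    + [FileType(mime_type=m) for m in DEFAULT_DENIED_MIME_TYPES]
)


def normalize_extension(filename):
    """Last suffix of the base name, lower-cased; dotfiles such as .htaccess
    yield their whole name."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name.startswith(".") and "." not in name[1:]:
        return name[1:].lower()
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def normalize_mime(content_type):
    """Drop parameters such as '; charset=utf-8' and lower-case the type."""
    return content_type.split(";", 1)[0].strip().lower()


def is_upload_allowed(filename, content_type, policy=DEFAULT_POLICY):
    ext = normalize_extension(filename)
    mime = normalize_mime(content_type)
    if policy.allowed and not any(t.matches(ext, mime) for t in policy.allowed):
        return False                      # Allowed list is exclusive
    return not any(t.matches(ext, mime) for t in policy.denied)


if __name__ == "__main__":
    for name, ctype in (("report.pdf", "application/pdf"), ("index.html", "text/html")):
        print(name, ctype, "->", "allowed" if is_upload_allowed(name, ctype) else "denied")
```

The MIME type is declared by the uploading client, so an extension entry is the more dependable half of a rule; and since an explicitly configured Denied list may replace rather than extend the defaults, confirm in your deployment that the default entries are still in force after customizing the section.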
Time Stamping
This section is dedicated to configuring connection information for time-stamping servers, which are utilized by electronic signature applications (e.g., Kolay İmza).
TimeStamp Url
The URL of the time-stamping server.
Timestamp Server User
The username required for authentication with the time-stamping server.
Timestamp Server Password
The password required for authentication with the time-stamping server.
Data Encryption
This section governs the application's data encryption preferences. By default, form data and the content of uploaded files are stored in the database unencrypted, so anyone with direct database access, such as a database administrator, can read user data in the clear.
When data encryption is enabled, all user data contained within forms and uploaded files is stored in an encrypted format. This ensures that even with direct database access, system administrators cannot decrypt the stored information.
It is important to note that when encryption is enabled, pre-existing data stored without encryption will remain unencrypted. Only newly stored data will be encrypted. Conversely, if encryption is subsequently disabled, you will still retain access to previously encrypted data, but any new data will be stored without encryption.
Encrypt Form Data
Enables or disables the encryption of form data.
Encrypt Files
Enables or disables the encryption of uploaded file contents.