Skip to content

Security

This section provides a centralized interface for configuring the overall security settings of the application. Administrators can enable or disable various security procedures, establish password policies, manage file upload permissions, and configure time-stamping server details.

Details

SSL Options

This subsection allows for the configuration of Secure Sockets Layer (SSL) options.

SSL Options Configuration

Force SSL?

This setting enforces the exclusive use of the SSL protocol. When enabled, all non-SSL (HTTP) connections are automatically redirected to their secure SSL (HTTPS) counterparts.

Certificate Password

This field requires the password for the SSL certificate. It is only necessary if an SSL certificate has been added.

Certificate

Paste the content of your SSL certificate into this area. The certificate must be in PFX format, and its corresponding password must be provided in the Certificate Password field.

Warning

For optimal compatibility with mobile devices, it is imperative to ensure that the entire certificate chain (including the SSL certificate and all intermediate issuer certificates) is packaged within the PFX format. Failure to do so may result in validation errors on certain mobile devices, preventing successful SSL certificate validation.

User Sessions

User Sessions Configuration

Single Session

This option restricts users to a single active session at any given time. When enabled, users are prevented from simultaneously logging into the application from multiple devices.

This setting determines whether a session cookie will be utilized.

By default, Emakin employs both local storage and session cookies to mitigate Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. Both tokens must correlate to validate the session's integrity.

It is important to note that some browsers, particularly those in "do-not-track" mode, may block the storage of cookies due to privacy considerations. This can lead to Emakin login failures. Enabling this setting disables all cookie usage, causing all session information to be stored exclusively in the browser's local storage.

Login Token Expiration

This parameter defines the maximum validity period for login tokens. These tokens are used for authentication methods such as email-based or integration-based logins. After this period, the login token becomes invalid and can no longer be used for authentication.

For instance, the "Forgot Password" feature utilizes this setting, and the generated email authentication link will remain valid for the specified duration.

Bearer Token Expiration

This parameter specifies the duration of a user session. These tokens are critical for session control and are automatically renewed in the background just prior to their expiration to maintain continuous user access.

Authentication Storage

This setting determines where generated bearer tokens are stored within the browser:

  • Local Storage: Sessions persisted in local storage remain active until the user explicitly logs off or the token's expiration period is reached.
  • Session Storage: Sessions stored in session storage are automatically terminated when the browser window is closed.

Audit Log

Retention Duration

This parameter specifies the number of days for which audit log entries are retained in the database. The default retention period is 180 days.

Password Policy

This section enforces a password policy specifically for built-in authentication methods utilizing the Emakin login service.

Password Policy Configuration

Minimum Password Length

Defines the minimum number of characters required for a user's password.

Minimum Upper Case (A..Z) Letters

Specifies the minimum number of uppercase letters (A-Z) that must be included in a password.

Minimum Numeric (0..9) Letters

Specifies the minimum number of numeric characters (0-9) that must be included in a password.

Minimum Lower Case (a..z) Letters

Specifies the minimum number of lowercase letters (a-z) that must be included in a password.

Required Chars

Allows for the entry of specific characters that must be present in the password.

Files

Antivirus Service URL

Specifies the URL for the antivirus scanner service.

Currently, only https://www.clamav.net/ is supported. An example service URL can be provided as tcp://hostname:3310.

The antivirus definition database is updated from https://database.clamav.net. It is essential to ensure that ClamAV has connectivity to this URL before enabling the antivirus feature.

Allowed File Types

This setting provides control over the types of files that users can upload into the application. Exercise caution when configuring this section: specifying file types under "Allowed" will exclusively permit those types, while specifying types under "Denied" will prevent the upload of those types, permitting all others.

Allowed/Denied File Types Configuration

Extension

Specify the file extension (e.g., pdf, docx) for the file type you wish to allow or deny.

Mime Type

Specify the MIME type (e.g., application/pdf, application/vnd.openxmlformats-officedocument.wordprocessingml.document) for the file type you wish to allow or deny.

If not explicitly configured, Emakin enforces a default policy that denies the upload of the following file types:

Default Denied File Extensions:

  • htm, html
  • exe, dll, app, jar
  • asp, aspx, php, jsp
  • bat, cmd, sh, cgi
  • js, vb, vbs, wsf, wsc, wsh
  • htaccess, lnk, url

Default Denied MIME Types:

  • text/html
  • image/svg+xml
  • application/vnd.wap.xhtml+xml
  • application/x-xpinstall
  • application/x-shockwave-flash
  • application/javascript
  • application/x-bsh, application/x-sh, application/x-shar, text/x-script.sh
  • text/php, text/x-php, application/php, application/x-php, application/x-httpd-php, application/x-httpd-php-source
  • application/x-dosexec, application/x-msdownload, application/exe, application/x-exe, application/dos-exe, vms/exe, application/x-winexe, application/msdos-windows, application/x-msdos-program

Time Stamping

This section is dedicated to configuring connection information for time-stamping servers, which are utilized by electronic signature applications (e.g., Kolay Ä°mza).

Time Stamping Configuration

TimeStamp Url

The URL of the time-stamping server.

Timestamp Server User

The username required for authentication with the time-stamping server.

Timestamp Server Password

The password required for authentication with the time-stamping server.

Data Encryption

This section governs the application's data encryption preferences. By default, form data and the content of uploaded files are stored in the database without encryption. This allows database administrators to easily access unencrypted user data.

When data encryption is enabled, all user data contained within forms and uploaded files is stored in an encrypted format. This ensures that even with direct database access, system administrators cannot decrypt the stored information.

It is important to note that when encryption is enabled, pre-existing data stored without encryption will remain unencrypted. Only newly stored data will be encrypted. Conversely, if encryption is subsequently disabled, you will still retain access to previously encrypted data, but any new data will be stored without encryption.

Encrypt Form Data

Enables or disables the encryption of form data.

Encrypt Files

Enables or disables the encryption of uploaded file contents.