The menu General allows the configuration of general formcycle settings like cache configurations or upload limits.
Contents
Security
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter 0 as the value.
Iframe integration
By default, formcycle blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the frame-ancestors directive of the Content-Security-Policy HTTP header, see for example mdn web docs for an in-depth descrption of the allowed values.
Password policies
For configuration of system-wide password policies, see System-wide settings of the user administration.
Two-factor authentication
For configuration of system-wide settings for two-factor authentication, see Two-factor authentication.
Super user login
For configuration of the super user login, see System-wide settings of the user administration.
User profiles
For configuration of system-wide settings related to user profiles, see System-wide settings of the user administration.
User search
For configuration of the system-wide user search, see System-wide settings of the user administration.
Referrer policy
This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.
Session cookie settings
The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.
Content-Security-Policy
Ermöglicht es, weitere Werte zum Content-Security-Policy-Header hinzuzufügen. Für Backend (Verwaltungsoberfläche, Designer, Postfach) und für Frontend (Webformulare) können verschiedene Werte hinterlegt werden.
Lets you add additional policies to the Content-Security-Policy header. Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
For a list of available policies, see e.g. this Mozilla page.
Upload validation
8.1.0
You can change the system-widget settings for validation uploads here.
When enabled, the system inspects the binary data of each uploaded file and detects the content type of that data, e.g. "image/png". Next, the system retrieves a list of allowed content type from the file's extension, e.g. "image/jpeg" and "image/jp2" when the file is named "image.jpg". Finally, the system compares the detected content type against the allowed content types. The file is rejected if the list of allowed content types do not contain the detected file type.
Note: When the file is detected as "text/plain", the system allows it whenever the list of allowed content types contain a content type that starts with "text/".
Optionally, you can
- allow unknown content types. Activating this option allows the upload of files whose file type is unknown in the system. Otherwise, uploads of unknown types are rejected. Specifically, when enabled, the system additionally allows a file when both of following hold true: (a) no content type could be detected; and (b) no allowed content types were defined for the file name extension.
- define additional content types. For each extension (without a period), enter the expected content type for that file extension.
Protocol
Automatic deletion of protocol entries
Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of the day all protocol entries are deleted that are older than the specified number of days. By using the "clear now" button all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the amount of automatically deleted protocol entries.
Generated protocol entries
Add protocol entry when an automatic form submission by a bot was detected- FORMCYCLE tries to detect attempts by machines (bots) to submit forms automatically. When a bot was detected, the submission is blocked. If this option is enabled, a processing protocol entry is created.
Add protocol entry when attempting to submit a form with an invalid submit button- You can add buttons to a form that allows users to submit the form. Within the workflow, you can check whether a certain buttons was pressed and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing protocol entry is created when a form was submitted with an invalid submit button.
Limits
Form and file cache
The file cache stores files used by the system, the form cache stores rendered HTML forms.
Property | Default value | Explanation |
---|---|---|
Max disk size | -1 | Maximum size in MB of what the form cache stores in the file system. No limit when set to -1. If set to 0, the file system is not used by the cache. |
Max Heap size | 75 | Maximum size in MB of what the form cache stores in-memory. If set to 0, the in-memory form cache is disabled. |
Time to idle | 0 | Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to 0 to disable. |
Property | Default value | Explanation |
---|---|---|
Max disk size | -1 | Maximum size in MB of what the file cache stores in the file system. No limit when set to-1. If set to 0, the file system is not used by the cache. |
Max heap size | 75 | Maximum size in MB of what the file cache stores in-memory. If set to 0, the in-memory file cache is disabled. |
Time to idle | 0 | Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to 0 to disable. |
System limits
Property | Default value | Explanation |
---|---|---|
Disk usage threshold | 0 | This is the size threshold in bytes beyond which files are written directly to disk. |
Limit per file | Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to -1 or no value to disable. This settings applies to both form uploads as well as backend uploads. | |
Total upload limit | The total allowed size of simultaneously uploaded files. This setting does not apply when multiple files are uploaded individually. When the user submits a form, this is the maximum allowed post size. Set to -1 or no value to disable. | |
Maximum database query row count | 5000 | Maximum number of returned rows for a query to the database. Set to 0 to disable. |
database field size limit | 0 | Maximum size in bytes when retrieving columns of type character (eg. char or varchar) or binary. Set to 0 to disable. |
Configuration
Loopback URL
Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).
Automatic check for plugin updates
System and client plugins can be regularly checked for updates. The time and the check can be deactivated here. In addition, a check can be carried out manually via the button. If updates are available, notifications are visible in the notification area (bell symbol).
License
Allow automatic license update through external notifications- When this option is enabled, one can trigger a license update via an HTTP request to http://example.com/formcycle/license/notify?key=LICENSE_KEY, where http://example.com/formcycle should be replaced with the actual URL of the FORMCYCLE server and LICENSE_KEY should be replaced with the license key of the license to update.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article