
General

Modified on Tue, 21 Jan at 1:01 PM

The menu General allows the configuration of general formcycle settings like cache configurations or upload limits.




Configuration of general formcycle settings.


Security

HTTP Strict Transport Security (HSTS)



HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that prevents the connection encryption from being disabled by downgrade attacks, and also guards against session hijacking. If you need to support HTTP, enter 0 as the value.


Iframe integration


You can optionally whitelist third-party pages that should be allowed to include backend pages via iframes.


By default, formcycle blocks any attempts by third-party pages to include backend pages as iframes due to security concerns. In case it becomes necessary to include backend pages as an iframe, you can whitelist allowed third-party pages in this menu. The values you enter here are used for the frame-ancestors directive of the Content-Security-Policy HTTP header, see for example mdn web docs for an in-depth description of the allowed values.

Password policies

For configuration of system-wide password policies, see System-wide settings of the user administration.



Two-factor authentication

For configuration of system-wide settings for two-factor authentication, see Two-factor authentication.



Super user login

For configuration of the super user login, see System-wide settings of the user administration.



User profiles

For configuration of system-wide settings related to user profiles, see System-wide settings of the user administration.



User search

For configuration of the system-wide user search, see System-wide settings of the user administration.


Referrer policy



This header entry can be used to control which referrer information is passed on when performing a redirect to an external page. The referrer informs the external page about which page a user came from. Please note that privacy and security issues may arise when passing on the URL to the external page.


If possible, we recommend you make the settings for the session cookie as strict as possible and require HTTPS.


The session cookie identifies a user session and keeps track of the user while they are logged in. Here you can change whether the session cookie should be limited to HTTPS connections (Secure) and whether it should be transmitted to third-party sites (SameSite). We recommend you activate the Secure flag when you solely use HTTPS. Allowing the session cookie on third-party pages is necessary for some use cases such as embedding forms via AJAX into external pages.


Content-Security-Policy



Lets you add further values to the Content-Security-Policy header. Different values can be specified for the backend (administration interface, designer, inbox) and for the frontend (web forms).


Lets you add additional policies to the Content-Security-Policy header. Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. A primary goal of CSP is to mitigate and report XSS attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts.


For a list of available policies, see e.g. this Mozilla page.
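To confirm that the security settings described above (HSTS, iframe integration, referrer policy, session cookie) actually reach the browser, the response headers of a backend page can be checked. The following is an added example, not formcycle code: the cookie name JSESSIONID, the mapping of the HSTS value to max-age, and the sample responses are assumptions.

```python
import re

FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def audit(headers, trusted_ancestors=(), cookie="JSESSIONID"):
    """headers: (name, value) pairs of one backend response. Returns sorted finding
    codes. The cookie name is an assumption (servlet default), not from the page."""
    get = lambda name: [v for k, v in headers if k.lower() == name]
    findings = set()
    # HSTS: a missing header or max-age=0 leaves plain HTTP usable.
    age = re.search(r"max-age\s*=\s*(\d+)", " ".join(get("strict-transport-security")), re.I)
    if not age or int(age.group(1)) == 0:
        findings.add("hsts-off")
    # Iframe integration: frame-ancestors may list only the pages that were whitelisted.
    ancestors = None
    for policy in get("content-security-policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                ancestors = set(parts[1:])  # last one seen wins (simplification)
    if ancestors is None:
        findings.add("frame-ancestors-missing")
    elif ancestors - {"'none'", "'self'"} - set(trusted_ancestors):
        findings.add("frame-ancestors-unexpected")
    # Referrer policy: these two values pass the full URL to external pages.
    policies = [p.strip().lower() for v in get("referrer-policy") for p in v.split(",")]
    if not policies:
        findings.add("referrer-policy-missing")
    elif policies[-1] in FULL_URL_POLICIES:
        findings.add("referrer-full-url")
    # Session cookie: Secure limits it to HTTPS, SameSite=None sends it cross-site.
    for value in get("set-cookie"):
        name, _, rest = value.partition("=")
        if name.strip() == cookie:
            attrs = [a.strip().lower() for a in rest.split(";")[1:]]
            if "secure" not in attrs:
                findings.add("cookie-not-secure")
            if "samesite=none" in attrs:
                findings.add("cookie-third-party")
    return sorted(findings)

# Constructed sample responses (not captured from a real server).
STRICT = [("Strict-Transport-Security", "max-age=31536000"),
          ("Content-Security-Policy", "frame-ancestors 'self' https://intranet.example.com"),
          ("Referrer-Policy", "strict-origin-when-cross-origin"),
          ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("Content-Security-Policy", "frame-ancestors *"),
        ("Referrer-Policy", "unsafe-url"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/; SameSite=None")]
```

An empty result means the strict settings are in effect; pass the whitelisted iframe origins as trusted_ancestors so that only unexpected ones are reported.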


Upload validation

8.1.0



The content type check ensures that the file content matches the file extension.


You can change the system-wide settings for validating uploads here. They affect all files that are uploaded, including those uploaded in the backend and in web forms. There is no restriction on the type of files, i.e. all files are allowed. However, the validation ensures that the file content matches the file extension. For example, to upload PDF files, the file name must end with ".pdf" (otherwise the uploaded file gets rejected).


The content type check makes use of the library Apache Tika, which already recognizes many file types reliably.


In most cases, you do not need to add any manual configuration. However, some special file types may not get recognized correctly. In that case, you can adjust the settings in this section.


More precisely, the content type check works as follows. First, the system inspects the content of the uploaded file and determines its MIME type (e.g. "font/ttf"). Next, the system compares this recognized MIME type against the file extension (e.g. .ttf), by querying Apache Tika for a list of MIME types for the file extension (e.g. "font/ttf" and "application/x-font-ttf"). If there is a mismatch between the file content and the file extension, the system rejects the uploaded file.


Note: When the file is detected as "text/plain", the system allows the file whenever the list of allowed content types contains a content type that starts with "text/". This is done because it is, in general, hard to distinguish between plain text files such as JavaScript, CSS, or SQL scripts based solely on their text content.


Optionally, you can

  • allow unknown content types. Activating this option allows the upload of files whose file type is unknown in the system. Otherwise, uploads of unknown types are rejected. Specifically, when enabled, the system additionally allows a file when both of the following hold true: (a) no content type could be detected; and (b) no allowed content types were defined for the file name extension.
  • define additional content types. For each extension (without a period), enter the expected content type for that file extension. To associate a file extension with multiple MIME types, add multiple rows with the same extension.
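The decision rules described above (match against the extension's MIME types, the "text/plain" exception, the unknown-type option and additional content type rows) can be modelled as follows. This is an added example, not formcycle code: the type map stands in for the Apache Tika lookup, None stands for "no content type could be detected", and the .cad type is hypothetical.

```python
# Constructed stand-in for the extension -> MIME types list that the page says is
# obtained from Apache Tika; only the .ttf row comes from the page's own example.
BUILTIN_TYPES = {
    "ttf": {"font/ttf", "application/x-font-ttf"},
    "pdf": {"application/pdf"},
    "js": {"text/javascript", "application/javascript"},
}

def allowed_types(filename, additional=()):
    """Allowed MIME types for the file name's extension, including admin-defined
    (extension, MIME type) rows; several rows may share one extension."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    allowed = set(BUILTIN_TYPES.get(ext, ()))
    allowed |= {mime for row_ext, mime in additional if row_ext.lower() == ext}
    return allowed

def check_upload(filename, detected, additional=(), allow_unknown=False):
    """Return (accepted, reason). `detected` is the MIME type recognised from the
    file content, or None when nothing could be detected (modelling assumption)."""
    allowed = allowed_types(filename, additional)
    if detected is None:
        # The option applies only when (a) nothing was detected AND
        # (b) no allowed types are defined for the extension.
        if allow_unknown and not allowed:
            return True, "unknown type allowed by option"
        return False, "content type could not be detected"
    if detected in allowed:
        return True, "content matches extension"
    if detected == "text/plain" and any(t.startswith("text/") for t in allowed):
        return True, "text/plain accepted for a text/* extension"
    return False, "content does not match extension"

# Hypothetical extra row, as an administrator would enter it (extension without period).
EXTRA_ROWS = [("cad", "application/x-example-cad")]
```

Note the two edge cases: a recognised type under an extension with no allowed types is still rejected with the option enabled, because condition (a) fails, and an undetectable file named ".pdf" is rejected because condition (b) fails.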


Protocol

Automatic deletion of protocol entries



Protocol entries (from processes, clients, system) that are outdated can be deleted automatically. At a specified time of day, all protocol entries that are older than the specified number of days are deleted. By using the "clear now" button, all protocol entries can also be deleted instantly. After the automatic deletion of protocol entries, a new protocol entry is created containing information about the number of automatically deleted protocol entries.


Generated protocol entries

These settings let you enable or disable certain types of protocol entries.

Add protocol entry when an automatic form submission by a bot was detected
FORMCYCLE tries to detect attempts by machines (bots) to submit forms automatically. When a bot was detected, the submission is blocked. If this option is enabled, a processing protocol entry is created.

Add protocol entry when attempting to submit a form with an invalid submit button
You can add buttons to a form that allow users to submit the form. Within the workflow, you can check whether a certain button was pressed and run certain actions depending on which button was pressed. Starting with version 7, it is possible to validate whether the submit button actually existed in the form, which helps prevent form records from being manipulated. If this option is enabled, a processing protocol entry is created when a form was submitted with an invalid submit button.

Limits

Form and file cache


You can change the form and file cache size, which may be necessary when you have many forms, or you can deactivate the cache for testing purposes.



The file cache stores files used by the system, the form cache stores rendered HTML forms.

Property | Default value | Explanation
Max disk size | -1 | Maximum size in MB of what the form cache stores in the file system. No limit when set to -1. If set to 0, the file system is not used by the cache.
Max heap size | 75 | Maximum size in MB of what the form cache stores in-memory. If set to 0, the in-memory form cache is disabled.
Time to idle | 0 | Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to 0 to disable.


Property | Default value | Explanation
Max disk size | -1 | Maximum size in MB of what the file cache stores in the file system. No limit when set to -1. If set to 0, the file system is not used by the cache.
Max heap size | 75 | Maximum size in MB of what the file cache stores in-memory. If set to 0, the in-memory file cache is disabled.
Time to idle | 0 | Time interval in seconds until an item in the form cache is removed when it is never accessed during that time interval. Set to 0 to disable.


System limits



Property | Default value | Explanation
Disk usage threshold | 0 | This is the size threshold in bytes beyond which files are written directly to disk.
Limit per file | | Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to -1 or no value to disable. This setting applies to both form uploads as well as backend uploads.
Total upload limit | | The total allowed size of simultaneously uploaded files. This setting does not apply when multiple files are uploaded individually. When the user submits a form, this is the maximum allowed post size. Set to -1 or no value to disable.
Maximum database query row count | 5000 | Maximum number of returned rows for a query to the database. Set to 0 to disable.
Database field size limit | 0 | Maximum size in bytes when retrieving columns of type character (e.g. char or varchar) or binary. Set to 0 to disable.


Configuration

Loopback URL



Some features (such as form preview images or PDF print) require the server to open a form. In cluster configurations or environments in which the internal and external domains are different, this parameter is used to configure the internal availability (e.g. http://localhost:8080/formcycle).

Automatic check for plugin updates



System and client plugins can be regularly checked for updates. The time and the check can be deactivated here. In addition, a check can be carried out manually via the button. If updates are available, notifications are visible in the notification area (bell symbol).


License

Here you can change certain settings related to the license.

Allow automatic license update through external notifications
When this option is enabled, one can trigger a license update via an HTTP request to http://example.com/formcycle/license/notify?key=LICENSE_KEY, where http://example.com/formcycle should be replaced with the actual URL of the FORMCYCLE server and LICENSE_KEY should be replaced with the license key of the license to update.
