Environment Administration

Estimated Reading Time:  20 minutes

Overview

Environment Administration is where you can customize environment-related settings. For example, you can set up performance tracking, customize the site name, or set password requirements. Environment Administration is where you'll make all changes and customizations to your environment.

Environment Levels in Unqork

Environment levels (or stages) in Unqork support each phase of building and rendering applications. As customer applications advance through development, they generally pass through the following levels:

1. Staging (Codebase: Staging)

Where Unqork Creators configure applications. Creators, also known as Unqork Users or Designer Users, are anyone inside the Unqork platform. This non-production environment level hosts test data only. This level is where you prepare updates before promoting to QA for testing.

Unqork hosts the Staging environment internally. Staging offers both a Designer and Express View interface.

2. Quality Assurance (QA) (Codebase: QA)

Where Unqork Creators test and verify processes, artifacts, and ensure applications are built using best practices. This non-production environment level hosts test data only.

Unqork hosts the QA environment internally. QA offers both a Designer and Express View interface.

3. User Acceptance Testing (UAT) (Codebase: UAT)

Where the Creators and end-users can view the latest build. End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. Use this environment level to test your application's end-user experience. This non-production environment hosts test data only.

Unqork hosts the UAT environment internally. UAT offers both a Designer and Express View interface.

4. Production (Codebase: Production)

This is the live application and the only environment level where end-users can access it. This level is also the only environment to host live client data.

IMPORTANT  Following SDLC best practices, development should never take place in Production.

NOTE  Additional environments can also include Pre-Production (Pre-Prod) environment levels. Pre-Prod environments use the Production codebase. The progression order is Staging, QA, UAT, Pre-Prod, and Production. Client leads decide the number of environments to use when developing a customer application.

TIP  To learn more about environment stages, including the release process for platform updates, view our Software Development Life Cycle Processes article.

What You'll Learn

In this article, you'll learn about the organization of the Environment Administration page and how to customize your environment.

Accessing Environment Administration

To access the Environment Administration page:

1. At the top right of the Unqork Designer Platform, click Settings ▾.
2. Click Administration.
3. Under Environment, select Environment Administration.

A static image displaying Unqork's Environment Administration.

After accessing the page, you'll see various settings and options you can use to customize your environment. The remainder of this article navigates you through these settings and teaches you how to use them.

Environment Administration Organization

This administration page is organized into twelve sections. Each section focuses on specific settings you can enable and disable to customize your environment. Click on the links below to navigate to a specific section of the article:

General

Google Tag Manager

Unqork API

Authentication

API Rate Limiting

Execution Limit

Express Session Administration

Express Content Security Policy (CSP)

Offline Mode

User Account Lockout

Express User Account Password

Component Security

General

This section focuses on the general settings you can use to customize your environment. These settings include creating a site name, enabling custom login and logout modules, and determining if you want to capture all request and response bodies. Click the links below to navigate to a setting, understand its purpose, and learn how to use it.

Site Name

Hide Preview Bar by Default

PagerDuty Key

Enable Custom Login/Logout Modules

Default Module

Server-Side Execution Request/Response Body Log

Server-Side Execution Debug Log

Number of Days to Keep Tracker Records

Site Name

After you set up a site name, it displays in your browser tab. In the Site Name field, enter the name you want to display. Then, scroll to the bottom of the page and click Save Changes.

A static image displaying the Site Name field and the result on the browser tab.

Hide Preview Bar by Default

In Express View, a preview bar displays at the top right of the screen. The preview bar lets you preview your application as a different role or with different styles.

A static image displaying the Preview bar in Express View.

Express View is how your end-user views your application. Express View also lets you preview your applications to test your configuration and view the styling. After configuring a module, click Preview in the Module Builder to interact with the module in Express View.

While you can manually hide or remove the preview bar in Express View, this setting keeps it hidden regardless. The reasons for hiding the preview bar include:

To hide the preview bar in Express View:

1. To the right of the Hide Preview Bar by Default setting, select the checkbox.
2. At the bottom of the page, click Save Changes.

To display it again in Express View, uncheck the box and save your changes.

PagerDuty Key

You can use PagerDuty integration to receive alerts about server-side execution failures. When configured, PagerDuty sends alerts when errors occur in your Unqork application and provides details in the Unqork service logs.

IMPORTANT  To use the PagerDuty integration, you must have a PagerDuty account.

To set up PagerDuty integration with Unqork:

1. Set up a PagerDuty service, using the instructions at the following link: https://support.pagerduty.com/docs/services-and-integrations.
2. When setting up the service, select Use our API Directly then Events API v2. PagerDuty generates an API key you can use in Unqork.
3. In the Environment Administration PagerDuty Key field, enter your API key.
4. At the bottom of the page, click Save Changes.

TIP  You can also set up PagerDuty alerts for individual services in your application. To learn more, view our Services Administration article.

Enable Custom Login/Logout Modules

When enabled, this setting lets you connect or disconnect login and logout modules to applications. Disable the setting to prevent login and logout modules from being connected to or disconnected from applications.

To allow login and logout modules to be connected to applications:

1. To the left of the Enable Custom Login/Logout Modules setting, click .
2. At the bottom of the page, click Save Changes.

Default Module

The default module is the landing page of your environment. When someone enters your site's URL into the browser, this is the first page they see. Without a default module, end-users see an Error 404 page. You can only set one default module for your environment.

To set your default module:

1. From the Default Module drop-down, select a module.
2. At the bottom of the page, click Save Changes.

Server-Side Execution Request/Response Body Log

Remote execution, also called server-side execution, is a best practice for application security. Users with Designer access can see server-side execution logs at the following endpoint: https://{your-environment}.unqork.io/fbu/uapi/logs/services?type=remoteExecute.

The Server Side Execution Request/Response Body Log setting lets you choose what the log captures. You can select one of the following options:

  • Capture all request/response bodies.

  • Do not capture request/response bodies.

  • Capture request/response bodies on failure.

To adjust what request and response bodies the log captures:

1. From the Server Side Execution Request/Response Body Log drop-down, select an option.
2. At the bottom of the page, click Save Changes.

TIP  For more tips on using the Server-Side Execution Request/Response Body Log setting, view the Best Practices section of this article.

Server-Side Execution Debug Log

The Server-Side Execution Debug Log setting captures server-side execution requests and lets you enable debug logging.

You can select one of the following options:

  • Never capture debug logging (default)

  • Always capture debug logging

WARNING  Enabling this feature might degrade application environment health and performance over time.

To enable server-side execution debug logs:

1. From the Server-Side Execution Debug Log drop-down, select an option.
2. At the bottom of the page, click Save Changes.

TIP  For more tips on using the Server-Side Execution Debug Log setting, view the Best Practices section of this article.

Number of Days to Keep Tracker Records

Unqork creates tracker records when a module's tracker feature is enabled. These records capture the actions of end-users that interact with your module. Over time, this data grows and becomes expensive to store. To solve this problem, set the number of days to keep tracker records. After that set number of days, Unqork deletes tracker data from the database.

To set the number of days to keep tracker records:

1. In the No of Days to Keep Tracker Records field, enter the number of days to store the records. Leaving this field blank means that tracker records do not expire.
2. At the bottom of the page, click Save Changes.

Google Tag Manager

Unqork supports integration with Google Tag Manager for Google Analytics tag configurations. You can use tags for several purposes, including:

TIP  You can also use Google Tag Manager to add custom scripts to your application. To learn more, view our Environment Administration: Adding Custom Script Using Google Tag Manager.

The Google Tag Manager section of the Environment Administration page includes three fields:

  • GTM Container ID

  • GTM Environment Authentication

  • GTM Environment Preview

Only use the GTM Environment Authentication and GTM Environment Preview settings if you have multiple environments set up in Google Tag Manager. To learn more about environments in Google Tag Manager, see Google Tag Manager's Environments article: https://support.google.com/tagmanager/answer/6311518/environments?hl=en.

Another solution for running different tags in different Unqork environments is to create one Tag Container for each Unqork environment. Then, add the environment-specific Container ID to each environment's Environment Administration page.

To set up Google Tag Manager integration in Unqork:

1. In the GTM Container ID field, enter your Container ID.

TIP  When you create a new Tag Container, Google Tag Manager prompts you to copy and paste the Tag Manager Snippet Script to every page of your website. Unqork performs this step for you. You only need to add the Container ID to your environment once.

2. At the bottom of the page, click Save Changes.

Unqork API

Unqork has its own API (application programming interface) that lets you request and send data between systems. APIs are a set of protocols and definitions developers use to build and integrate application software, and they act as the connective tissue between products and services. To use the Unqork API, you must have an access token.

By enabling OAuth2 Password Grant in Environment Administration, your Unqork users can obtain an access token using their login credentials and make API calls.

To enable OAuth2 Password Grant:

1. To the right of the Enable OAuth2 Password Grant setting, click .
2. At the bottom of the page, click Save Changes.

TIP  For more tips on using the Enable OAuth2 Password Grant setting, view the Best Practices section of this article.

Authentication

This section focuses on the authentication settings you can use to customize your environment. These settings include username and password requirements, anonymous user access, and SAML and OIDC configuration. Click the links below to navigate to a setting, understand its purpose, and learn how to use it.

Username & Password

Anonymous Access

SAML

OIDC

TIP  To learn more about SSO (Single Sign-On), SAML, and OIDC authentication, view our Single Sign-On (SSO) Management articles.

Username & Password

This section focuses on the username and password settings you can use to customize your environment. These settings include disabling your environment's login page, enforcing password resets, and requiring specific characters and character length when users create a password.

Disable Login Screen

The Disable Login Screen setting prevents users from logging into Designer or Express View. This is helpful for administrators who plan to use login methods, like SSO (Single Sign-on). Enabling the Disable Login Screen setting sends users to a 403 - Access Denied page.

To enable the Disable Login Screen setting:

1. To the right of the Disable Login Screen setting, click .
2. At the bottom of the page, click Save Changes.

Password Requirements

To customize your environment's password requirements, use the following settings in this section. Then, save your changes.

  • Enter No of Days to Enforce Password Reset: Set the number of days to enforce end-users to reset their password. The number must be a numerical value greater than 0. For example, you'll enter 5 instead of five.

  • Minimum Length: Set the minimum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 8.

  • Maximum Length: Set the maximum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 64.

  • Require Lowercase Letter: Select this checkbox if you want your end-user's password to have at least 1 lowercase letter.

  • Require Uppercase Letter: Select this checkbox if you want your end-user's password to have at least 1 uppercase letter.

  • Require Number: Select this checkbox if you want your end-user's password to have at least 1 integer.

  • Require Symbol: Select this checkbox if you want your end-user's password to have at least 1 symbol.

NOTE  When you set password reset rules in your environment, they don't apply to Service users. Service users can create user credentials for API calls and authorizations. Service users access server-side logic instead of the front-end of your application. Password reset rules only apply to regular Express end-users.

TIP  For more tips on using the Password Requirements settings, view the Best Practices section of this article.

Anonymous Access

The Disable Anonymous Access setting prevents unauthenticated users from accessing your applications. Disabling anonymous access allows for internal testing without exposing applications to the public. Enable the Disable Anonymous Access setting to redirect unauthenticated users to the login screen. Creators and administrators accessing anonymous modules are also redirected to the login screen for authentication. Creators and administrators can then use Designer permissions to simulate an anonymous user.

IMPORTANT  This setting is incompatible with custom login and logout modules.

To enable the Disable Anonymous Access setting:

1. To the left of the Disable Anonymous Access setting, click .
2. At the bottom of the page, click Save Changes.

SAML

SAML (Security Assertion Markup Language) is one of the SSO methods Unqork supports. To learn more about using SAML for SSO, view our Unqork as a SAML Service Provider article.

Provider-Specific How-to Guides: Express View (SAML)

Provider-Specific How-to Guides: Designer (SAML)

OIDC

OIDC (OpenID Connect) is one of the SSO methods Unqork supports. To learn more about using OIDC for SSO, view our OpenID Connect (OIDC) article.

Provider-Specific How-to Guides: Express View (OIDC)

API Rate Limiting

Administrators can limit the number of requests made per minute by the same end-user. API Rate Limiting minimizes security risk and improves performance. Limiting the number of requests per IP address decreases traffic from bad actors. A bad actor is a cybercriminal or organization that might attempt to exploit vulnerabilities in your environment or application. Common exploits used by bad actors include XSS (cross-site scripting) attacks, malware, ransomware, and more. The Number of Requests per IP Address setting lets you limit the number of requests from each IP address per server per 60 seconds.

To limit the number of requests per IP address:

1. In the Number of Requests per IP Address field, enter an integer. The minimum is 100 and the maximum is 1000000.
2. At the bottom of the page, click Save Changes.

TIP  For more tips on using the API Rate Limiting setting, view the Best Practices section of this article.

Execution Limit

An execution limit is the number of retries a component or Workflow node attempts in a server-side execution. This setting is a helpful defense mechanism built into each environment.

IMPORTANT  Server-side execution requests have a two-minute timeout. If the module being executed has a configuration containing lots of components or Workflow node executions, it might time out if the execution limit is too high.

Execution limits (or looping limits) prevent infinite loops in the form of two looping limit settings:

  • Looping Limit for Component Execution: The looping limit specific to component executions. By default, this setting is set to 100 retries.

  • Looping Limit for Workflow Node Execution: The looping limit specific to Workflow node executions. By default, this setting is set to 100 retries.

To change the execution limit for your components or Workflow nodes:

1. In the Looping Limit for Component Execution or Looping Limit for Workflow Node Execution fields, enter an integer.
2. At the bottom of the page, click Save Changes.

Express Session Administration

This section lets you determine when to end an end-user's session in Express View. When end-users log into an environment, they obtain an access token. This token verifies they have permission to log into your environment. But, the token only remains active for a set amount of time. After that time, Unqork logs them out, and they must log in again.

If your end-user walks away from their device while remaining logged in, this setting prevents someone from obtaining your end-user's token and using it indefinitely.

To customize your environment's session requirements, use the following settings in this section. Then, save your changes.

  • Expire User Sessions in Express: This drop-down menu provides you with two options:

      • Expiration on Browser Quit: Unqork ends an end-user's session when they exit their browser. It's a best practice to use this option for the strongest security.

      • Expiration Only: Unqork ends an end-user's session when their token expires.

  • Inactivity Timeout: The amount of time an end-user can stay inactive in Express View before their token expires, in minutes. This value must be less than or equal to the Session Timeout.

  • Session Timeout: The amount of time an end-user can remain logged into your environment (with or without activity) before their token expires, in minutes.

TIP  For more tips on using the Express Session Administration settings, view the Best Practices section of this article.

Express Content Security Policy (CSP)

Content Security Policy (CSP) is a security standard used to inform the browser to allow or block loading content for a given site. For example, let's say you set up an iframe in your Unqork application that displays content from another site. You can use CSP to inform the browser that it's safe to load content from that site in your Unqork application. By default, Unqork environments have strict CSP settings. These settings help protect against threats like data injection attacks. Only hostnames added to your CSP settings can load content in or from your Unqork application.

You can set up the following CSP directives in Environment Administration:

  • Frame Source List (frame-src): The frame-src directive lists the frames that can be embedded in Unqork, and what sources can load a <frame> or <iframe> element.

  • Frame Ancestor List (frame-ancestors): The frame-ancestors directive lists the frames that can embed Unqork, and what sources a <frame>, <iframe>, <object>, <embed>, or <applet> element can load from. For example, to set up an iframe in Unqork that displays content from another site, add the site's hostname (or domain name) to the Frame Ancestor list.

NOTE  Issues arise if a source has its own CSP directives or an X-Frame-Options header that conflicts with your CSP directives. For example, the site you try to load content from might block framing. Adding the site's hostname to your Frame Ancestor List doesn't override the source site's restrictions. If a frame doesn't work as expected, verify the source's CSP and X-Frame-Options don't conflict with your directives.

  • Object Source List (object-src): The object-src directive lists what sources can load an <object>, <embed>, or <applet> element.

NOTE  Mozilla recommends restricting the object-src directive. To learn more, view the Mozilla developer object-src documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src.

TIP  To learn more about each directive, view the Mozilla developer CSP documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

To add Content Security Policy directives:

1. In the Frame Source List field, list allowed sources, if required.

TIP  To allow multiple sources, use a comma-separated list.

2. In the Frame Ancestor List field, list allowed sources, if required.
3. In the Object Source List field, list allowed sources, if required.
4. At the bottom of the page, click Save Changes.
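
The following is an added example, not Unqork's code: it checks comma-separated entries for the three fields before they are saved and shows the Content-Security-Policy value they correspond to. How Unqork assembles the header is not described on this page, so the function names, the sample hostnames, and the rendering of an empty list as 'none' are assumptions.

```python
import re

# Simplified CSP host-source: optional scheme, optional leading "*." wildcard,
# dot-separated host labels, optional port. Paths and keywords are out of scope.
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d{1,5}|\*))?$",
    re.IGNORECASE,
)

# Field labels and directive names as given on the page.
FIELD_TO_DIRECTIVE = {
    "Frame Source List": "frame-src",
    "Frame Ancestor List": "frame-ancestors",
    "Object Source List": "object-src",
}


def parse_source_list(raw):
    """Split one comma-separated field value into (sources, findings)."""
    sources, findings = [], []
    for entry in (part.strip() for part in raw.split(",")):
        if not entry:
            continue
        if entry == "*":
            findings.append("'*' allows every origin")
            sources.append(entry)
            continue
        match = HOST_SOURCE.match(entry)
        if match is None:
            # Dropped rather than emitted: spaces or stray characters would
            # change how the browser tokenises the directive.
            findings.append(f"{entry!r} is not a valid host-source")
            continue
        if (match["scheme"] or "").lower() == "http":
            findings.append(f"{entry!r} permits unencrypted http")
        if match["host"].startswith("*."):
            findings.append(f"{entry!r} covers every subdomain")
        sources.append(entry)
    return sources, findings


def build_policy(fields):
    """Return (header_value, findings) for a dict of field label -> raw text."""
    parts, findings = [], []
    for field, directive in FIELD_TO_DIRECTIVE.items():
        sources, issues = parse_source_list(fields.get(field, ""))
        findings += [f"{directive}: {issue}" for issue in issues]
        # Assumption for this example: an empty list blocks everything.
        parts.append(f"{directive} {' '.join(sources) or chr(39) + 'none' + chr(39)}")
    return "; ".join(parts), findings


# Constructed sample input using reserved example domains.
SAMPLE_FIELDS = {
    "Frame Source List":
        "https://maps.example.com, *.example.net, http://legacy.example.org",
    "Frame Ancestor List": "https://portal.example.com, partner example.com",
    "Object Source List": "",
}

if __name__ == "__main__":
    header, findings = build_policy(SAMPLE_FIELDS)
    print("Content-Security-Policy:", header)
    for finding in findings:
        print("review:", finding)
```
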

Offline Mode

The Enable Offline setting enables offline access at the environment level. Enabling this setting lets you access offline-mode tools and features to:

  • Automatically register a service worker. Setting up this service worker lets your offline-enabled modules connect to the IndexedDB API.

  • Enable the Module Builder's Cache this Module to Allow for Offline Access setting.

TIP  To learn more about offline mode, view our Introduction to Offline Mode article.

To enable offline access at the environment level:

1. To the right of the Enable Offline setting, click .
2. At the bottom of the page, click Save Changes.

User Account Lockout

The User Account Lockout settings control how many login attempts Creators have before they are locked out of the Unqork Designer Platform. Administrators can specify maximum attempts in a specific time frame, including the lockout duration after exceeding the maximum attempts. After a Creator's account is locked, they receive an email informing them of their account status.

TIP  Administrators can unlock user accounts earlier using the Creator (User) Administration page. To learn more about unlocking user accounts, visit our Creator (User) Administration article.

  • Maximum Number of User Login Attempts: The number of failed login attempts allowed before a user’s account is locked. By default, the value is 5, but you can enter a value between 2 and 10.

  • User Account Lockout Duration: The amount of time a user's account remains locked, in minutes. By default, the value is 30, but you can enter a value between 5 and 120.

  • User Login Attempt Duration: The total amount of time between failed login attempts before the user is locked out of their account, in minutes. By default, the value is 30, but you can enter a value between 5 and 120.

For example, using all default settings, a user can attempt to log in five times over the course of 30 minutes. If a user attempts to log in a sixth time in those 30 minutes, they are locked out of their account.
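
To see how the three settings interact, the added example below models them in Python and replays constructed timelines of failed logins. It is not Unqork's implementation: the class and function names are hypothetical, and the sliding attempt window is an assumption, since the page does not say how the window is measured.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5       # Maximum Number of User Login Attempts (2-10)
    lockout_minutes: int = 30   # User Account Lockout Duration (5-120)
    window_minutes: int = 30    # User Login Attempt Duration (5-120)

    def __post_init__(self):
        # Reject values outside the ranges the page gives for each field.
        if not 2 <= self.max_attempts <= 10:
            raise ValueError("max_attempts must be between 2 and 10")
        for name in ("lockout_minutes", "window_minutes"):
            if not 5 <= getattr(self, name) <= 120:
                raise ValueError(f"{name} must be between 5 and 120")


class AccountLockout:
    """Tracks failed logins for one account; time is in whole minutes."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = deque()
        self.locked_until = None

    def is_locked(self, minute):
        return self.locked_until is not None and minute < self.locked_until

    def unlock(self):
        """Early unlock, as an administrator can do from user administration."""
        self.locked_until = None
        self.failures.clear()

    def failed_login(self, minute):
        """Record a failed login and return "failed" or "locked"."""
        if self.is_locked(minute):
            return "locked"
        # Assumption: the window slides, so failures older than it age out.
        cutoff = minute - self.policy.window_minutes
        while self.failures and self.failures[0] <= cutoff:
            self.failures.popleft()
        self.failures.append(minute)
        # Following the page's example, the attempt after the allowed
        # maximum (the sixth with defaults) triggers the lockout.
        if len(self.failures) > self.policy.max_attempts:
            self.locked_until = minute + self.policy.lockout_minutes
            self.failures.clear()
            return "locked"
        return "failed"


def replay(policy, minutes):
    """Feed a list of failed-login times to a fresh account."""
    account = AccountLockout(policy)
    return [account.failed_login(minute) for minute in minutes]


# Constructed timelines (minutes since the first failed login).
BURST = [0, 5, 10, 15, 20, 25, 40, 56]   # six failures inside 30 minutes
SPREAD = [0, 7, 14, 21, 28, 35]          # first failure ages out before the sixth

if __name__ == "__main__":
    print(replay(LockoutPolicy(), BURST))
    print(replay(LockoutPolicy(), SPREAD))
```

With the defaults, the first timeline locks on the sixth failure and stays locked until minute 55, while the second never holds more than five failures in the window. A longer User Login Attempt Duration closes that gap.
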

Express User Account Password

The Express User Account Password setting controls password creation for new Express users. Administrators can create passwords for new Express users or let Express users create their own passwords. To improve environment and application security, you'll use the Let User Set Password on Login setting. After making changes, save them.

IMPORTANT  The Choose Password setting is only available to older environments.

  • Let User Set Password on Login (Recommended): Users set their own Express account password. An email is sent to the user with a login link directing them to create a new password. The link expires 24 hours after generation.

  • Choose Password (Deprecated): Administrators manually set the password when creating or resetting Express user accounts.

IMPORTANT  To increase environment security, we recommend avoiding this option.

Component Security

The Disable Safe HTML Filters in Content Components setting prevents use of the safehtml AngularJS filter in Content components. When enabled, Content components bypass safehtml filters in Express View.

To enable bypassing safehtml filters for Content components:

1. To the right of the Disable Safe HTML Filters in Content Components setting, click .
2. At the bottom of the page, click Save Changes.

Best Practices

Server-Side Execution Request/Response Body and Debug Logs

The Server Side Execution Request/Response Body Log enables the logging of request and response bodies for all the server-side execution modules.

A static image displaying the selection of the Do Not Capture Request/Response Bodies option in the Environment Administration.

  • When debugging, enable Always Capture Debug Logging to capture logs for troubleshooting, then turn the setting off once the debugging is finished.

A static image displaying the selection of the Never Capture Debug Logging option in the Environment Administration.

Enable OAuth2 Password Grant

Disable the Enable OAuth2 Password Grant setting for all users. Create a dedicated Express Service user for API access. Disabling this setting prevents phishing attacks and increases security for users.

A static image displaying the unselected Enable OAuth2 Password Grant setting in the Environment Administration.

Password Requirements

  • Enforce a strong password policy in all environments. A short or weak password is vulnerable to brute-forcing or password spraying attacks.

  • In the Minimum Length field, set a minimum password length of at least 12 characters. The default setting for the minimum password length is 8 characters.

  • It's also a best practice to select the Require Lowercase Letter, Require Uppercase Letter, Require Number, and Require Symbol options.

A static image displaying the Minimum Length of 12 and the selection of the Require Lowercase Letter, Require Uppercase Letter, Require Number, and Require Symbol options in the Environment Administration.

API Rate Limiting

Improve integration security by limiting the API rate. For the API Rate Limiting settings, you have the option to limit the number of API requests from any single IP per server per 60 seconds.

The smallest number of requests you can enter is 100, while the largest is 1,000,000. But, it's recommended to set this to a lower number. By setting your limit to a lower number, you reduce the likelihood of automated attacks, like brute-force searches, enumerations, or HTTP request flooding. HTTP (Hypertext Transfer Protocol) is an application-layer protocol used to transmit hypermedia documents like HTML.

Express Session Administration

Enforce a strong session management policy. Do this by implementing 2 changes to the Express Session Administration setting section:

1. From the Expire User Sessions in Express drop-down menu, select Expiration on Browser Quit. By selecting this option, you set all browser cookies to session cookies. Once the browsing session ends, your browser automatically deletes session cookies.

A static image displaying the selection of the Expiration on Browser Quit option in the Environment Administration.

2. Set your Inactivity Timeout and Session Timeout to a lower number. Setting a shorter amount of time for the session to timeout increases security. It does this by reducing the likelihood and amount of time a malicious actor can use a stolen session.

A static image displaying the Inactivity Timeout and Session Timeout settings in the Environment Administration.
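
The ranges and recommendations in this article can be checked together when reviewing an environment. The added example below does that for a snapshot of settings; it is not an Unqork tool, and the snapshot keys and sample values are hypothetical because this page does not describe an export format.

```python
# Key names in the snapshot are assumptions made for this example; the ranges
# and recommendations are the ones stated in this article.

def audit_environment(s):
    """Return a list of (severity, setting, message) findings.

    "invalid": outside a range or relation the article states.
    "weak":    an accepted value that departs from the Best Practices section.
    """
    findings = []

    def add(severity, setting, message):
        findings.append((severity, setting, message))

    # Password Requirements: both lengths are limited to 8-64.
    lo, hi = s["password_min_length"], s["password_max_length"]
    for name, value in (("password_min_length", lo), ("password_max_length", hi)):
        if not 8 <= value <= 64:
            add("invalid", name, f"{value} is outside 8-64")
    if lo > hi:  # consistency check added for this example
        add("invalid", "password_min_length", f"minimum {lo} exceeds maximum {hi}")
    if lo < 12:
        add("weak", "password_min_length", f"{lo} is below the recommended 12")
    missing = [c for c in ("lowercase", "uppercase", "number", "symbol")
               if not s[f"require_{c}"]]
    if missing:
        add("weak", "password_character_classes",
            "not required: " + ", ".join(missing))

    # Unqork API: password grant should be off, with a Service user for API access.
    if s["oauth2_password_grant"]:
        add("weak", "oauth2_password_grant", "enabled for users")

    # API Rate Limiting: requests per IP per server per 60 seconds.
    rate = s["requests_per_ip"]
    if not 100 <= rate <= 1_000_000:
        add("invalid", "requests_per_ip", f"{rate} is outside 100-1000000")

    # Express Session Administration.
    if s["inactivity_timeout_min"] > s["session_timeout_min"]:
        add("invalid", "inactivity_timeout_min", "exceeds the Session Timeout")
    if s["expire_user_sessions"] != "Expiration on Browser Quit":
        add("weak", "expire_user_sessions", "cookies outlive the browser session")

    # Server-Side Execution Debug Log: on only while troubleshooting.
    if s["debug_log"] != "Never capture debug logging":
        add("weak", "debug_log", "debug logging is still enabled")

    # Express User Account Password.
    if s["express_password_mode"] != "Let User Set Password on Login":
        add("weak", "express_password_mode", "administrators choose user passwords")
    return findings


# Constructed snapshots: one weak environment and the same one after hardening.
WEAK = {
    "password_min_length": 8, "password_max_length": 64,
    "require_lowercase": True, "require_uppercase": True,
    "require_number": False, "require_symbol": False,
    "oauth2_password_grant": True,
    "requests_per_ip": 50,
    "inactivity_timeout_min": 120, "session_timeout_min": 60,
    "expire_user_sessions": "Expiration Only",
    "debug_log": "Always capture debug logging",
    "express_password_mode": "Choose Password",
}
HARDENED = dict(
    WEAK,
    password_min_length=12, require_number=True, require_symbol=True,
    oauth2_password_grant=False, requests_per_ip=100,
    inactivity_timeout_min=15, session_timeout_min=60,
    expire_user_sessions="Expiration on Browser Quit",
    debug_log="Never capture debug logging",
    express_password_mode="Let User Set Password on Login",
)

if __name__ == "__main__":
    for severity, setting, message in audit_environment(WEAK):
        print(f"{severity:8} {setting}: {message}")
```
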