Environment Administration

	Environment Level	Description	Codebase
1	Staging	Where Unqork Creators Also known as Unqork Users, or Designer Users; is anyone who is inside the Unqork platform. configure applications. This non-production environment level is meant for test data only. This level is where you create and update configurations before promoting to QA for testing. Staging is an internal environment level and part of Unqork's cloud infrastructure. Staging offers both a Designer and Express View interface. This non-production environment level hosts test data only.	Staging
2	Quality Assurance (QA)	Where Unqork Creators test and verify processes, artifacts, and ensure applications are built using best practices. QA is an internal environment level and part of Unqork's cloud infrastructure. QA offers both a Designer and Express View interface. This non-production environment level hosts test data only.	QA
3	User Acceptance Testing (UAT)	Where the Creators and end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. can view the latest build. Use this environment level to test your application's end-user experience. This non-production environment hosts test data only. UAT is an internal environment level and part of Unqork's cloud infrastructure. UAT offers both a Designer and Express View interface. This non-production environment level hosts test data only.	UAT
4	Production	This is the live application and the only environment level where end-users can access it. This level is also the only environment level to store live client data. Following SDLC best practices, development should never take place in Production.	Production

General

This section focuses on the general settings you can use to customize your environment. These settings include creating a site name, enabling custom login and logout modules, and determining if you want to capture all request and response bodies.

Site Name

In the Site Name field, enter the name you want to display. After setting up a site name, it displays in your browser tab.

Hide Preview Bar by Default

In Express View Express View is how your end-user views your application. Express View also lets you preview your applications to test your configuration and view the styling. This is also the view your end-users will see when interacting with your application. After configuring a module, click Preview in the Module Builder to interact with the module in Express View., a preview bar displays at the top right of the screen. The preview bar lets you preview your application using different roles and styles.

While you can manually hide or remove the preview bar in Express View Express View is how your end-user views your application. Express View also lets you preview your applications to test your configuration and view the styling. This is also the view your end-users will see when interacting with your application. After configuring a module, click Preview in the Module Builder to interact with the module in Express View., this setting keeps it hidden regardless. The reasons for hiding the preview bar include:

Limiting end-user End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. options and preventing them from changing role views or styles.
Viewing or testing the application on a mobile device. The preview bar can take up space on a mobile screen. Hiding it can improve navigation.

PagerDuty Key

You can use PagerDuty integration to receive alerts about server-side execution failures. When configured, PagerDuty sends alerts when errors occur in your Unqork application, and provides details in the Unqork service logs.

To use the PagerDuty integration, you must have a PagerDuty account.

To configure PagerDuty integration with Unqork:

1.

Set up a PagerDuty service using the instructions at the following link: https://support.pagerduty.com/docs/services-and-integrations.

2.

When setting up the service, select Use our API Directly and Events API v2. PagerDuty generates an API key you can use in Unqork.

3.

In the Environment Administration page's PagerDuty Key field, enter your API key.

4.

At the top of the page, click Save Changes.

You can also set up PagerDuty alerts for individual services in your application. To learn more, view our Services Administration article.

Environment Style

Displays the current Express View environment style. Administrators can change the style in the Style Administration page.

Discover how to change the environment style in our Style Administration article

Display Custom Login/Logout Settings for Applications

Enable this setting to connect or disconnect login and logout modules to applications. Disable the setting to prevent login and modules from being connected or disconnected to applications.

To learn more about login and logout modules, view our Login Module and Logout Module articles.

Default Module

The default module is the homepage of your environment. Without a default module, end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. receive an Error 404 page. You can only set one default module for your environment.

Server-Side Execution Request/Response Body Log

Remote execution, also called server-side execution, is a best practice for application security. Users with Designer access can see server-side execute logs at the following endpoint: https://{your-environment}.unqork.io/fbu/uapi/logs/services?type=remoteExecute.

The Server Side Execution Request/Response Body Log setting lets you choose what the log captures. You can select one of the following options:

Do not capture request/response bodies.
Capture request/response bodies on failure.
Capture all request/response bodies.

Server-Side Execution Request/Response Debug Log

The Server-Side Execution Debug Log setting captures server-side execution requests and lets you enable debug logging in your environment.

You can select one of the following options:

Never capture debug logging (default).
Always capture debug logging.

Enabling this feature might degrade application environment health and performance over time.

For more tips on using the Server-Side Execution Debug Log setting, view the Best Practices section of this article.

Number of Days to Keep Tracker Records

Unqork creates tracker records when a module's tracker feature is enabled. These records capture the actions of end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. that interact with your module. Over time, this data increases and becomes expensive to store. To avoid this issue, set the number of days to keep tracker records. After that set number of days, Unqork deletes tracker data from the database.

You can leave this field blank to store records for 60 days.

Google Tag Manager

Unqork supports integration with Google Tag Manager containers for Google Analytics tag configurations. You can use tags for several purposes, including:

Scroll tracking.
Monitoring module submissions.
Conducting surveys.
Generating heat maps.
Tracking how end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. access your site.

The Google Tag Manager section of the Environment Administration page includes three fields:

GTM Container ID
GTM Environment Authentication
GTM Environment Preview

Only use the GTM Environment Authentication and GTM Environment Preview settings if you have multiple environments set up in Google Tag Manager.

To learn more about environments in Google Tag Manager, see Google Tag Manager's Environments documentation: https://support.google.com/tagmanager/answer/6311518/environments?hl=en.

Another solution for running different tags in different Unqork environments is to create one Tag Container for each Unqork environment. Then, add the environment-specific Container ID to each environment's Environment Administration page.

When you create a new Tag Container, Google Tag Manager prompts you to copy and paste the Tag Manager Snippet Script to every page of your website. Unqork performs this step for you. You only need to add the Container ID to your environment once.

Unqork API

Unqork has its own API APIs (application programming interfaces) are a set of protocols and definitions developers use to build and integrate application software. APIs act as the connective tissue between products and services. that lets you request and send data between systems. To use it, you must authenticate using an access token.

By enabling OAuth2 Password Grant in Environment Administration, your Unqork users can obtain an access token using their login credentials to make API calls.

Authentication

This section focuses on the authentication settings you can use to customize your environment. These settings include username and password requirements, anonymous user access, and SAML and OIDC configuration.

To learn more about SSO (Single Sign-On), SAML, and OIDC authentication, view our Single Sign-On (SSO) Management articles.

Using the menu below, select a setting:

Username & Password

These settings let you disable your environment's login page, enforce password resets, and configure specific character and character length requirements when users create a password.

Disable Login Screen

The Disable Login Screen setting prevents users from logging into Designer or Express View Express View is how your end-user views your application. Express View also lets you preview your applications to test your configuration and view the styling. This is also the view your end-users will see when interacting with your application. After configuring a module, click Preview in the Module Builder to interact with the module in Express View.. This is helpful for administrators who plan to use login methods, like SSO Single Sign-On is an authentication scheme that enables users to use one set of login credentials across multiple services..

Enabling the Disable Login Screen setting still displays the login screen, but users entering their credentials are shown a modal informing them that the login screen is disabled.

Password Requirements

To customize your environment's password requirements, use the following settings in this section. Then, save your changes.

Option	Description
Number of Days to Enforce Password Reset	Set the number of days to enforce end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. to reset their password. The number must be a numerical value greater than 0. For example, if you want to require end-users to reset their password every five days, you'll enter the numerical number 5.
Minimum Length	Set the minimum numerical character length for an end-user's password. Character length cannot be less than 8. By default, this value is set to 8.
Maximum Length	Set the maximum numerical character length for an end-user's password. Character length cannot exceeds 64. By default, this value is set to 64.
Require Lowercase Letter	Set to (ON) to require end-user's password to have at least one lowercase letter.
Require Uppercase Letter	Set to (ON) to require end-user's password to have at least one uppercase letter.
Require Number	Set to (ON) to require end-user's password to have at least one integer.
Require Symbol	Set to (ON) to require end-user's password to have at least one symbol.

Password reset rules do not apply to Service users. Service users can create user credentials for API calls and authorizations. Service users access server-side logic instead of the front-end of your application. Password reset rules only apply to regular Express end-users.

Strength

The strength indicator informs administrators how secure their password settings are. There are two levels of indication:

Good: The environment password settings follow security guidelines.
Weak: An improvement can be made, review the warning callout below the Strength setting for more details.

Anonymous Access

The Disable Anonymous Access setting prevents unauthenticated end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. from accessing your applications. Disabling anonymous access allows for internal testing without exposing applications to the public. Enable the Disable Anonymous Access setting to redirect unauthenticated end-users to the login screen. Creators Also known as Unqork Users, or Designer Users; is anyone who is inside the Unqork platform. and administrators accessing anonymous modules also redirect to the login screen for authentication. Creators and administrators can then use Designer permissions to simulate an anonymous user.

This setting is incompatible with custom login and logout modules.

SAML

SAML Security Assertion Markup Language (SAML) is a protocol that allows an identity provider (IdP) to send a user's credentials to a service provider (SP) to verify their identity and grant them access to a service. is one of the supported SSO Single Sign-On is an authentication scheme that enables users to use one set of login credentials across multiple services. methods in Unqork. To learn more about using SAML for SSO, view our Unqork as a SAML Service Provider article.

Provider-Specific How-to Guides: Express View (SAML)

Provider-Specific How-to Guides: Designer (SAML)

OIDC

OIDC OIDC (OpenID Connect) is an identity authentication protocol that lets two applications share user information without exposing user credentials. is one of the supported SSO Single Sign-On is an authentication scheme that enables users to use one set of login credentials across multiple services. methods in Unqork. To learn more about using OIDC for SSO, view our OpenID Connect (OIDC) article

Provider-Specific How-to Guides: Express View (OIDC)

API Rate Limit

Improve integration security by limiting the API APIs (application programming interfaces) are a set of protocols and definitions developers use to build and integrate application software. APIs act as the connective tissue between products and services. rate. You can limit the number of API requests from any single IP address The Internet Protocol (IP) address is a unique identifier for a device or network connected to the internet. per server per 60 seconds.

The minimum number of requests you can enter is 100, while the maximum is 1,000,000. It's recommended to set this to a lower number to reduce the likelihood of automated attacks. Common attacks include brute-force searches, enumerations, or HTTP HTTP (Hypertext Transfer Protocol) is an application-layer protocol used to transmit hypermedia documents like HTML. request flooding.

The default API rate limit is 1000.

Execution Limit

An execution limit is the number of retries a component or Workflow node attempts in a server-side execution. This setting is a helpful defense mechanism built into each environment.

Server-side execution requests have a two-minute timeout. If the module being executed has a configuration containing a larger number of components or Workflow node executions, it might timeout if the execution limit is too high.

Execution limits (or looping limits) prevent infinite loops in the form of two looping limit settings:

Looping Limit for Component Execution: The looping limit specific to component executions. By default, this value is set to 100 retries.
Looping Limit for Workflow Node Execution: The looping limit specific to Workflow node executions. By default, this value is set to 100 retries.

Express Session Administration

This section lets you determine how to control sessions in Designer and Express. For example, when end-users End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. log into an environment, they obtain an access token. This token verifies they have permission to log into your environment. But, the token only remains active for a set amount of time. After that time, Unqork logs them out, and they must log in again.

If your end-user leaves their device unattended while remaining logged in, this setting prevents someone from obtaining your end-user's token and using it indefinitely.

To customize your environment's session requirements, use the following settings in this section. Then, save your changes.

Setting

Description

Expire User Sessions in Express

This drop-down menu provides you with opinions exclusive to Express sessions:

Expiration on Browser Quit: Unqork ends an end-user's session when they exit their browser. It's a best practice to use this option for the strongest security.
Expiration Only: Unqork ends an end-user's session when their token expires.

Inactivity Timeout

The amount of time an user can stay inactive in Designer and Express before their token expires. This value must be less than or equal to the Session Timeout.

The minimum time value is 5 minutes and the maximum is 1440 minutes (24 hours).

Session Timeout

The amount of time an user can remain logged into Designer and Express (with or without activity) before their token expires, in minutes.

Express Content Security Policy (CSP)

Content Security Policy (CSP) is a security standard that informs the browser to allow or block loading content for a given site. For example, let's say you set up an iframe in your Unqork application that displays content from another site. You can use CSP to inform the browser that it's safe to load content from that site in your Unqork application. By default, Unqork environments have strict CSP settings. These settings help protect against threats, like data injection attacks. Only hostnames added to your CSP settings can load content into or out of your Unqork application.

To learn more about each directive, view the Mozilla developer CSP documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

You can set up the following CSP directives in Environment Administration:

Directive

Description

Frame Source List (frame-src)

The frame-src directive lists the frames that can be embedded in Unqork, and identifies the sources that can load <frame> and <iframe> elements.

To allow multiple sources, use a comma-separated list.

Frame Ancestor List (frame-ancestors)

The frame-ancestors directive lists the frames that can embed Unqork, and identifies the sources where <frame>, <iframe>, <object>, <embed>, and <applet> elements can load. For example, to set up an iframe in Unqork that displays content from another site, add the site's hostname (or domain name) to the Frame Ancestor list.

Issues arise if a source has its own CSP directives or an X-Frame-Options header that conflicts with your CSP directives. For example, the site you try to load content from might block framing. Adding the site's hostname to your Frame Ancestor List does not override the source site's restrictions. If a frame does not work as expected, verify that the source's CSP and X-Frame-Options do not conflict with your directives.

Object Source List (object-src)

The object-src directive lists which sources can load <object>, <embed>, and <applet> elements.

Mozilla recommends restricting the object-src directive. To learn more, view the Mozilla developer object-src documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src.

Cross-Origin Resource Sharing (CORS)

The Cross-Origin Resource Sharing (CORS) setting lets you indicate a domain other than your environment domain where you can permit the loading of resources. In Unqork, this setting is helpful when using the Embedded User Interface (UI) feature.

To allow multiple domains, use a comma-separated list.

To learn more about Embedded UI, view our Embedded User Interface (UI) article

Offline Mode

The Enable Offline setting is only available in older environments.

The Enable Offline setting enables offline access at the environment level. Enabling this setting lets you access offline-mode tools and features to:

Automatically register a service worker. Setting up this service worker lets your offline-enabled modules connect to the IndexedDB API APIs (application programming interfaces) are a set of protocols and definitions developers use to build and integrate application software. APIs act as the connective tissue between products and services..
Enable the Module Builder's Cache this Module to Allow for Offline Access setting.

User Account Lockout

The User Account Lockout settings control how many login attempts Creators Also known as Unqork Users, or Designer Users; is anyone who is inside the Unqork platform. can make before they are locked out of the Unqork Designer Platform. Administrators can specify maximum attempts in a specific time frame, including the lockout duration after exceeding the maximum attempt. After a Creator's account is locked, they receive an email informing them of their account status.

Administrators can unlock user accounts earlier using the Creator (User) Administration page. To learn more about unlocking user accounts, visit our Creator (User) Administration article.

Setting

Description

Maximum Number of User Login Attempts

The number of failed login attempts allowed before a user’s account is locked. You can enter a numerical value between 2 and 10.

By default, the value is 5.

User Account Lockout Duration

The amount of time a user's account remains locked, in minutes. You can enter a numerical value between 5 and 120.

By default, the value is 30.

User Login Attempt Duration

The total amount of time between failed login attempts before the user is locked out of their account, in minutes. For example, using all default settings, a user can attempt to log in 5 times over the course of 30 minutes. If a user attempts to log in a sixth time in those 30 minutes, they are locked out of their account.

Enter a numerical value between 5 and 120.

By default, the value is 30.

End User Account Password

The Express User Account Password setting controls password creation for new Express users. Administrators can create passwords for new Express users, or let Express users create their own passwords. To improve environment and application security, you'll use the Let User Set Password on Login setting. After making changes, save them.

The Choose Password setting is only available in older environments.

Setting

Description

Let User Set Password on Login (Recommended)

Users can set their own Express account password. An email is sent to the user with a login link directing them to create a new password. This link expires 24 hours after generation.

Choose Password (Deprecated)

Administrators manually set the password when creating or resetting Express user accounts.

To increase environment security, we recommend avoiding this option.

Component Security

The Disable Safe HTML Filters in Content Components setting prevents use of the safehtml AngularJS AngularJS is a JavaScript framework added to an HTML page with a <script> tag. AngularJS extends HTML attributes and binds data to HTML using expressions. filter in Content components. When enabled, Content components bypass safehtml filters in Express View.

Environments that do not have a Content Component might not have this setting in their Environment Administration page.

Best Practices

Using the menu below, select a best practice to explore it:

Server-Side Execution Request/Response Body and Debug Logs

The Server Side Execution Request/Response Body Log enables the logging of request and response bodies for all server-side execution modules.

In Production-level environments, disable logging by selecting the option Do Not Capture Request/Response Bodies. Doing so prevents logs from capturing and storing PII Personal Identifiable Information (PII) is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. data.

When debugging, enable Always Capture Debug Logging to capture logs for troubleshooting. Then, disable the setting once the debugging is completed.

Environment Administration

Overview

Environment Levels in Unqork

Accessing Environment Administration

General

Site Name

Hide Preview Bar by Default

PagerDuty Key

Environment Style

Display Custom Login/Logout Settings for Applications

Default Module

Server-Side Execution Request/Response Body Log

Server-Side Execution Request/Response Debug Log

Number of Days to Keep Tracker Records

Google Tag Manager

Unqork API

Authentication

Username & Password

Disable Login Screen

Password Requirements

Strength

Anonymous Access

SAML

Provider-Specific How-to Guides: Express View (SAML)

Provider-Specific How-to Guides: Designer (SAML)

OIDC

Provider-Specific How-to Guides: Express View (OIDC)

API Rate Limit

Execution Limit

Express Session Administration

Express Content Security Policy (CSP)

Cross-Origin Resource Sharing (CORS)

Offline Mode

User Account Lockout

End User Account Password

Component Security

Best Practices

Server-Side Execution Request/Response Body and Debug Logs

Enable OAuth2 Password Grant

Password Requirements

API Rate Limiting

Session Administration

Feedback