Environment Administration

Overview

Environment Administration is where you can customize environment-related settings. For example, you can set up performance tracking, customize the site name, or set password requirements. Environment Administration is where you'll do these types of behind-the-scenes changes.

What You'll Learn

In this article, you'll get a brief overview of what environments are. Then, you'll learn how to:

Environment Stages in Unqork

Environment stages (or stages) in Unqork support each phase of building and rendering applications. As customer applications advance through development, they generally pass through the following stages:

| Environment | Description | Code-base |
| --- | --- | --- |
| Customer Staging | Where Unqork creators configure applications. This non-production environment hosts test data only. Features and bug fixes are released to Customer Staging at the end of a sprint cycle (every 2 weeks). After launch, this is where you prepare updates before promoting to UAT for testing. Unqork hosts the Customer Staging environment internally. Staging offers both a Designer and Express View interface. | Staging |
| User Acceptance Testing (UAT) | Where both Unqork and the client can view the latest build. This non-production environment hosts test data only. Unqork hosts the UAT environment internally. UAT offers both a Designer and Express View interface. | UAT |
| Production | This is the live application, and the only environment that end-users can access. This is also the only environment to host live client data. | Production |

NOTE  Some customer applications move through up to 5 environments. The additional environments are Quality Assurance (QA) and Pre-production (Pre-prod). QA environments use the UAT code-base. Pre-prod environments use the Production code-base. The progression order is Customer Staging, QA, UAT, Pre-prod, then Production. Client leads decide the number of environments to use when developing a customer application.

TIP  To learn more about environment stages, including the release process for platform updates, view our Software Development Life Cycle Processes article.

Setting Your Site Name

The site name is what displays in your browser tab.

To set your site name:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. In the Site Name field, enter the name of your site.
6. At the bottom of the page, click Save Changes.

Hiding the Express Preview Bar

In Express View, a preview bar displays at the top right of the screen. The preview bar lets you preview your application as different roles or with different styles.

Reasons to hide the preview bar include:

  • Limiting end-user options. You might want testers to view the site without the ability to change role views or styles.

  • Viewing or testing the application on a mobile device. The preview bar can take up a lot of space on a mobile screen. Hiding it allows for easier navigation.

While you can manually hide or remove the preview bar in Express View, you can stop it from displaying altogether with the following setting:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. Select the Hide Preview Bar by Default checkbox.
6. At the bottom of the page, click Save Changes.

To add the preview bar back to Express View previews:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. Clear the Hide Preview Bar by Default checkbox.
6. At the bottom of the page, click Save Changes.

Adding a PagerDuty Key

You can use PagerDuty integration to receive alerts about server-side execution failures. When configured, PagerDuty sends alerts when errors occur in your Unqork application. Unqork service logs give details on these alerts.

NOTE  To use the PagerDuty integration, you must have your own PagerDuty account.

To set up PagerDuty integration with Unqork:

1. Set up a PagerDuty service, using the instructions at the following link: https://support.pagerduty.com/docs/services-and-integrations.
2. When setting up the service, select Use our API Directly then Events API v2. PagerDuty generates an API key.
3. At the top right of the Unqork Designer Platform, click the Settings drop-down.
4. Click Administration.
5. Under Environment, select Environment Administration.
6. Navigate to the General settings section of Environment Administration.
7. In the PagerDuty Key field, enter your API key.
8. At the bottom of the page, click Save Changes.

NOTE  You can also set up PagerDuty alerts for individual services in your application. Do this under Services Administration.

Setting a Default Module

The default module is the landing page of your environment. When someone types in your site's URL, this is the first page they see. Without a default module, your site visitor sees an Error 404 page. You can only set one default module per environment.

To set your default module:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. From the Default Module drop-down, select a module.
6. At the bottom of the page, click Save Changes.

Adjusting Server-Side Execution Request/Response Body Log Settings

Remote execution, also called server-side execution, is a best practice for application security. Users with Designer access can see server-side execute logs at the following endpoint: https://[...].unqork.io/fbu/uapi/logs/services?type=remoteExecute.

The Server Side Execution Request/Response Body Log setting lets you choose what the log captures. Here are the 3 options:

  • Capture all request/response bodies.

  • Do not capture request/response bodies.

  • Capture request/response bodies on failure.

To adjust what request/response bodies the log captures:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. From the Server Side Execution Request/Response Body Log drop-down, select an option.
6. At the bottom of the page, click Save Changes.

Setting Server-Side Execution Debug Log

The server-side execution debug log setting captures server-side execution requests.

WARNING  Enabling this feature might degrade application environment health and performance over time.

The Server-Side Execution Debug Log setting lets you enable debug logging. Here are the 2 options:

  • Never capture debug logging (default)

  • Always capture debug logging

To enable server-side execution debug logs:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. From the Server-Side Execution Debug Log drop-down, select an option.
6. At the bottom of the page, click Save Changes.

Setting Number of Days to Keep Tracker Records

Unqork creates tracker records when a module's Tracker feature is ON. These records capture the actions of end-users that interact with your module. Over time, this data grows and becomes expensive to store. To solve this problem, set the number of days to keep tracker records. After that set number of days, Unqork deletes tracker data from the database.

To set the number of days to keep tracker records:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the General settings section of Environment Administration.
5. In the No of Days to keep tracker records field, enter a number. Leaving this field blank means the tracker records don't expire.
6. At the bottom of the page, click Save Changes.

Google Tag Manager

Unqork supports integration with Google Tag Manager for Google Analytics tag configurations. You can use tags for several purposes, including:

  • Scroll tracking

  • Monitoring module submissions

  • Conducting surveys

  • Generating heat maps

  • Tracking how end-users arrive at your site

TIP  You can also use Google Tag Manager to add custom scripts to your application. To learn more, view our Environment Administration: Adding Custom Script Using Google Tag Manager article.

To set up Google Tag Manager integration in Unqork:

1. Set up your Google Tag Manager account and Tag Container using the instructions at the following link: https://support.google.com/tagmanager/answer/6103696?hl=en&ref_topic=3441530.
2. At the top right of the Unqork Designer Platform, click the Settings drop-down.
3. Click Administration.
4. Under Environment, select Environment Administration.
5. Navigate to the Google Tag Manager settings section of Environment Administration.
6. In the GTM Container ID field, enter your Container ID.

NOTE  Only use the GTM Environment Authentication and GTM Environment Preview settings if you have multiple environments set up in Google Tag Manager. To learn more about environments in Google Tag Manager, see Google Tag Manager's Environments article here: https://support.google.com/tagmanager/answer/6311518/environments?hl=en. Another solution for running different tags in different Unqork environments is to create one Tag Container per Unqork environment. Then, add the environment-specific Container ID to each Unqork environment's Environment Administration page.

TIP  When you create a new Tag Container, Google Tag Manager prompts you to copy and paste the Tag Manager Snippet Script to every page of your website. Unqork performs this step for you. You only need to add the Container ID to your environment once.

7. At the bottom of the page, click Save Changes.

Unqork API: Enabling OAuth2 Password Grant

API stands for application programming interface. It's a standardized way to request and send data between systems. Unqork has its own API, but to use it, you need an access token.

By enabling OAuth2 Password Grant, your Unqork users can use their login details to receive an access token. This access token allows them to make Unqork API calls.

To enable OAuth2 Password Grant:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Unqork API settings section of Environment Administration.
5. Select the Enable OAuth2 Password Grant checkbox.
6. At the bottom of the page, click Save Changes.

Disable Login Screen

The Disable Login Screen setting prevents users from attempting to log into Express and Designer view. This is helpful for administrators who plan to use login methods such as SSO (Single Sign-on). By default, users can access the direct login page to Unqork Express.

Enabling the Disable Login Screen setting sends users to a 403 - Access Denied page.

To enable the Disable Login Screen setting:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Authentication settings section of Environment Administration.
5. Select the Disable Login Screen checkbox.
6. At the bottom of the page, click Save Changes.

Password Requirements

When you add new users to your environment, Unqork sends them an email with a temporary password. They must reset their password in a certain number of days. You can customize the password requirements for your users. This setting helps encourage users to create more complex and secure passwords. Having complex passwords increases your environment's security.

To customize your environment's password requirements:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Password Requirements settings section of Environment Administration.
5. Update your preferences as follows:
| Option | Description |
| --- | --- |
| Enter No of Days to Enforce Password Reset | Set the number of days to enforce end-users to reset their password. The number must be greater than 0. The number must be a numerical value. So, enter 5 instead of five. |
| Minimum Length | Set the minimum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 8. |
| Maximum Length | Set the maximum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 64. |
| Require Lowercase Letter | Select this checkbox if you want your end-user's password to have at least 1 lowercase letter. |
| Require Uppercase Letter | Select this checkbox if you want your end-user's password to have at least 1 uppercase letter. |
| Require Number | Select this checkbox if you want your end-user's password to have at least 1 integer. |
| Require Symbol | Select this checkbox if you want your end-user's password to have at least 1 symbol. |

6. At the bottom of the page, click Save Changes.

NOTE  When you set password reset rules in your environment, they don't apply to Service Users. A Service User lets you create user credentials for API calls and authorizations. A Service User is for server-side logic instead of access to the front-end of your application. Password reset rules only apply to regular Express end-users.

Disable Anonymous Access

The Disable Anonymous Access setting prevents unauthenticated users from accessing your applications. Disabling anonymous access allows internal testing without exposing applications to the public. Enable the Disable Anonymous Access setting to redirect unauthenticated users to the login screen. Creators and administrators reaching anonymous modules also redirect to the login screen for authentication. Creators and administrators can then use designer permissions to simulate an anonymous user.

NOTE  This setting is incompatible with custom login and logout modules.

To enable the Disable Anonymous Access setting:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Authentication settings section of Environment Administration.
5. Select the Disable Anonymous Access checkbox.
6. At the bottom of the page, click Save Changes.

SAML Configuration

SAML (Security Assertion Markup Language) is one of the SSO methods Unqork supports. To learn more about using SAML for SSO, view our Unqork as a SAML Service Provider article.

Provider-Specific How-to Guides: Express View (SAML)

Provider-Specific How-to Guides: Designer (SAML)

OIDC Configuration

OIDC (OpenID Connect) is one of the SSO methods Unqork supports. To learn more about using OIDC for SSO, view our OpenID Connect (OIDC) article.

Provider-Specific How-to Guides: Express View (OIDC)

API Rate Limiting

Administrators can limit the number of requests made per minute by the same end-user. API Rate Limiting minimizes security risk and improves performance. Limiting the number of requests per IP address decreases traffic from attackers, like automated bots. This setting lets you limit the number of requests from each IP address per server per 60 seconds.

To limit the number of requests per IP address:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the API Rate Limiting settings section of Environment Administration.
5. In the Number of Requests per IP Address field, enter an integer. The minimum is 100 and the maximum is 1000000.
6. At the bottom of the page, click Save Changes.

Execution Limit

An execution limit is the number of retries a component or workflow node attempts if caught in a loop. This setting is a helpful defense mechanism built into each environment. Execution limits (or looping limits) prevent infinite loops through 2 looping limit settings: Component Execution and Workflow Node Execution. Unqork defaults to 100 retries for each looping limit setting.

To change the execution limit for your components or workflow nodes:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Execution Limit settings section of Environment Administration.
5. In the Looping limit for Component Execution or Looping limit for Workflow Node Execution fields, enter an integer.
6. At the bottom of the page, click Save Changes.

Express Session Administration

This section lets you decide when an end-user's session ends in Express View. When end-users log into an environment, they get an access token. This token verifies that they logged in and have permissions in your environment. The token stays active for a set amount of time. After that, Unqork logs them out, and they must log in again.

Let's say your end-user accidentally leaves a page open and walks away from their computer. This setting prevents someone from taking your end-user's token and using it indefinitely. This Express Session Administration section helps improve your environment's security.

Let's take a look at the settings options:

| Setting | Description |
| --- | --- |
| Expire User Sessions in Express | This drop-down gives you 2 options. Expiration on Browser Quit: Unqork ends an end-user's session when they exit their browser. It's best practice to use this option for the strongest security. Expiration Only: Unqork ends an end-user's session when their token times out. |
| Inactivity Timeout | The amount of time an end-user can stay inactive in Express View before their token expires, in minutes. |
| Session Timeout | The amount of time an end-user can stay authenticated (with or without activity) before their token expires, in minutes. |

NOTE  Authenticated means logged in to your environment.

Content Security Policy

Content Security Policy is a security standard used to tell the browser whether to allow or block loading content from a given site. For example, say you want to set up an iframe in your Unqork application that shows content from another site. You can use Content Security Policy to tell the browser it's safe to load content from that site in your Unqork application. By default, Unqork environments have strict Content Security Policy settings. These settings help protect against threats like data injection attacks. Only hostnames added to your Content Security Policy settings can load content in or from your Unqork application.

You can set up the following Content Security Policy directives in Environment Administration:

  • Frame Source (frame-src): The frame-src directive lists the sources that Unqork can load in a <frame> or <iframe> element, that is, the frames that can be embedded in Unqork.
  • Frame Ancestor (frame-ancestors): The frame-ancestors directive lists the sources that can embed Unqork in a <frame>, <iframe>, <object>, <embed>, or <applet> element. For example, to set up an iframe in Unqork that shows content from another site, add the site's hostname (also called the domain name) to the Frame Ancestor list.

NOTE  Issues arise if a source has its own Content Security Policy directives or an X-Frame-Options header that conflicts with your Content Security Policy directives. For example, the site you try to load content from might disallow framing. Adding the site's hostname to your Frame Ancestor List doesn't override the source site's restrictions. If a frame doesn't work as expected, verify the source's Content Security Policy and X-Frame-Options don't conflict with your directives.

  • Object Source (object-src): The object-src directive lists what sources can load an <object>, <embed>, or <applet> element.

NOTE  Mozilla recommends restricting the object-src directive. To learn more, view the Mozilla developer documentation for object-src here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src.

TIP  To learn more about each directive, view the Mozilla developer documentation for CSP here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

To add Content Security Policy directives:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Content Security Policy settings section of Environment Administration.
5. In the Frame Source List field, list allowed sources, if required.

TIP  To allow multiple sources, use a comma-separated list.

6. In the Frame Ancestor List field, list allowed sources, if required.
7. In the Object Source List field, list allowed sources, if required.
8. At the bottom of the page, click Save Changes.
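
The note in this section asks you to verify that a source site's own Content Security Policy and X-Frame-Options headers don't conflict with your directives. The following JavaScript is an added example, not Unqork code: it models the browser's framing decision from a site's response headers. The function names, origins, and header values are constructed for illustration.

```javascript
// Added example (not Unqork code): models how a browser decides whether a
// response may be rendered in a frame. Simplified: it checks one embedding
// origin (browsers check every ancestor) and does not handle IPv6 hosts.

// Returns the frame-ancestors source list, or null when the directive is absent.
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Matches one CSP source expression against the embedding page's URL.
function sourceMatches(source, embedder, resource) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedder.origin === resource.origin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme: inherit the framed resource's scheme (https also satisfies http).
  const wanted = scheme ? scheme + ":" : resource.protocol;
  const schemeOk = embedder.protocol === wanted ||
    (wanted === "http:" && embedder.protocol === "https:");
  // "*.example.com" matches subdomains only, never example.com itself.
  const hostOk = host.startsWith("*.")
    ? embedder.hostname.endsWith(host.slice(1))
    : embedder.hostname === host;
  const defaultPort = DEFAULT_PORT[embedder.protocol];
  const portOk = port === "*" || (embedder.port || defaultPort) === (port || defaultPort);
  return schemeOk && hostOk && portOk;
}

// headers: response headers of the site you want to frame (names are case-insensitive).
function canBeFramedBy(headers, embedderUrl, resourceUrl) {
  const embedder = new URL(embedderUrl);
  const resource = new URL(resourceUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const allowed = ancestors.some((s) => sourceMatches(s, embedder, resource));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: embedder.origin === resource.origin, decidedBy: "x-frame-options" };
  }
  // No framing header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample data: every origin and header value here is a placeholder.
const APP = "https://unqork-env.example"; // stands in for your environment's origin
const SITE = "https://widgets.partner.example/form";
const samples = {
  allowsApp: {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' " + APP,
    "X-Frame-Options": "DENY",
  },
  sameOriginOnly: { "X-Frame-Options": "SAMEORIGIN" },
  blocksAll: { "content-security-policy": "frame-ancestors 'none'" },
  noHeaders: {},
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, canBeFramedBy(headers, APP, SITE));
}
```

If the result is not allowed, the change has to be made on the source site; no Frame Source or Frame Ancestor entry in Unqork overrides it.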

Offline Mode

The Enable Offline setting enables offline access at the environment level. Enabling this setting lets you access offline mode tools and features. Enabling the Enable Offline setting does two things:

  • Automatically registers a service worker. Setting up this service worker lets your offline-enabled modules connect to the IndexedDB API.

  • Enables the Module Builder's Cache this Module to Allow for Offline Access setting.

TIP  To learn more about offline mode, view our Introduction to Offline Mode article.

To enable offline access at the environment level:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Offline Mode settings section of Environment Administration.
5. Select the Enable Offline checkbox.
6. At the bottom of the page, click Save Changes.

User Account Lockout

The User Account Lockout settings control how many login attempts Creators have before they are locked out of the Unqork Designer Platform. Administrators can specify the maximum number of attempts in a specific time frame, and the lockout duration after a Creator exceeds the maximum login attempts. After a Creator (User)'s account locks, they receive an email informing them of their account status.

Administrators can unlock user accounts early using the Creator (User) Administration page. To learn how to unlock user accounts, visit our Creator (User) Administration article.

| Setting | Description |
| --- | --- |
| Maximum Number of User Login Attempts | The number of failed login attempts allowed before a user's account is locked. Default 5. (Range 2-10) |
| User Account Lockout Duration | The amount of time (minutes) a user's account remains locked. Default 30. (Range 5-120) |
| User Login Attempt Duration | This is the total amount of time (minutes) between failed login attempts that can contribute to a user locking their account. Default 30. (Range 5-120) |

For example, with the default settings, a user can attempt to log in 5 times over the course of 30 minutes. If 30 minutes have not passed and they attempt to log in a sixth time, they are locked out of their account.
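
To see how the three settings interact, the following JavaScript models them. It is an added example, not Unqork's implementation. It assumes that only failures inside the attempt window count, that the attempt exceeding the maximum is rejected without checking the password, and that a successful login clears the failure history. It also counts how many failed logins a configuration lets through in 24 hours.

```javascript
// Added example: a model of the three User Account Lockout settings, not Unqork's code.
// Assumptions (not stated on the page): only failures inside the attempt window
// count, the attempt that exceeds the maximum is rejected without checking the
// password, and a successful login clears the failure history.

const DEFAULTS = { maxAttempts: 5, lockoutMinutes: 30, attemptWindowMinutes: 30 };
const STRICTEST = { maxAttempts: 2, lockoutMinutes: 120, attemptWindowMinutes: 120 };

function createAccount(settings = DEFAULTS) {
  let failures = [];   // timestamps (in minutes) of recent failed logins
  let lockedUntil = 0; // minute at which the current lockout ends
  return {
    // Returns "ok", "failed" or "locked" for a login attempt at minute `now`.
    attempt(now, passwordCorrect) {
      if (now < lockedUntil) return "locked";
      // Drop failures that have aged out of the User Login Attempt Duration.
      failures = failures.filter((t) => now - t < settings.attemptWindowMinutes);
      if (failures.length >= settings.maxAttempts) {
        lockedUntil = now + settings.lockoutMinutes;
        return "locked";
      }
      if (passwordCorrect) {
        failures = [];
        return "ok";
      }
      failures.push(now);
      return "failed";
    },
  };
}

// Counts how many wrong passwords are actually evaluated in 24 hours when one
// attempt arrives every minute: the guessing budget a configuration leaves open.
function evaluatedFailuresPerDay(settings = DEFAULTS) {
  const account = createAccount(settings);
  let evaluated = 0;
  for (let minute = 0; minute < 24 * 60; minute++) {
    if (account.attempt(minute, false) === "failed") evaluated++;
  }
  return evaluated;
}

// The page's example: five failed attempts pass, the sixth inside 30 minutes locks.
function pageExample() {
  const account = createAccount();
  return [0, 1, 2, 3, 4, 5].map((minute) => account.attempt(minute, false));
}

console.log(pageExample());
console.log("defaults:", evaluatedFailuresPerDay(DEFAULTS));
console.log("strictest:", evaluatedFailuresPerDay(STRICTEST));
```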

Express User Account Password

The Express User Account Password setting controls password creation for new Express users. Administrators can create passwords for new Express users or let Express users create their own passwords. To improve environment and application security, use the Let user set password on login setting.

NOTE  The Choose Password setting is only available to older environments.

| Setting | Description |
| --- | --- |
| Let user set password on login (recommended) | Users set their own Express account password. An email is sent to the user with a login link directing them to create a new password. The link expires 24 hours after generation. |
| Choose Password (deprecated) | Administrators manually set the password when creating or resetting Express User Accounts. NOTE  To increase environment security, avoid this option. |

Component Security

The Disable Safe HTML Filters in Content Components setting prevents use of the safehtml AngularJS filter in Content components. When set to ON, Content components bypass safehtml filters in Express View.

To enable bypassing safehtml filters for Content components:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Environment, select Environment Administration.
4. Navigate to the Component Security settings section of Environment Administration.
5. Select the Disable Safe HTML Filters in Content Components checkbox.
6. At the bottom of the page, click Save Changes.