Environment Administration
Overview
Environment Administration is where you can customize environment-related settings. For example, you can set up performance tracking, customize the site name, or set password requirements. Environment Administration is where you'll make all changes and customizations to your environment.
Environment Levels in Unqork
Environment levels (or stages) in Unqork support each phase of building and rendering applications. As customer applications advance through development, they generally pass through the following levels:
# | Environment Level | Description | Codebase |
---|---|---|---|
1 | Staging | Where Unqork Creators (also known as Unqork Users or Designer Users: anyone who is inside the Unqork platform) configure applications. This non-production environment level hosts test data only. This level is where you prepare updates before promoting to QA for testing. Unqork hosts the Staging environment internally. Staging offers both a Designer and Express View interface. | Staging |
2 | Quality Assurance (QA) | Where Unqork Creators test and verify processes and artifacts, and ensure applications are built using best practices. This non-production environment level hosts test data only. Unqork hosts the QA environment internally. QA offers both a Designer and Express View interface. | QA |
3 | User Acceptance Testing (UAT) | Where the Creators and end-users can view the latest build. End-users, also known as Express Users, are the individuals accessing an application through Express View. In most cases, end-users are the customers using the product. Use this environment level to test your application's end-user experience. This non-production environment hosts test data only. Unqork hosts the UAT environment internally. UAT offers both a Designer and Express View interface. | UAT |
4 | Production | This is the live application and the only environment level where end-users can access it. This level is also the only environment to host live client data. IMPORTANT Following SDLC best practices, development should never take place in Production. | Production |
NOTE Additional environments can also include Pre-Production (Pre-Prod) environment levels. Pre-Prod environments use the Production codebase. The progression order is Staging, QA, UAT, Pre-prod, and Production. Client leads decide the number of environments to use when developing a customer application.
TIP To learn more about environment stages, including the release process for platform updates, view our Software Development Life Cycle Processes article.
What You'll Learn
In this article, you'll learn about the organization of the Environment Administration page and how to customize your environment.
Accessing Environment Administration
To access the Environment Administration page:
1. At the top right of the Unqork Designer Platform, click Settings ▾.
2. Click Administration.
3. Under Environment, select Environment Administration.
After accessing the page, you'll see various settings and options you can use to customize your environment. The remainder of this article navigates you through these settings and teaches you how to use them.
Environment Administration Organization
This administration page is organized into twelve sections. Each section focuses on specific settings you can enable and disable to customize your environment.
General
This section focuses on the general settings you can use to customize your environment. These settings include creating a site name, enabling custom login and logout modules, and determining if you want to capture all request and response bodies.
Site Name
After you set up a site name, it displays in your browser tab. In the Site Name field, enter the name you want to display. Then, scroll to the bottom of the page and click Save Changes.
Hide Preview Bar by Default
In Express View, a preview bar displays at the top right of the screen. The preview bar lets you preview your application as a different role or with different styles.
Express View is how your end-users view your application. It also lets you preview your applications to test your configuration and view the styling. After configuring a module, click Preview in the Module Builder to interact with the module in Express View.
While you can manually hide or remove the preview bar in Express View, this setting keeps it hidden regardless. The reasons for hiding the preview bar include:
- Limiting end-user options and preventing end-users from changing role views or styles.
- Viewing or testing the application on a mobile device. The preview bar can take up space on a mobile screen. Hiding it can improve navigation.
To hide the preview bar in Express View:
1. To the right of the Hide Preview Bar by Default setting, select the checkbox.
2. At the bottom of the page, click Save Changes.
To display it again in Express View, uncheck the box and save your changes.
PagerDuty Key
You can use PagerDuty integration to receive alerts about server-side execution failures. When configured, PagerDuty sends alerts when errors occur in your Unqork application and provides details in the Unqork service logs.
IMPORTANT To use the PagerDuty integration, you must have a PagerDuty account.
To set up PagerDuty integration with Unqork:
1. Set up a PagerDuty service, using the instructions at the following link: https://support.pagerduty.com/docs/services-and-integrations.
2. When setting up the service, select Use our API Directly then Events API v2. PagerDuty generates an API key you can use in Unqork.
3. In the Environment Administration PagerDuty Key field, enter your API key.
4. At the bottom of the page, click Save Changes.
TIP You can also set up PagerDuty alerts for individual services in your application. To learn more, view our Services Administration article.
Enable Custom Login/Logout Modules
When enabled, this setting lets you connect or disconnect login and logout modules to applications. Disable the setting to prevent login and logout modules from being connected to or disconnected from applications.
To allow login and logout modules to be connected to applications:
1. To the left of the Enable Custom Login/Logout Modules setting, click .
2. At the bottom of the page, click Save Changes.
Default Module
The default module is the landing page of your environment. When someone enters your site's URL into the browser, this is the first page they see. Without a default module, end-users see an Error 404 page. You can only set one default module for your environment.
To set your default module:
1. From the Default Module drop-down, select a module.
2. At the bottom of the page, click Save Changes.
Server-Side Execution Request/Response Body Log
Remote execution, also called server-side execution, is a best practice for application security. Users with Designer access can see server-side execute logs at the following endpoint: https://{your-environment}.unqork.io/fbu/uapi/logs/services?type=remoteExecute.
The Server Side Execution Request/Response Body Log setting lets you choose what the log captures. You can select one of the following options:
- Capture all request/response bodies.
- Do not capture request/response bodies.
- Capture request/response bodies on failure.
To adjust what request and response bodies the log captures:
1. From the Server Side Execution Request/Response Body Log drop-down, select an option.
2. At the bottom of the page, click Save Changes.
TIP For more tips on using the Server-Side Execution Request/Response Body Log setting, view the Best Practices section of this article.
Server-Side Execution Debug Log
The Server-Side Execution Debug Log setting captures server-side execution requests and lets you enable debug logging.
You can select one of the following options:
- Never capture debug logging (default)
- Always capture debug logging
WARNING Enabling this feature might degrade application environment health and performance over time.
To enable server-side execution debug logs:
1. From the Server-Side Execution Debug Log drop-down, select an option.
2. At the bottom of the page, click Save Changes.
TIP For more tips on using the Server-Side Execution Debug Log setting, view the Best Practices section of this article.
Number of Days to Keep Tracker Records
Unqork creates tracker records when a module's tracker feature is enabled. These records capture the actions of end-users that interact with your module. Over time, this data grows and becomes expensive to store. To solve this problem, set the number of days to keep tracker records. After that set number of days, Unqork deletes tracker data from the database.
To set the number of days to keep tracker records:
1. In the No of Days to Keep Tracker Records field, enter the number of days to store the records. Leaving this field blank means that tracker records do not expire.
2. At the bottom of the page, click Save Changes.
Google Tag Manager
Unqork supports integration with Google Tag Manager for Google Analytics tag configurations. You can use tags for several purposes, including:
- Scroll tracking.
- Monitoring module submissions.
- Conducting surveys.
- Generating heat maps.
- Tracking how end-users arrive at your site.
TIP You can also use Google Tag Manager to add custom scripts to your application. To learn more, view our Environment Administration: Adding Custom Script Using Google Tag Manager article.
The Google Tag Manager section of the Environment Administration page includes three fields:
- GTM Container ID
- GTM Environment Authentication
- GTM Environment Preview
Only use the GTM Environment Authentication and GTM Environment Preview settings if you have multiple environments set up in Google Tag Manager. To learn more about environments in Google Tag Manager, see Google Tag Manager's Environments article: https://support.google.com/tagmanager/answer/6311518/environments?hl=en.
Another solution for running different tags in different Unqork environments is to create one Tag Container for each Unqork environment. Then, add the environment-specific Container ID to each environment's Environment Administration page.
To set up Google Tag Manager integration in Unqork:
1. In the GTM Container ID field, enter your Container ID.
TIP When you create a new Tag Container, Google Tag Manager prompts you to copy and paste the Tag Manager Snippet Script to every page of your website. Unqork performs this step for you. You only need to add the Container ID to your environment once.
2. At the bottom of the page, click Save Changes.
Unqork API
Unqork has its own API (application programming interface) that lets you request and send data between systems. APIs are a set of protocols and definitions developers use to build and integrate application software. APIs act as the connective tissue between products and services. To use the Unqork API, you must have an access token.
By enabling OAuth2 Password Grant in Environment Administration, your Unqork users can obtain an access token using their login credentials and make API calls.
To enable OAuth2 Password Grant:
1. To the right of the Enable OAuth2 Password Grant setting, click .
2. At the bottom of the page, click Save Changes.
TIP For more tips on using the Enable OAuth2 Password Grant setting, view the Best Practices section of this article.
Authentication
This section focuses on the authentication settings you can use to customize your environment. These settings include username and password requirements, anonymous user access, and SAML and OIDC configuration.
TIP To learn more about SSO (Single Sign-On), SAML, and OIDC authentication, view our Single Sign-On (SSO) Management articles.
Username & Password
This section focuses on the username and password settings you can use to customize your environment. These settings include disabling your environment's login page, enforcing password resets, and requiring specific characters and character length when users create a password.
Disable Login Screen
The Disable Login Screen setting prevents users from logging into Designer or Express View. This is helpful for administrators who plan to use login methods, like SSO (Single Sign-on). Enabling the Disable Login Screen setting sends users to a 403 - Access Denied page.
To enable the Disable Login Screen setting:
1. To the right of the Disable Login Screen setting, click .
2. At the bottom of the page, click Save Changes.
Password Requirements
To customize your environment's password requirements, use the following settings in this section. Then, save your changes.
Option | Description |
---|---|
Enter No of Days to Enforce Password Reset | Set the number of days after which end-users are forced to reset their password. The number must be a numerical value greater than 0. For example, you'll enter 5 instead of five. |
Minimum Length | Set the minimum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 8. |
Maximum Length | Set the maximum character length for an end-user's password. You can enter between 8 and 64. This option defaults to 64. |
Require Lowercase Letter | Select this checkbox if you want your end-user's password to have at least 1 lowercase letter. |
Require Uppercase Letter | Select this checkbox if you want your end-user's password to have at least 1 uppercase letter. |
Require Number | Select this checkbox if you want your end-user's password to have at least 1 integer. |
Require Symbol | Select this checkbox if you want your end-user's password to have at least 1 symbol. |
NOTE When you set password reset rules in your environment, they don't apply to Service users. Service users can create user credentials for API calls and authorizations. Service users access server-side logic instead of the front-end of your application. Password reset rules only apply to regular Express end-users.
TIP For more tips on using the Password Requirements settings, view the Best Practices section of this article.
Anonymous Access
The Disable Anonymous Access setting prevents unauthenticated users from accessing your applications. Disabling anonymous access allows for internal testing without exposing applications to the public. Enable the Disable Anonymous Access setting to redirect unauthenticated users to the login screen. Creators and administrators accessing anonymous modules are also redirected to the login screen for authentication. Creators and administrators can then use Designer permissions to simulate an anonymous user.
IMPORTANT This setting is incompatible with custom login and logout modules.
To enable the Disable Anonymous Access setting:
1. To the left of the Disable Anonymous Access setting, click .
2. At the bottom of the page, click Save Changes.
SAML
SAML (Security Assertion Markup Language) is one of the SSO methods Unqork supports. To learn more about using SAML for SSO, view our Unqork as a SAML Service Provider article.
Provider-Specific How-to Guides: Express View (SAML)
- Setting Up Microsoft Entra ID for SSO in Express View (SAML)
- Setting Up Okta for SSO in Express View (SAML)
Provider-Specific How-to Guides: Designer (SAML)
OIDC
OIDC (OpenID Connect) is one of the SSO methods Unqork supports. To learn more about using OIDC for SSO, view our OpenID Connect (OIDC) article.
Provider-Specific How-to Guides: Express View (OIDC)
- Setting Up Amazon Cognito for SSO in Express View (OIDC)
- Setting Up Microsoft Entra ID for SSO in Express View (OIDC)
- Setting Up Okta for SSO in Express View (OIDC)
API Rate Limiting
Administrators can limit the number of requests made per minute by the same end-user. API Rate Limiting minimizes security risk and improves performance. Limiting the number of requests per IP address decreases traffic from bad actors. A bad actor is a cybercriminal or organization that might attempt to exploit vulnerabilities in your environment or application. Common exploits used by bad actors include XSS (cross-site scripting) attacks, malware, ransomware, and more. The Number of Requests per IP Address setting lets you limit the number of requests from each IP address per server per 60 seconds.
To limit the number of requests per IP address:
1. In the Number of Requests per IP Address field, enter an integer. The minimum is 100 and the maximum is 1000000.
2. At the bottom of the page, click Save Changes.
TIP For more tips on using the API Rate Limiting setting, view the Best Practices section of this article.
Execution Limit
An execution limit is the number of retries a component or Workflow node attempts in a server-side execution. This setting is a helpful defense mechanism built into each environment.
IMPORTANT Server-side execution requests have a two-minute timeout. If the module being executed has a configuration containing lots of components or Workflow node executions, it might time out if the execution limit is too high.
Execution limits (or looping limits) prevent infinite loops in the form of two looping limit settings:
- Looping Limit for Component Execution: The looping limit specific to component executions. By default, this setting is set to 100 retries.
- Looping Limit for Workflow Node Execution: The looping limit specific to Workflow node executions. By default, this setting is set to 100 retries.
To change the execution limit for your components or Workflow nodes:
1. In the Looping Limit for Component Execution or Looping Limit for Workflow Node Execution fields, enter an integer.
2. At the bottom of the page, click Save Changes.
Express Session Administration
This section lets you determine when to end an end-user's session in Express View. When end-users log into an environment, they obtain an access token. This token verifies they have permission to log into your environment. But the token only remains active for a set amount of time. After that time, Unqork logs them out, and they must log in again.
If your end-user walks away from their device while remaining logged in, this setting prevents someone from obtaining your end-user's token and using it indefinitely.
To customize your environment's session requirements, use the following settings in this section. Then, save your changes.
Setting | Description |
---|---|
Expire User Sessions in Express | This drop-down menu provides you with two options: |
Inactivity Timeout | The amount of time an end-user can stay inactive in Express View before their token expires, in minutes. This value must be less than or equal to the Session Timeout. |
Session Timeout | The amount of time an end-user can remain logged into your environment (with or without activity) before their token expires, in minutes. |
TIP For more tips on using the Express Session Administration settings, view the Best Practices section of this article.
Express Content Security Policy (CSP)
Content Security Policy (CSP) is a security standard used to inform the browser to allow or block loading content for a given site. For example, let's say you set up an iframe in your Unqork application that displays content from another site. You can use CSP to inform the browser that it's safe to load content from that site in your Unqork application. By default, Unqork environments have strict CSP settings. These settings help protect against threats like data injection attacks. Only hostnames added to your CSP settings can load content in or from your Unqork application.
You can set up the following CSP directives in Environment Administration:
Directive | Description |
---|---|
Frame Source List (frame-src) | The frame-src directive lists the frames that can be embedded in Unqork, and what sources can load a <frame> or <iframe> element. |
Frame Ancestor List (frame-ancestors) | The frame-ancestors directive lists the frames that can embed Unqork, and what sources a <frame>, <iframe>, <object>, <embed>, or <applet> element can load from. For example, to set up an iframe in Unqork that displays content from another site, add the site's hostname (or domain name) to the Frame Ancestor list. NOTE Issues arise if a source has its own CSP directives or an X-Frame-Options header that conflicts with your CSP directives. For example, the site you try to load content from might block framing. Adding the site's hostname to your Frame Ancestor List doesn't override the source site's restrictions. If a frame doesn't work as expected, verify the source's CSP and X-Frame-Options don't conflict with your directives. |
Object Source List (object-src) | The object-src directive lists what sources can load an <object>, <embed>, or <applet> element. NOTE Mozilla recommends restricting the object-src directive. To learn more, view the Mozilla developer object-src documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src. |
TIP To learn more about each directive, view the Mozilla developer CSP documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
To add Content Security Policy directives:
1. In the Frame Source List field, list allowed sources, if required.
TIP To allow multiple sources, use a comma-separated list.
2. In the Frame Ancestor List field, list allowed sources, if required.
3. In the Object Source List field, list allowed sources, if required.
4. At the bottom of the page, click Save Changes.
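A pre-check for the conflict described in the NOTE above, written against standard browser CSP behaviour. This is an added example, not Unqork code: the function names, the `example-env.unqork.io` origin and the sample headers are constructed, and source matching is simplified (ports and paths are ignored).

```python
"""Will a browser show a third-party page framed inside an Express page?

Constructed inputs only; runs offline. In practice the header values come from
a response fetched from the site you want to embed.
"""
from urllib.parse import urlsplit

ENV_ORIGIN = "https://example-env.unqork.io"  # placeholder environment origin


def parse_source_field(field):
    """Split the comma-separated value typed into a CSP list field."""
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, origin, self_origin):
    """Simplified CSP source match: keywords, scheme, host, leading '*.'."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return origin.lower() == self_origin.lower()
    target = urlsplit(origin.lower())
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return target.scheme == src[:-1]
    parsed = urlsplit(src if "://" in src else "//" + src)
    if parsed.scheme and parsed.scheme != target.scheme:
        return False
    host = parsed.hostname or ""
    if host.startswith("*."):  # wildcard covers subdomains, not the bare domain
        return (target.hostname or "").endswith(host[1:])
    return host == target.hostname


def framing_problems(env_origin, frame_src_field, target_url, target_headers):
    """Return the reasons a browser would refuse to render target_url in a frame."""
    problems = []
    target = urlsplit(target_url)
    target_origin = f"{target.scheme}://{target.netloc}"

    # 1. The embedding environment's frame-src must list the target.
    allowed = parse_source_field(frame_src_field)
    if not any(source_matches(s, target_origin, env_origin) for s in allowed):
        problems.append("target not in Frame Source List")

    # 2. The target's own headers decide whether it may be framed at all.
    headers = {k.lower(): v for k, v in target_headers.items()}
    csp = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        ancestors = csp["frame-ancestors"]
        if not any(source_matches(s, env_origin, target_origin) for s in ancestors):
            problems.append("target frame-ancestors excludes this environment")
    else:
        xfo = headers.get("x-frame-options", "").strip().upper()
        same_origin = env_origin.lower() == target_origin.lower()
        if xfo == "DENY" or (xfo == "SAMEORIGIN" and not same_origin):
            problems.append(f"target sends X-Frame-Options: {xfo}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the widget site permits framing by *.unqork.io.
    print(framing_problems(
        ENV_ORIGIN, "maps.example.com, *.example.net",
        "https://maps.example.com/widget",
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors https://*.unqork.io"}))
    # Constructed sample: the portal forbids all framing and is not listed.
    print(framing_problems(
        ENV_ORIGIN, "maps.example.com",
        "https://portal.example.org/", {"X-Frame-Options": "DENY"}))
```

An empty result means neither side blocks the frame; each string names the side whose policy has to change.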
Offline Mode
The Enable Offline setting enables offline access at the environment level. Enabling this setting lets you access offline-mode tools and features to:
- Automatically register a service worker. Setting up this service worker lets your offline-enabled modules connect to the IndexedDB API.
- Enable the Module Builder's Cache this Module to Allow for Offline Access setting.
TIP To learn more about offline mode, view our Introduction to Offline Mode article.
To enable offline access at the environment level:
1. To the right of the Enable Offline setting, click .
2. At the bottom of the page, click Save Changes.
User Account Lockout
The User Account Lockout settings control how many login attempts Creators have before they are locked out of the Unqork Designer Platform. Administrators can specify maximum attempts in a specific time frame, including the lockout duration after exceeding the maximum attempts. After a Creator's account is locked, they receive an email informing them of their account status.
TIP Administrators can unlock user accounts earlier using the Creator (User) Administration page. To learn more about unlocking user accounts, visit our Creator (User) Administration article.
Setting | Description |
---|---|
Maximum Number of User Login Attempts | The number of failed login attempts allowed before a user's account is locked. By default, the value is 5, but you can enter a value between 2 and 10. |
User Account Lockout Duration | The amount of time a user's account remains locked, in minutes. By default, the value is 30, but you can enter a value between 5 and 120. |
User Login Attempt Duration | The total amount of time between failed login attempts before the user is locked out of their account, in minutes. By default, the value is 30, but you can enter a value between 5 and 120. For example, using all default settings, a user can attempt to log in five times over the course of 30 minutes. If a user attempts to log in a sixth time in those 30 minutes, they are locked out of their account. |
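The three lockout settings replayed over a log of failed logins, so candidate values can be compared before you save them. This is an added example, not Unqork's implementation: the sliding-window counting, the `LockoutPolicy` and `Account` names, and the constructed timestamps are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5      # Maximum Number of User Login Attempts (2-10)
    lockout_minutes: int = 30  # User Account Lockout Duration (5-120)
    window_minutes: int = 30   # User Login Attempt Duration (5-120)

    def __post_init__(self):
        # Reject values the settings page itself would not accept.
        if not 2 <= self.max_attempts <= 10:
            raise ValueError("max_attempts must be between 2 and 10")
        for name in ("lockout_minutes", "window_minutes"):
            if not 5 <= getattr(self, name) <= 120:
                raise ValueError(f"{name} must be between 5 and 120")


@dataclass
class Account:
    failures: list = field(default_factory=list)  # minutes of recent failures
    locked_until: int = 0                         # minute the lock is lifted


def record_failure(policy, account, minute):
    """Apply one failed login; return 'failed', 'locked' or 'rejected'."""
    if minute < account.locked_until:
        return "rejected"  # the account is already locked
    # Assumption: only failures inside the trailing window are counted.
    account.failures = [t for t in account.failures
                        if minute - t < policy.window_minutes]
    account.failures.append(minute)
    if len(account.failures) > policy.max_attempts:
        account.locked_until = minute + policy.lockout_minutes
        account.failures.clear()
        return "locked"
    return "failed"


def replay(policy, failed_minutes):
    """Replay a sorted list of failed-login minutes; return each outcome."""
    account = Account()
    return [record_failure(policy, account, m) for m in failed_minutes]


def first_lock(policy, failed_minutes):
    """Minute at which the account locks, or None if it never does."""
    for minute, outcome in zip(failed_minutes, replay(policy, failed_minutes)):
        if outcome == "locked":
            return minute
    return None


# Constructed logs: minutes (since the first event) of failed logins for one user.
LOG_A = [0, 5, 10, 15, 20, 25, 40, 55]
LOG_B = [0, 7, 14, 21, 28, 35, 42]

if __name__ == "__main__":
    print(replay(LockoutPolicy(), LOG_A))
    for policy in (LockoutPolicy(), LockoutPolicy(max_attempts=3),
                   LockoutPolicy(window_minutes=120)):
        print(policy, "-> locks at minute", first_lock(policy, LOG_B))
```

With the defaults, the sixth failure in `LOG_A` triggers the lock, matching the table's example, while `LOG_B` only locks once the attempt count is lowered or the attempt window is widened.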
Express User Account Password
The Express User Account Password setting controls password creation for new Express users. Administrators can create passwords for new Express users or let Express users create their own passwords. To improve environment and application security, you'll use the Let User Set Password on Login setting. After making changes, save them.
IMPORTANT The Choose Password setting is only available to older environments.
Setting | Description |
---|---|
Let User Set Password on Login (Recommended) | Users set their own Express account password. An email is sent to the user with a login link directing them to create a new password. The link expires 24 hours after generation. |
Choose Password (Deprecated) | Administrators manually set the password when creating or resetting Express user accounts. IMPORTANT To increase environment security, we recommend avoiding this option. |
Component Security
The Disable Safe HTML Filters in Content Components setting prevents use of the safehtml AngularJS filter in Content components. When enabled, Content components bypass safehtml filters in Express View.
To enable bypassing safehtml filters for Content components:
1. To the right of the Disable Safe HTML Filters in Content Components setting, click .
2. At the bottom of the page, click Save Changes.
Best Practices
Server-Side Execution Request/Response Body and Debug Logs
The Server Side Execution Request/Response Body Log enables the logging of request and response bodies for all the server-side execution modules.
- In production environments, disable logging by selecting the option Do Not Capture Request/Response Bodies. This prevents logs from capturing and storing PII (personally identifiable information) data. PII is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
- When debugging, enable Always Capture Debug Logging to capture logs for troubleshooting, then turn the setting off once the debugging is finished.
Enable OAuth2 Password Grant
Disable the Enable OAuth2 Password Grant setting for all users. Create a dedicated Express Service user for API access. Disabling this setting prevents phishing attacks and increases security for users.
Password Requirements
- Enforce a strong password policy in all environments. A short or weak password is vulnerable to brute-forcing or password spraying attacks.
- In the Minimum Length field, set a minimum password length of at least 12 characters. The default setting for the minimum password length is 8 characters.
- It's also a best practice to select the Require Lowercase Letter, Require Uppercase Letter, Require Number, and Require Symbol options.
API Rate Limiting
Improve integration security by limiting the API rate. For the API Rate Limiting settings, you have the option to limit the number of API requests from any single IP per server per 60 seconds.
The smallest number of requests you can enter is 100, while the largest is 1,000,000. But it's recommended to set this to a lower number. By setting your limit to a lower number, you reduce the likelihood of automated attacks, like brute-force searches, enumerations, or HTTP request flooding. HTTP (Hypertext Transfer Protocol) is an application-layer protocol used to transmit hypermedia documents like HTML.
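What "per server per 60 seconds" means for the ceiling one IP address actually sees, both here and in the API Rate Limiting section earlier. This is an added example, not Unqork's limiter: the fixed 60-second window, the round-robin balancing, the server counts and the traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import cycle

MIN_LIMIT, MAX_LIMIT = 100, 1_000_000  # bounds of Number of Requests per IP Address
WINDOW_SECONDS = 60


def validate_limit(value):
    """Accept only values the settings field accepts."""
    if not isinstance(value, int) or not MIN_LIMIT <= value <= MAX_LIMIT:
        raise ValueError(f"limit must be an integer from {MIN_LIMIT} to {MAX_LIMIT}")
    return value


class PerServerLimiter:
    """Fixed-window counter keyed by client IP; one instance per server."""

    def __init__(self, limit):
        self.limit = validate_limit(limit)
        self.counts = defaultdict(int)  # (ip, window index) -> requests seen

    def allow(self, ip, second):
        key = (ip, second // WINDOW_SECONDS)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def accepted_per_ip(limit, server_count, requests):
    """Replay (second, ip) requests through round-robin balanced servers."""
    servers = [PerServerLimiter(limit) for _ in range(server_count)]
    accepted = defaultdict(int)
    for server, (second, ip) in zip(cycle(servers), requests):
        if server.allow(ip, second):
            accepted[ip] += 1
    return dict(accepted)


# Constructed traffic for one minute: a noisy client (10 requests per second)
# followed by an ordinary client (one request every two seconds).
TRAFFIC = ([(i // 10, "203.0.113.7") for i in range(600)]
           + [(2 * i, "198.51.100.20") for i in range(30)])

if __name__ == "__main__":
    for server_count in (1, 3):
        print(server_count, "server(s):", accepted_per_ip(100, server_count, TRAFFIC))
```

Because each server counts on its own, the environment-wide ceiling for a single IP is the configured value multiplied by the number of servers handling its requests, which is a reason to choose the lower end of the range.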
Express Session Administration
Enforce a strong session management policy. Do this by implementing 2 changes to the Express Session Administration setting section:
1. From the Expire User Sessions in Express drop-down menu, select Expiration on Browser Quit. By selecting this option, you set all browser cookies to session cookies. Once the browsing session ends, your browser automatically deletes session cookies.
2. Set your Inactivity Timeout and Session Timeout to a lower number. Setting a shorter amount of time for the session to timeout increases security. It does this by reducing the likelihood and amount of time a malicious actor can use a stolen session.