Security & Access Control settings
URL of consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.
Generates structured audit logs in FHIR AuditEvent format.
Enable access control for the /Mapping/<mapping-id>/$apply operation. If enabled, access control will be applied to the resulting transaction. If disabled, only access to the $apply endpoint is verified.
Enable Cross-Origin Resource Sharing (CORS) request handling.
Comma-separated list of origins in the form [schema]://[domain]:[port]. The default is the wildcard value "*".
Defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.
Recommended value:
Skip JWT token validation process.
The RS256 signing algorithm requires a private key for signing the JWT and a public key for verifying it.
The RS256 signing algorithm requires a private key for signing the JWT and a public key for verifying it.
The HS256 signing algorithm needs only a single secret for both operations.
Creates local user accounts automatically when valid external JWT tokens are presented but no matching user exists.
This configuration is used when the skip-jwt-validation setting is enabled. It is a string that contains an EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}
Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.
Removes security labels from resource responses before returning them to clients. When enabled, prevents sensitive security metadata from being exposed in API responses while maintaining access control enforcement internally. Useful for hiding security implementation details from end users.
Activates hierarchical access control based on organizational structure. Restricts user access to resources based on their organizational affiliation and hierarchy position.
This setting enables the SU header functionality. The SU header allows a user to substitute the User ID for the duration of the request. Only the administrator is allowed to use the SU header.
Activates debugging features for access policy development, including the _debug=policy URL parameter. Returns detailed policy evaluation traces showing why requests were allowed or denied. For development environments only - not recommended for production systems.
Secret key for encryption API.
Refer to the
ID: security.grant-page-url
Type: String
Default value: /auth/grant
Environment variables: BOX_SECURITY_GRANT_PAGE_URL, BOX_AUTH_GRANT__PAGE__URL
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.audit-log.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_AUDIT_LOG_ENABLED, AIDBOX_SECURITY_AUDIT__LOG_ENABLED
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: false (setting requires system restart)
ID: security.iam.mapping.enable-access-control
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_IAM_MAPPING_ENABLE_ACCESS_CONTROL, BOX_FEATURES_MAPPING_ENABLE__ACCESS__CONTROL
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.encrypt-secret
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_ENCRYPT_SECRET, AIDBOX_ENCRYPT_KEY
Sensitive: true (value will be masked in Admin UI)
Set via: Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.cors.enabled
Type: Bool
Default value: true
Environment variables: BOX_SECURITY_CORS_ENABLED, BOX_WEB_CORS_ENABLED
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.cors.origins
Type: String
Default value: *
Environment variables: BOX_SECURITY_CORS_ORIGINS, BOX_WEB_CORS_ORIGINS
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.content-security-policy-header
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER, AIDBOX_CONTENT_SECURITY_POLICY_HEADER
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.skip-jwt-validation
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_SKIP_JWT_VALIDATION, BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.auth.keys.public
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_PUBLIC, BOX_AUTH_KEYS_PUBLIC
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: false (setting requires system restart)
ID: security.auth.keys.private
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_PRIVATE, BOX_AUTH_KEYS_PRIVATE
Sensitive: true (value will be masked in Admin UI)
Set via: Environment variables
Hot reload: false (setting requires system restart)
ID: security.auth.keys.secret
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_SECRET, BOX_AUTH_KEYS_SECRET
Sensitive: true (value will be masked in Admin UI)
Set via: Environment variables
Hot reload: false (setting requires system restart)
ID: security.introspection-create-user
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_INTROSPECTION_CREATE_USER, BOX_FEATURES_AUTHENTICATION_INTROSPECTION_CREATE__USER
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.auth-with-not-validated-jwt
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_WITH_NOT_VALIDATED_JWT, BOX_FEATURES_AUTHENTICATION_AUTH__WITH__NOT__VALIDATED__JWT
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: false (setting requires system restart)
ID: security.lbac.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_LBAC_ENABLED, BOX_FEATURES_SECURITY__LABELS_ENABLE
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.lbac.strip-labels
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_LBAC_STRIP_LABELS, BOX_FEATURES_SECURITY__LABELS_STRIP__LABELS
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.orgbac.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_ORGBAC_ENABLED, BOX_FEATURES_ORGBAC_ENABLE
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: false (setting requires system restart)
ID: security.debug-su-enable
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_DEBUG_SU_ENABLE, BOX_DEBUG_SU_ENABLE
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
ID: security.dev-mode
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_DEV_MODE, AIDBOX_DEV_MODE
Sensitive: false (value will be visible in plaintext in Admin UI)
Set via: Admin UI → Settings, Environment variables
Hot reload: true (setting can be changed at runtime)
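An added example, not part of the product documentation: a Python check that reads a deployment's environment file and reports which of the settings above are left in a state worth reviewing before production (wildcard or malformed CORS origins, JWT validation skipped, dev mode on). The precedence between the two variable names, the Bool parsing and the optional port are assumptions, and the sample input is constructed.

```python
import re
# Primary and legacy variable names, as listed in the tables on this page.
NAMES = {
    "security.cors.enabled": ("BOX_SECURITY_CORS_ENABLED", "BOX_WEB_CORS_ENABLED"),
    "security.cors.origins": ("BOX_SECURITY_CORS_ORIGINS", "BOX_WEB_CORS_ORIGINS"),
    "security.skip-jwt-validation": ("BOX_SECURITY_SKIP_JWT_VALIDATION",
                                     "BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION"),
    "security.dev-mode": ("BOX_SECURITY_DEV_MODE", "AIDBOX_DEV_MODE"),
}
# Defaults stated on the page; "(no default)" settings are treated as unset.
DEFAULTS = {"security.cors.enabled": "true", "security.cors.origins": "*"}
# [schema]://[domain]:[port], with the port treated as optional (assumption).
ORIGIN = re.compile(r"^[a-z][a-z0-9+.-]*://[^\s/:]+(:\d{1,5})?$", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def setting(env, sid):
    """Assumption: the first listed variable name wins when both are set."""
    for name in NAMES[sid]:
        if name in env:
            return env[name]
    return DEFAULTS.get(sid)

def is_true(value):
    # Assumption: only the literal "true" (any case) enables a Bool setting.
    return value is not None and value.lower() == "true"

def audit(text):
    """Return the IDs of settings whose effective value deserves review."""
    env, findings = parse_env(text), []
    if is_true(setting(env, "security.cors.enabled")):
        origins = setting(env, "security.cors.origins").split(",")
        if any(o.strip() == "*" or not ORIGIN.match(o.strip()) for o in origins):
            findings.append("security.cors.origins")
    for sid in ("security.skip-jwt-validation", "security.dev-mode"):
        if is_true(setting(env, sid)):
            findings.append(sid)
    return findings

# Constructed sample (not from the page): CORS origins left at "*", dev mode on.
SAMPLE = "BOX_SECURITY_DEV_MODE=true\nBOX_WEB_CORS_ENABLED=true\n"
```

Calling `audit(SAMPLE)` returns the setting IDs to review, in the order the checks run.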