Security & Access Control
Security & Access Control settings
Grant page URL
URL of the consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.
ID: security.grant-page-url
Type: String
Default value: /auth/grant
Environment variables: BOX_SECURITY_GRANT_PAGE_URL, BOX_AUTH_GRANT__PAGE__URL
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Enable audit log
Aidbox produces audit logs in FHIR AuditEvent format for significant events.
ID: security.audit-log.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_AUDIT_LOG_ENABLED, AIDBOX_SECURITY_AUDIT__LOG_ENABLED
Sensitive: false (can be set via UI and environment variable)
Hot reload: false (requires Aidbox restart)
Enable access control for mapping
Enable access control for the /Mapping/<mapping-id>/$apply operation. If enabled, access control will be applied to the resulting transaction. If disabled, only access to $apply endpoints is verified.
ID: security.iam.mapping.enable-access-control
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_IAM_MAPPING_ENABLE_ACCESS_CONTROL, BOX_FEATURES_MAPPING_ENABLE__ACCESS__CONTROL
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Encryption API secret
Secret key for the encryption API.
ID: security.encrypt-secret
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_ENCRYPT_SECRET, AIDBOX_ENCRYPT_KEY
Sensitive: true (can be set only via environment variable)
Hot reload: true (can be changed at runtime)
Allow CORS requests
Enable Cross-Origin Resource Sharing (CORS) request handling.
ID: security.cors.enabled
Type: Bool
Default value: true
Environment variables: BOX_SECURITY_CORS_ENABLED, BOX_WEB_CORS_ENABLED
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Allow CORS requests from origins
Comma-separated list of origins in the form [schema]://[domain]:[port]. The default is the wildcard value "*".
ID: security.cors.origins
Type: String
Default value: *
Environment variables: BOX_SECURITY_CORS_ORIGINS, BOX_WEB_CORS_ORIGINS
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Content security policy header
This configuration defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.
Refer to the OWASP Content Security Policy Cheat Sheet
Recommended value:
ID: security.content-security-policy-header
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER, AIDBOX_CONTENT_SECURITY_POLICY_HEADER
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Skip JWT validation
Skip the JWT token validation process.
ID: security.skip-jwt-validation
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_SKIP_JWT_VALIDATION, BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
JWT public key
The RS256 signing algorithm requires a private key for signing the JWT and a public key for verifying it.
ID: security.auth.keys.public
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_PUBLIC, BOX_AUTH_KEYS_PUBLIC
Sensitive: false (can be set via UI and environment variable)
Hot reload: false (requires Aidbox restart)
JWT private key
The RS256 signing algorithm requires a private key for signing the JWT and a public key for verifying it.
ID: security.auth.keys.private
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_PRIVATE, BOX_AUTH_KEYS_PRIVATE
Sensitive: true (can be set only via environment variable)
Hot reload: false (requires Aidbox restart)
JWT secret
The HS256 signing algorithm needs only a secret, which is used for both operations.
ID: security.auth.keys.secret
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_KEYS_SECRET, BOX_AUTH_KEYS_SECRET
Sensitive: true (can be set only via environment variable)
Hot reload: false (requires Aidbox restart)
Create user for foreign token
Create a user when a foreign JWT access token is used and the user does not already exist.
ID: security.introspection-create-user
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_INTROSPECTION_CREATE_USER, BOX_FEATURES_AUTHENTICATION_INTROSPECTION_CREATE__USER
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Auth with non-validated JWT
This configuration is used when the skip-jwt-validation setting is enabled. It is a string that contains an EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}
ID: security.auth-with-not-validated-jwt
Type: String
Default value: (no default)
Environment variables: BOX_SECURITY_AUTH_WITH_NOT_VALIDATED_JWT, BOX_FEATURES_AUTHENTICATION_AUTH__WITH__NOT__VALIDATED__JWT
Sensitive: false (can be set via UI and environment variable)
Hot reload: false (requires Aidbox restart)
Enable LBAC
Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.
ID: security.lbac.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_LBAC_ENABLED, BOX_FEATURES_SECURITY__LABELS_ENABLE
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Strip security labels
Remove security labels from the outcome.
ID: security.lbac.strip-labels
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_LBAC_STRIP_LABELS, BOX_FEATURES_SECURITY__LABELS_STRIP__LABELS
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Enable organization-based hierarchical access control
Hierarchical organization-based access control in Aidbox allows for the restriction of access to data based on the organization to which it belongs.
ID: security.orgbac.enabled
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_ORGBAC_ENABLED, BOX_FEATURES_ORGBAC_ENABLE
Sensitive: false (can be set via UI and environment variable)
Hot reload: false (requires Aidbox restart)
Enable SU header
This setting enables SU header functionality. The SU header allows a user to substitute the User ID for the duration of the request. Only the administrator is allowed to use the SU header.
ID: security.debug-su-enable
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_DEBUG_SU_ENABLE, BOX_DEBUG_SU_ENABLE
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
Enable Aidbox developer mode
Enables _debug=policy for access policy debugging.
ID: security.dev-mode
Type: Bool
Default value: (no default)
Environment variables: BOX_SECURITY_DEV_MODE, AIDBOX_DEV_MODE
Sensitive: false (can be set via UI and environment variable)
Hot reload: true (can be changed at runtime)
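Added example (not part of the Aidbox documentation): a small Python linter that takes the environment variable names listed on this page and reports the settings worth reviewing before a deployment, including the default wildcard CORS origin. The "true"/"false" spelling of Bool values, the choice of which of the two variable names is read first, and the sample values are assumptions.

```python
from urllib.parse import urlsplit

# Primary variable name -> alternative name, both copied from this page.
ALIASES = {
    "BOX_SECURITY_SKIP_JWT_VALIDATION": "BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION",
    "BOX_SECURITY_DEBUG_SU_ENABLE": "BOX_DEBUG_SU_ENABLE",
    "BOX_SECURITY_DEV_MODE": "AIDBOX_DEV_MODE",
    "BOX_SECURITY_AUDIT_LOG_ENABLED": "AIDBOX_SECURITY_AUDIT__LOG_ENABLED",
    "BOX_SECURITY_CORS_ENABLED": "BOX_WEB_CORS_ENABLED",
    "BOX_SECURITY_CORS_ORIGINS": "BOX_WEB_CORS_ORIGINS",
}
# Switches that bypass token validation or expose debugging aids when on.
RISKY_WHEN_TRUE = ("BOX_SECURITY_SKIP_JWT_VALIDATION", "BOX_SECURITY_DEBUG_SU_ENABLE", "BOX_SECURITY_DEV_MODE")

def is_true(value):
    # Assumption: Bool settings are written as the strings "true"/"false".
    return value is not None and value.strip().lower() == "true"

def audit(env):
    """Return sorted findings for a dict of environment variables."""
    findings, cfg = [], {}
    for name, alias in ALIASES.items():
        if name in env and alias in env and env[name] != env[alias]:
            findings.append(f"{name} and {alias} are set to different values")
        # Assumption: which name wins is not documented; the first is used here.
        cfg[name] = env.get(name, env.get(alias))
    for name in RISKY_WHEN_TRUE:
        if is_true(cfg[name]):
            findings.append(f"{name} is enabled")
    if not is_true(cfg["BOX_SECURITY_AUDIT_LOG_ENABLED"]):
        findings.append("BOX_SECURITY_AUDIT_LOG_ENABLED is not enabled")
    # Per the page, CORS defaults to enabled and origins default to "*".
    if is_true(cfg["BOX_SECURITY_CORS_ENABLED"] or "true"):
        for origin in (cfg["BOX_SECURITY_CORS_ORIGINS"] or "*").split(","):
            origin = origin.strip()
            parts = urlsplit(origin)
            if origin == "*":
                findings.append("CORS origins contain the wildcard *")
            elif parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
                findings.append(f"CORS origin {origin} is not scheme://host[:port]")
    return sorted(findings)

# Constructed sample: a development-style environment.
SAMPLE = {
    "BOX_SECURITY_SKIP_JWT_VALIDATION": "true",
    "BOX_SECURITY_DEV_MODE": "false",
    "AIDBOX_DEV_MODE": "true",
    "BOX_WEB_CORS_ORIGINS": "https://app.example.org:8443, portal.example.org",
}
```

Calling audit(SAMPLE) returns four findings; calling audit(dict(os.environ)) inside the container checks a live deployment.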