Security & Access Control

Security & Access Control settings

Grant page URL

URL of the consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.

ID

security.grant-page-url

Type

String

Default value

/auth/grant

Environment variable

BOX_SECURITY_GRANT_PAGE_URL

Deprecated environment variables

BOX_AUTH_GRANT__PAGE__URL

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Enable FHIR audit log

Generates structured audit logs in FHIR AuditEvent format.

ID

security.audit-log.enabled

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_AUDIT_LOG_ENABLED

Deprecated environment variables

AIDBOX_SECURITY_AUDIT__LOG_ENABLED

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

false — setting requires system restart

Enable access control for mapping

Enables access control for the /Mapping/<mapping-id>/$apply operation. If enabled, access control is applied to the resulting transaction. If disabled, only access to the $apply endpoint is verified.

ID

security.iam.mapping.enable-access-control

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_IAM_MAPPING_ENABLE_ACCESS_CONTROL

Deprecated environment variables

BOX_FEATURES_MAPPING_ENABLE__ACCESS__CONTROL

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Encryption API secret

Secret key for the encryption API.

ID

security.encrypt-secret

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_ENCRYPT_SECRET

Deprecated environment variables

AIDBOX_ENCRYPT_KEY

Sensitive

true — value will be masked in Admin UI

Set via

Environment variables

Hot reload

true — setting can be changed at runtime

Allow CORS requests

Enable Cross-Origin Resource Sharing (CORS) request handling.

ID

security.cors.enabled

Type

Bool

Default value

true

Environment variable

BOX_SECURITY_CORS_ENABLED

Deprecated environment variables

BOX_WEB_CORS_ENABLED

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Allow CORS requests from origins

Comma-separated list of origins in the form [schema]://[domain]:[port]. The default is the wildcard value "*".

ID

security.cors.origins

Type

String

Default value

*

Environment variable

BOX_SECURITY_CORS_ORIGINS

Deprecated environment variables

BOX_WEB_CORS_ORIGINS

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Content security policy header

Defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.

Refer to the OWASP Content Security Policy Cheat Sheet.

Recommended value:

default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self';

ID

security.content-security-policy-header

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER

Deprecated environment variables

AIDBOX_CONTENT_SECURITY_POLICY_HEADER

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime
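An added check, not part of the Aidbox documentation: it parses the recommended value above and lists what that policy still permits. Which directives to inspect is this example's assumption; base-uri, form-action and frame-ancestors are checked for presence because they do not inherit from default-src.

```python
# Recommended value copied from the setting description above.
RECOMMENDED = (
    "default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; "
    "connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; "
    "img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self';"
)
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}
FETCH_CHECKED = ("script-src", "style-src")                   # fall back to default-src
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")  # never fall back

def parse_csp(policy):
    """Split a policy into {directive: [sources]}; the first duplicate wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit_csp(policy):
    """Return (directive, issue) pairs for weak script/style sources and unset directives."""
    directives = parse_csp(policy)
    findings = []
    for name in FETCH_CHECKED:
        # With neither the directive nor default-src present, nothing is restricted.
        sources = directives.get(name, directives.get("default-src", ["*"]))
        findings += [(name, s.lower()) for s in sources if s.lower() in WEAK_SOURCES]
    findings += [(name, "not set") for name in NO_FALLBACK if name not in directives]
    return findings

if __name__ == "__main__":
    for directive, issue in audit_csp(RECOMMENDED):
        print(f"{directive}: {issue}")
```

The findings for the recommended value show that inline script, eval and inline styles remain allowed, and that form submission targets are not restricted.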

Skip JWT validation

Skips the JWT validation process.

ID

security.skip-jwt-validation

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_SKIP_JWT_VALIDATION

Deprecated environment variables

BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

JWT public key

The RS256 signing algorithm requires a private key for signing JWTs and a public key for verifying them.

ID

security.auth.keys.public

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_AUTH_KEYS_PUBLIC

Deprecated environment variables

BOX_AUTH_KEYS_PUBLIC

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

false — setting requires system restart

JWT private key

The RS256 signing algorithm requires a private key for signing JWTs and a public key for verifying them.

ID

security.auth.keys.private

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_AUTH_KEYS_PRIVATE

Deprecated environment variables

BOX_AUTH_KEYS_PRIVATE

Sensitive

true — value will be masked in Admin UI

Set via

Environment variables

Hot reload

false — setting requires system restart

JWT secret

The HS256 signing algorithm needs only a single secret for both signing and verification.

ID

security.auth.keys.secret

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_AUTH_KEYS_SECRET

Deprecated environment variables

BOX_AUTH_KEYS_SECRET

Sensitive

true — value will be masked in Admin UI

Set via

Environment variables

Hot reload

false — setting requires system restart

Auto-create users from foreign tokens

Creates local user accounts automatically when valid external JWT tokens are presented but no matching user exists.

ID

security.introspection-create-user

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_INTROSPECTION_CREATE_USER

Deprecated environment variables

BOX_FEATURES_AUTHENTICATION_INTROSPECTION_CREATE__USER

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Auth with non-validated JWT

This configuration is used when the skip-jwt-validation setting is enabled. It is a string that contains an EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}

ID

security.auth-with-not-validated-jwt

Type

String

Default value

(no default)

Environment variable

BOX_SECURITY_AUTH_WITH_NOT_VALIDATED_JWT

Deprecated environment variables

BOX_FEATURES_AUTHENTICATION_AUTH__WITH__NOT__VALIDATED__JWT

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

false — setting requires system restart

Enable LBAC

The Label-based Access Control (LBAC) engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.

ID

security.lbac.enabled

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_LBAC_ENABLED

Deprecated environment variables

BOX_FEATURES_SECURITY__LABELS_ENABLE

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Strip security labels

Removes security labels from resource responses before returning them to clients. When enabled, prevents sensitive security metadata from being exposed in API responses while maintaining access control enforcement internally. Useful for hiding security implementation details from end users.

ID

security.lbac.strip-labels

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_LBAC_STRIP_LABELS

Deprecated environment variables

BOX_FEATURES_SECURITY__LABELS_STRIP__LABELS

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Enable organization-based hierarchical access control

Activates hierarchical access control based on organizational structure. Restricts user access to resources based on their organizational affiliation and hierarchy position.

ID

security.orgbac.enabled

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_ORGBAC_ENABLED

Deprecated environment variables

BOX_FEATURES_ORGBAC_ENABLE

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

false — setting requires system restart

Enable SU header

This setting enables SU header functionality. The SU header allows a user to substitute the User ID for the duration of the request. Only the administrator is allowed to use the SU header.

ID

security.debug-su-enable

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_DEBUG_SU_ENABLE

Deprecated environment variables

BOX_DEBUG_SU_ENABLE

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime

Enable Aidbox developer mode

Activates debugging features for access policy development, including the _debug=policy URL parameter and the x-debug header. Returns detailed policy evaluation traces showing why requests were allowed or denied. For development environments only; not recommended for production systems.

ID

security.dev-mode

Type

Bool

Default value

false

Environment variable

BOX_SECURITY_DEV_MODE

Deprecated environment variables

AIDBOX_DEV_MODE

Sensitive

false — value will be visible in plaintext in Admin UI

Set via

Admin UI → Settings, Environment variables

Hot reload

true — setting can be changed at runtime
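A pre-deployment review of the settings on this page, as an added example that is not part of Aidbox: it reads the environment and reports values a production review should question. Variable names and defaults are copied from the page; the "true"/"false" spelling of booleans, the fallback to a deprecated name when the current one is unset, and the choice of which values to flag are assumptions of this example.

```python
import os

# (setting ID, current variable, deprecated variable, default) copied from the page.
SETTINGS = [
    ("security.skip-jwt-validation", "BOX_SECURITY_SKIP_JWT_VALIDATION",
     "BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION", "false"),
    ("security.dev-mode", "BOX_SECURITY_DEV_MODE", "AIDBOX_DEV_MODE", "false"),
    ("security.debug-su-enable", "BOX_SECURITY_DEBUG_SU_ENABLE", "BOX_DEBUG_SU_ENABLE", "false"),
    ("security.audit-log.enabled", "BOX_SECURITY_AUDIT_LOG_ENABLED",
     "AIDBOX_SECURITY_AUDIT__LOG_ENABLED", "false"),
    ("security.cors.enabled", "BOX_SECURITY_CORS_ENABLED", "BOX_WEB_CORS_ENABLED", "true"),
    ("security.cors.origins", "BOX_SECURITY_CORS_ORIGINS", "BOX_WEB_CORS_ORIGINS", "*"),
    ("security.content-security-policy-header", "BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER",
     "AIDBOX_CONTENT_SECURITY_POLICY_HEADER", ""),  # "" stands for "(no default)"
]

def audit(env):
    """Return (setting ID, reason) pairs for values a production review should question."""
    value, findings = {}, []
    for sid, current, deprecated, default in SETTINGS:
        if deprecated in env:
            findings.append((sid, f"deprecated variable {deprecated}; use {current}"))
        # Assumption: a deprecated name still takes effect when the current one is unset.
        value[sid] = env.get(current, env.get(deprecated, default)).strip()
    on = lambda sid: value[sid].lower() == "true"  # assumed boolean spelling
    if on("security.skip-jwt-validation"):
        findings.append(("security.skip-jwt-validation", "JWT validation is skipped"))
    if on("security.dev-mode"):
        findings.append(("security.dev-mode", "policy debug traces are exposed"))
    if on("security.debug-su-enable"):
        findings.append(("security.debug-su-enable", "SU header user substitution is on"))
    if not on("security.audit-log.enabled"):
        findings.append(("security.audit-log.enabled", "no FHIR AuditEvent log"))
    origins = [o.strip() for o in value["security.cors.origins"].split(",")]
    if on("security.cors.enabled") and "*" in origins:
        findings.append(("security.cors.origins", "CORS allows any origin"))
    if not value["security.content-security-policy-header"]:
        findings.append(("security.content-security-policy-header", "no CSP header set"))
    return findings

if __name__ == "__main__":
    for sid, reason in audit(os.environ):
        print(f"{sid}: {reason}")
```

Run with no variables set, it reports the three defaults a review would revisit: the audit log is off, CORS accepts any origin, and no CSP header is sent.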
