Security & Access Control

Security & Access Control settings

Grant page URL

URL of consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.

ID	security.grant-page-url
Type	String
Default value	/auth/grant
Environment variables	BOX_SECURITY_GRANT_PAGE_URL , BOX_AUTH_GRANT__PAGE__URL
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Enable audit log

Aidbox produces audit logs in FHIR AuditEvent format for significant events.

ID	security.audit-log.enabled
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_AUDIT_LOG_ENABLED , AIDBOX_SECURITY_AUDIT__LOG_ENABLED
Sensitive	false — can be set via Ul and environment variable
Hot reload	false — requires Aidbox restart

Enable access control for mapping

Enable access control for /Mapping//$apply operation. If enabled, access control will be applied to the resulting transaction. If disabled, only access to $apply endpoints are verified.

ID	security.iam.mapping.enable-access-control
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_IAM_MAPPING_ENABLE_ACCESS_CONTROL , BOX_FEATURES_MAPPING_ENABLE__ACCESS__CONTROL
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Encryption API secret

Secret key for encryption API. Learn more

ID	security.encrypt-secret
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_ENCRYPT_SECRET , AIDBOX_ENCRYPT_KEY
Sensitive	true — can be set only via environment variable
Hot reload	true — can be changed at runtime

Allow CORS requests

Enable Cross-Origin Resource Sharing (CORS) request handling.

ID	security.cors.enabled
Type	Bool
Default value	true
Environment variables	BOX_SECURITY_CORS_ENABLED , BOX_WEB_CORS_ENABLED
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Allow CORS requests from origins

Comma separated list of origins [schema]://[domain]:[port] Default is wildcard value "*"

ID	security.cors.origins
Type	String
Default value	*
Environment variables	BOX_SECURITY_CORS_ORIGINS , BOX_WEB_CORS_ORIGINS
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Content security policy header

This configuration defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.

Refer to the OWASP Content Security Policy Cheat Sheet

Recommended value: `` default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self'; ``

ID	security.content-security-policy-header
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER , AIDBOX_CONTENT_SECURITY_POLICY_HEADER
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Skip JWT validation

Skip JWT token validation process.

ID	security.skip-jwt-validation
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_SKIP_JWT_VALIDATION , BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

JWT public key

RS256 signing algorithm expects providing private key for signing JWT and public key for verifying it.

ID	security.auth.keys.public
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_AUTH_KEYS_PUBLIC , BOX_AUTH_KEYS_PUBLIC
Sensitive	false — can be set via Ul and environment variable
Hot reload	false — requires Aidbox restart

JWT private key

RS256 signing algorithm expects providing private key for signing JWT and public key for verifying it.

ID	security.auth.keys.private
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_AUTH_KEYS_PRIVATE , BOX_AUTH_KEYS_PRIVATE
Sensitive	true — can be set only via environment variable
Hot reload	false — requires Aidbox restart

JWT secret

HS256 signing algorithm needs only having a secret for both operations.

ID	security.auth.keys.secret
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_AUTH_KEYS_SECRET , BOX_AUTH_KEYS_SECRET
Sensitive	true — can be set only via environment variable
Hot reload	false — requires Aidbox restart

Create user for foreign token

Create a user when using foreign JWT access token and the user does not already exist.

ID	security.introspection-create-user
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_INTROSPECTION_CREATE_USER , BOX_FEATURES_AUTHENTICATION_INTROSPECTION_CREATE__USER
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Auth with non-validated JWT

This configuration is used when skip-jwt-validation setting is enabled. It's a string that contains EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}

ID	security.auth-with-not-validated-jwt
Type	String
Default value	(no default)
Environment variables	BOX_SECURITY_AUTH_WITH_NOT_VALIDATED_JWT , BOX_FEATURES_AUTHENTICATION_AUTH__WITH__NOT__VALIDATED__JWT
Sensitive	false — can be set via Ul and environment variable
Hot reload	false — requires Aidbox restart

Enable LBAC

Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.

ID	security.lbac.enabled
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_LBAC_ENABLED , BOX_FEATURES_SECURITY__LABELS_ENABLE
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Strip security labels

Remove security labels from the outcome.

ID	security.lbac.strip-labels
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_LBAC_STRIP_LABELS , BOX_FEATURES_SECURITY__LABELS_STRIP__LABELS
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Enable organization-based hierarchical access control

Hierarchical organization-based access control in Aidbox allows for the restriction of access to data based on the organization to which it belongs.

ID	security.orgbac.enabled
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_ORGBAC_ENABLED , BOX_FEATURES_ORGBAC_ENABLE
Sensitive	false — can be set via Ul and environment variable
Hot reload	false — requires Aidbox restart

Enable SU header

This setting enables SU header functionality. SU header allows a user to substitute User ID for the duration of the request. Only the administrator is allowed to use the SU header.

ID	security.debug-su-enable
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_DEBUG_SU_ENABLE , BOX_DEBUG_SU_ENABLE
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime

Enable Aidbox developer mode

Enables _debug=policy for access policy debugging.

ID	security.dev-mode
Type	Bool
Default value	(no default)
Environment variables	BOX_SECURITY_DEV_MODE , AIDBOX_DEV_MODE
Sensitive	false — can be set via Ul and environment variable
Hot reload	true — can be changed at runtime