Disable Features
If certain features of the Engine are not required by the deployed projects, those features should be disabled.
Optional features
The following features can be disabled if they are not used by the deployed projects:
  # ivy.webserver.yaml with all optional features disabled
  REST.Servlet:
    # If none of the deployed projects provide REST APIs it is also possible to disable the whole REST servlet
    Enabled: false

    # REST resources for the mobile app under '/{application}/api/workflow'
    # If the Mobile Workflow REST API is not used on your engine (e.g. by the Axon Ivy Mobile App) you can disable it
    MobileWorkflow.API: false

    # REST resource for remote deployment under '/system/api/apps/{application}'
    # If remote deployment is not used on your engine you can disable it
    # The REST Deployment is used from the deployment feature of the Engine Cockpit
    Deployment: false

  # If the Mobile Offline Dialogs are not used on your engine (most of the time) you can disable them
  OfflineDialog.Enabled: false
Security Features
The following feature flags affect security. Their defaults are the secure choice and should not be changed. These flags are set in ivy.yaml and ivy.webserver.yaml (which is a part of ivy.yaml).
Errors.ShowDetailsToEndUsers should always be set to false, so that no exception details are shown to end users.
REST.Servlet.CSRF.Protection should always be set to true, so that the REST APIs require a Cross-Site Request Forgery (CSRF) token by default. See Secure REST APIs for more information about secure REST API configuration.
Session.RenewIdOnLogin should always be set to true, so that the session id is renewed after login.
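A small audit script for the three flags above, added here as an example and not part of the Axon Ivy Engine or its documentation. It assumes the contents of ivy.yaml and ivy.webserver.yaml have already been loaded into Python dicts (for instance with PyYAML's yaml.safe_load, which is deliberately not imported so the example runs offline); the sample dicts below are constructed. Because Axon Ivy YAML accepts both nested maps and dotted keys, both forms are flattened to dotted paths before comparison, and a flag that is not set at all is treated as "engine default, fine" rather than as a finding.

```python
"""Audit Axon Ivy configuration maps for the security flags listed above.

Added example, not Axon Ivy code. Assumes ivy.yaml / ivy.webserver.yaml
have already been parsed into dicts (e.g. with yaml.safe_load).
"""

# Expected values, exactly as the documentation states them.
SECURE_DEFAULTS = {
    "Errors.ShowDetailsToEndUsers": False,
    "REST.Servlet.CSRF.Protection": True,
    "Session.RenewIdOnLogin": True,
}


def flatten(tree, prefix=""):
    """Turn nested maps and dotted keys into one flat map of dotted paths.

    {"REST": {"Servlet": {"CSRF": {"Protection": True}}}} and
    {"REST.Servlet.CSRF.Protection": True} both become the same flat entry.
    """
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def _as_bool(value):
    """Normalise quoted 'true'/'false' strings so they compare like booleans."""
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    return value


def audit(*configs):
    """Return a list of (key, expected, actual) for flags set to an insecure value.

    Later configs override earlier ones (ivy.webserver.yaml after ivy.yaml).
    A flag that is absent keeps the engine's secure default and is not reported.
    """
    merged = {}
    for cfg in configs:
        merged.update(flatten(cfg))
    findings = []
    for key, expected in SECURE_DEFAULTS.items():
        if key not in merged:
            continue
        actual = _as_bool(merged[key])
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed sample: an ivy.yaml where exception details were switched on
# (nested form) and a webserver part using the dotted-key form.
SAMPLE_IVY_YAML = {
    "Errors": {"ShowDetailsToEndUsers": True},  # weakened on purpose
    "Session.RenewIdOnLogin": True,
}
SAMPLE_WEBSERVER_YAML = {
    "REST.Servlet.CSRF.Protection": True,
}

if __name__ == "__main__":
    for key, expected, actual in audit(SAMPLE_IVY_YAML, SAMPLE_WEBSERVER_YAML):
        print(f"{key}: expected {expected}, found {actual}")
```

Run it against the dicts produced by your YAML loader; an empty result means every one of the three flags is either unset or at its documented secure value.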
By default, all cookies (including the session cookies JSESSIONID and IVYSESSIONID-*) have the SameSite cookie attribute set to Lax. You can disable or harden these same-site cookie restrictions in context.xml.