Disable Features
If certain features of the Engine are not required by the deployed projects, those features should be disabled.
Optional features
The following features can be disabled if they are not used by the deployed projects:
```yaml
# ivy.webserver.yaml with all optional features disabled
REST.Servlet:
  # If none of the deployed projects provide REST APIs it is also possible to disable the whole REST servlet
  Enabled: false

  # REST resources provided by the Axon Ivy Engine under '/{securityContext}/api/workflow'
  # If no third parties need to access the Axon Ivy Engine via the REST API you can disable it.
  API: false

  # REST resource for remote deployment under '/system/api/apps/{application}'
  # If remote deployment is not used on your engine you can disable it
  # The REST Deployment is used from the deployment feature of the Engine Cockpit
  Deployment: false

# If the Mobile Offline Dialogs are not used on your engine (most of the time) you can disable them
OfflineDialog.Enabled: false
```
Security Features
The following features affect security. Their defaults are the secure choice and should not be changed. These feature flags are set in the ivy.yaml.

Errors.ShowDetailsToEndUsers
should always be set to false, so that no exception details are shown to end users.

REST.Servlet.CSRF.Protection
should always be set to true, so that the REST APIs require a Cross-Site Request Forgery (CSRF) token by default. See Secure REST APIs for more information about secure REST API configuration.

Session.RenewIdOnLogin
should always be set to true, so that the session id is renewed after login.
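As an added example (not part of the Axon Ivy documentation or product), the following script audits an ivy.yaml for the three flags above and reports only explicit deviations from the secure value; an absent key is treated as the secure default being in effect. It assumes the file uses the indentation-based key/value subset shown on this page (nested or dotted keys, scalar values) and parses it without PyYAML so it runs offline.

```python
# Added example: audit ivy.yaml security flags. Not Axon Ivy code.
# Assumes the simple "Key: value" / nested-map subset of YAML used in ivy.yaml.

REQUIRED = {
    "Errors.ShowDetailsToEndUsers": False,
    "REST.Servlet.CSRF.Protection": True,
    "Session.RenewIdOnLogin": True,
}

def parse_flat(text):
    """Parse nested 'Key: value' lines into {'A.B.C': value}; '#' comments and blanks are skipped."""
    flat, stack = {}, []          # stack holds (indent, key) for enclosing maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # assumption: no '#' inside values
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave maps that ended
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        value = value.strip()
        if value == "":                          # 'Key:' opens a nested map
            stack.append((indent, key))
        else:
            flat[path] = {"true": True, "false": False}.get(value.lower(), value)
    return flat

def audit(text):
    """Return (key, expected, actual) for each flag explicitly set to an insecure value."""
    flat = parse_flat(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = flat.get(key)   # None: key absent, secure default applies
        if actual is not None and actual != expected:
            findings.append((key, expected, actual))
    return findings

# Constructed sample ivy.yaml with two flags deliberately set to insecure values.
SAMPLE_IVY_YAML = """\
Errors.ShowDetailsToEndUsers: true
REST.Servlet:
  CSRF:
    Protection: true
Session.RenewIdOnLogin: false
"""

if __name__ == "__main__":
    for key, expected, actual in audit(SAMPLE_IVY_YAML):
        print(f"{key}: expected {expected}, found {actual}")
```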
By default, all cookies (including the session cookies JSESSIONID and IVYSESSIONID) have the same-site cookie attribute set to the value lax. You can disable or harden these cookie restrictions in context.xml.
TLS
TLS versions 1.2 and 1.3 are enabled by default. You can disable TLS version 1.2 by setting the Java system property jdk.tls.client.protocols to the value "TLSv1.3" in the configuration/jvm.options file. See also the property jdk.tls.disabledAlgorithms, which can be set in the JVM's conf/security/java.security file, for more options.