User Manual

12.09.2025


Set Parameter: Security.json

## Notes

When changing parameters, please refer to "[Confirmation When Changing Parameters](/en/manual/parameter-edit)".

## Limitations

### About Depts/Groups set in IpRestrictionExcludeMembers

If you allow access to Pleasanter on a department/group basis, using the "[Department Management Function](/en/manual/dept)" or "[Group Management Function](/en/manual/group)" to delete or disable the relevant department/group, or to delete the users belonging to it, will result in those users no longer being able to access Pleasanter. If a user with important administrative privileges, such as a tenant manager, loses access to Pleasanter in this way, it may be necessary to change the IP address of the device they are using or to reconfigure "Security.json". Please be careful when deleting/disabling departments/groups set in IpRestrictionExcludeMembers, or when deleting users belonging to them.

*If you are not restricting access by IP address using AllowIpAddresses, there is no need to consider the above limitation.

## Setting Values

The setting values of this parameter file are as follows.

|Parameter name|e.g.|Description|
|:--|:--|:--|
|AllowIpAddresses|["10.10.10.10", "10.10.10.20", "10.10.1.0/24"]|Used to restrict access by IP address. Specify the source IP addresses you want to allow, either as individual IP addresses or in CIDR notation. If null, there is no restriction by IP address.|
|IpRestrictionExcludeMembers|["User1", "User100", "Dept1", "Group1"]|Can be set when an IP address is set in AllowIpAddresses. Access is allowed for users who meet the conditions specified in this parameter, even when the access comes from an IP address other than those set in AllowIpAddresses. For details, refer to "AllowIpAddresses/IpRestrictionExcludeMembers combination" below.|
|MimeTypeCheckOnApi|false||
|PrivilegedUsers|["Administrator", "AdminUser1", "AdminUser2"]|Specify the login IDs of "[Privileged Users](/en/manual/user-management-privileged-users)". A Privileged User can perform all operations, including operations on sites for which they do not have permission. Multiple users can be specified by separating them with commas.|
|RevealUserDisabled|false|Specify true if you want an error message stating that the user is disabled to be displayed at login.|
|LockoutCount|10|Automatically locks the account when the number of incorrect password entries exceeds the set number. Locked accounts must be unlocked in the user management screen. If set to 0, accounts are never locked.|
|PasswordExpirationPeriod|90|Specify the number of days used to calculate the password expiration date for local users. If set to 0, passwords do not expire.|
|JoeAccountCheck|true|Specify true to prohibit using the same value as login ID and password.|
|TokenCheck|false|Specify true to issue a token per session and reject POST requests that do not carry the token as invalid requests.|
|SecureCookies|false|Specify true to set the secure attribute on cookies in an environment that uses SSL/TLS communication.|
|DisableMvcResponseHeader|false|Specify true if you do not want the "X-AspNet-Mvc-Version" header included in the response headers. *Valid only for the .NET Framework version|
|DisableDeletingSiteAuthentication|false|Specify true to allow a site to be deleted without entering authentication information (login ID/password).|
|AccessControlAllowOrigin|["*"]|Specify the URLs of the sites allowed for cross-origin resource sharing (CORS). * allows all origins.|
|EnforcePasswordHistories|12|Specify how many previously set passwords are kept in the history. Reuse of a password in the history is prevented.|
|DisableCheckPasswordPolicyIfApi|false|Specify true to skip the password policy when creating a user through the API. Use this when you do not want to specify the password of the user being created, such as with LDAP authentication.|
|PasswordPolicies|See below for instructions on how to set it|Specify the password policies and their error messages. Multiple policies can be combined.|
|PasswordGenerator|true|Specify true to display the automatic password generation icon (key icon) on the right side of the password input field.|
|SecondaryAuthentication|See below for instructions on how to set it|Set Mode to enable two-step authentication.|
|AspNetCoreDataProtection|See below for instructions on how to set it|Settings for configuring ASP.NET Core data protection in a Microsoft Azure environment.|
|HttpStrictTransportSecurity|See below for instructions on how to set it|Applies the HTTP Strict Transport Security protocol and forces communication over HTTPS.|
|SecureCacheControl|See below for instructions on how to set it|Adds the Cache-Control header to the response headers.|
|ContentSecurityPolicy|See below for instructions on how to set it|Set Enabled to true when using the "Content Security Policy feature".|

### AllowIpAddresses/IpRestrictionExcludeMembers combination

Set AllowIpAddresses/IpRestrictionExcludeMembers using one of the combinations 1. to 3. below.

1. AllowIpAddresses: null / IpRestrictionExcludeMembers: null

   |Content|Target access|
   |:--|:--|
   |Connections that allow access|Access from any IP address|
   |Connections that restrict access|None|

2. AllowIpAddresses: IP addresses set / IpRestrictionExcludeMembers: null

   |Content|Target access|
   |:--|:--|
   |Connections that allow access|Access from the IP addresses set in AllowIpAddresses|
   |Connections that restrict access|Access from IP addresses other than those set in AllowIpAddresses|

3. AllowIpAddresses: IP addresses set / IpRestrictionExcludeMembers: user ID/department ID/group ID set according to the "IpRestrictionExcludeMembers configuration example" below

   |Content|Target access|
   |:--|:--|
   |Connections that allow access|①Access from the IP addresses set in AllowIpAddresses<br/>②Access from IP addresses other than those set in AllowIpAddresses, by users permitted in the format of the "IpRestrictionExcludeMembers configuration example" below|
   |Connections that restrict access|Access from IP addresses other than those set in AllowIpAddresses, by users other than those permitted in the format of the "IpRestrictionExcludeMembers configuration example" below|

#### IpRestrictionExcludeMembers configuration example

|Setting example|Result|
|:--|:--|
|["User1"]|Allows access for user ID 1.|
|["Dept1"]|Allows access for users belonging to department ID 1.|
|["Group1"]|Allows access for users belonging to group ID 1, and for users belonging to departments that belong to group ID 1.|

If you specify multiple IDs in IpRestrictionExcludeMembers separated by commas, such as ["User1","Dept1","Group1"], access is allowed for users that match any of them.
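To make the three combinations above and the User/Dept/Group prefix rules concrete, here is an added example written for this page (it is not Pleasanter's own code). It evaluates a request against a constructed Security.json fragment, and also applies the PasswordPolicies and JoeAccountCheck parameters from the Setting Values table. The `User` model, the `GROUP_DEPTS` mapping, the constructed error messages and all sample values are assumptions of the example; the regex policies reuse the example patterns the manual lists for Regex.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed Security.json fragment (assumption: not copied from any real
# deployment). Only the parameters exercised below are present.
SECURITY_JSON = {
    "AllowIpAddresses": ["10.10.10.10", "10.10.10.20", "10.10.1.0/24"],
    "IpRestrictionExcludeMembers": ["User1", "Dept1", "Group1"],
    "JoeAccountCheck": True,
    "PasswordPolicies": [
        {"Enabled": True, "Regex": ".{8,}", "Languages": {"en": "Password length must be at least 8 characters."}},
        {"Enabled": True, "Regex": "[a-z]+", "Languages": {"en": "At least one lowercase letter is required."}},
        {"Enabled": True, "Regex": "[A-Z]+", "Languages": {"en": "At least one capital letter is required."}},
        {"Enabled": True, "Regex": "[0-9]+", "Languages": {"en": "At least one number is required."}},
        {"Enabled": False, "Regex": "[^a-zA-Z0-9]+", "Languages": {"en": "At least one symbol is required."}},
    ],
}

# Hypothetical membership data; Pleasanter's user/dept/group tables are not
# reproduced. GROUP_DEPTS maps a group ID to the department IDs that belong to
# that group, which the manual says "GroupN" also covers.
GROUP_DEPTS: Dict[int, Set[int]] = {1: {3}}


@dataclass
class User:
    user_id: int
    login_id: str
    dept_id: Optional[int] = None
    group_ids: Set[int] = field(default_factory=set)


def source_allowed(ip: str, allow: Optional[List[str]]) -> bool:
    """AllowIpAddresses check: null means no restriction; otherwise the source
    address must fall inside one entry (a plain address or a CIDR block)."""
    if not allow:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow)


_MEMBER = re.compile(r"^(User|Dept|Group)(\d+)$")


def member_excluded(user: User, members: Optional[List[str]]) -> bool:
    """IpRestrictionExcludeMembers check: the user is exempt if ANY entry matches."""
    for entry in members or []:
        m = _MEMBER.match(entry)
        if not m:
            # Fail closed on a malformed entry rather than silently ignoring it.
            raise ValueError(f"unrecognised IpRestrictionExcludeMembers entry: {entry!r}")
        kind, num = m.group(1), int(m.group(2))
        if kind == "User" and user.user_id == num:
            return True
        if kind == "Dept" and user.dept_id == num:
            return True
        if kind == "Group" and (num in user.group_ids or user.dept_id in GROUP_DEPTS.get(num, set())):
            return True
    return False


def is_access_allowed(ip: str, user: User, cfg: dict = SECURITY_JSON) -> bool:
    """Combinations 1 to 3 from the manual: no list -> allow everyone; list only ->
    allow listed sources; list plus exclude members -> also allow matching users."""
    if source_allowed(ip, cfg.get("AllowIpAddresses")):
        return True
    # Only reached when AllowIpAddresses is set, so exclusions are meaningful here.
    return member_excluded(user, cfg.get("IpRestrictionExcludeMembers"))


def check_password(login_id: str, password: str, lang: str = "en", cfg: dict = SECURITY_JSON) -> List[str]:
    """Apply every enabled PasswordPolicies regex, then JoeAccountCheck.
    Returns the error messages for the requested language (empty list = accepted)."""
    errors = []
    for policy in cfg.get("PasswordPolicies") or []:
        if policy.get("Enabled") and not re.search(policy["Regex"], password):
            errors.append(policy["Languages"].get(lang, policy["Regex"]))
    if cfg.get("JoeAccountCheck") and password == login_id:
        errors.append("Login ID and password must not be the same.")  # constructed message
    return errors


if __name__ == "__main__":
    print(is_access_allowed("10.10.1.77", User(9, "alice")))           # inside 10.10.1.0/24
    print(is_access_allowed("192.168.0.5", User(9, "alice")))          # outside, not exempt
    print(is_access_allowed("192.168.0.5", User(9, "bob", dept_id=3)))  # dept 3 belongs to Group1
    print(check_password("alice", "alice"))
```

The order of checks mirrors the manual: the source address is tested first, and a null AllowIpAddresses short-circuits so that IpRestrictionExcludeMembers is never consulted. Unknown entry prefixes raise instead of being skipped, because a typo in this list would otherwise widen or narrow access silently. The password check returns every failing policy's message rather than stopping at the first one, which is what a user editing their password needs to see.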
### Set Password Policies

|Parameter name|e.g.|Description|
|:--|:--|:--|
|Enabled|true|Set whether to use this policy with true/false.|
|Regex|The setting method is described later.|Set, as a regular expression, the pattern that the password must match.|
|Languages|Any error message|Set the error message for each supported language.|

### Example of Regular Expressions Set in Regex

|Regular expression|Description|
|:--|:--|
|".{8,}"|Password length must be at least 8 characters.|
|"[a-z]+"|At least one lowercase alphabetic character is required.|
|"[A-Z]+"|At least one capital letter is required.|
|"[0-9]+"|At least one number is required.|
|"[^a-zA-Z0-9]+"|At least one character (symbol) other than letters and numbers is required.|

### Set SecondaryAuthentication

|Parameter name|e.g.|Description|
|:--|:--|:--|
|~~Enabled~~|~~true~~|~~Set whether to use this policy with true/false.~~ *1|
|Mode|"None"|Set whether to use the two-step authentication function.|
|NotificationType|"Mail"|Set the authentication method. Can be set to "Mail" or "Totp". *2|
|CountTolerances|1|Specify how many generations of the verification code are accepted when authenticating with TOTP. *2|
|NotificationMailBcc|true|Set whether to send the authentication code to the SupportFrom address by BCC with true/false.|
|AuthenticationCodeCharacterType|"Number"|Set the character type of the authentication code (Number: numbers only, Letter: letters only, NumberAndLetter: numbers and letters).|
|AuthenticationCodeLength|128|Set the number of characters in the authentication code.|
|AuthenticationCodeExpirationPeriod|300|Set the validity period of the authentication code in seconds.|

*1 Discontinued in Pleasanter 1.3.2.0 and later and in Pleasanter .NET Framework version 0.51.2 and later. Please use Mode as the alternative parameter.

*2 For details on each authentication method, please refer to the following manuals.
[Enable two-step authentication by email](https://pleasanter.org/manual/secondary-authentication)

[Enable two-step authentication by TOTP (Time-based One-Time Password)](https://pleasanter.org/manual/totp-authentication)

### Set Mode

|Set value|Description|
|:--|:--|
|None|Disables the two-step authentication feature.|
|DefaultEnable|Enables the two-step authentication function, with two-step authentication turned on for all users by default. You can turn it off for individual users from "[User Management](/en/manual/user-new-edit)".|
|DefaultDisable|Enables the two-step authentication function, with two-step authentication turned off for all users by default. You can turn it on for individual users from "[User Management](/en/manual/user-new-edit)".|

### Set AspNetCoreDataProtection

#### Where data protection keys are persisted

If both BlobContainerUri and KeyIdentifier are specified, the keys are persisted at the URL given by BlobContainerUri. If either or both of them are null, the keys are persisted to the DB.

#### About data protection in ASP.NET Core

For more information about ASP.NET Core data protection and how to configure it, please refer to the official Microsoft documentation.

[ASP.NET Core Data Protection Configuration](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview)

[Data Protection key management and lifetimes in ASP.NET Core](https://docs.microsoft.com/ja-jp/aspnet/core/security/data-protection/configuration/default-settings)

[Key storage providers in ASP.NET Core](https://docs.microsoft.com/ja-jp/aspnet/core/security/data-protection/implementation/key-storage-providers)

#### Parameter List

|Parameter name|e.g.|Description|
|:--|:--|:--|
|BlobContainerUri|"https://storagename.blob.core.<br>windows.net/containername"|Specify the URL of the Blob container in which the data protection key is persisted.|
|KeyIdentifier|"https://keyvault-name.vault.<br>azure.net/keys/key-name/...."|Specify the key identifier of the Azure Key Vault key used to encrypt (protect) the data protection key.|
|KeyFileName|"keys.xml"|Specify the file name under which the data protection key is persisted in the Blob container.|
|XmlAesKey|"a0b1c2..."|Specify the string from which the encryption key protecting the data protection key is generated. If null, the string is generated internally. If multiple Pleasanter instances run behind a load balancer and you set this parameter, specify the same string on every instance.|

### Set HttpStrictTransportSecurity

#### About HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web app requests through a response header. When a browser that supports HSTS receives this header:

- The browser stores a configuration for the domain that prevents it from sending any communication over HTTP; all communication is forced over HTTPS.
- The browser prevents users from proceeding with untrusted or invalid certificates; the prompts that would let a user temporarily trust such a certificate are disabled.

For details, please refer to the document below.

[HTTP Strict Transport Security Protocol (HSTS) | Microsoft Learn](https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl#http-strict-transport-security-protocol-hsts)

#### Parameter List

|Parameter name|e.g.|Description|
|:--|:--|:--|
|Enabled|true|Enables the HSTS feature.|
|Preload|false|Sets the preload parameter of the Strict-Transport-Security header. Preloading is not part of the RFC HSTS specification, but web browsers support preloading HSTS sites on fresh installations.|
|IncludeSubDomains|false|Enables includeSubDomains, which applies the HSTS policy to subdomains of the host as well.|
|MaxAge|30.00:00:00|Sets the max-age parameter of the Strict-Transport-Security header. If not set, the default is 30 days. Use the format "{days}.{hours}:{minutes}:{seconds}".|
|ExcludeHosts|["abc.example.com", "xyx.example.com"]|Specify, as an array, the hostnames to exclude from HSTS.|

### SecureCacheControl

|Parameter name|e.g.|Description|
|:--|:--|:--|
|NoCache|false|Adds the no-cache directive to the Cache-Control header.|
|NoStore|false|Adds the no-store directive to the Cache-Control header.|
|Private|false|Adds the private directive to the Cache-Control header.|
|MustRevalidate|false|Adds the must-revalidate directive to the Cache-Control header.|
|PragmaNoCache|false|Includes the Pragma: no-cache header in the response.|

*If any of NoCache, NoStore, Private and MustRevalidate is set to true, a Cache-Control header is added to the response.

*Please refer to the following documents for details of each directive.

[Cache-Control | MDN](https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Cache-Control)

[Pragma | MDN](https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Pragma)

### ContentSecurityPolicy

#### Parameter List

|Parameter name|e.g.|Description|
|:--|:--|:--|
|Enabled|false|Set to true or false to enable or disable the Content Security Policy (CSP) feature. *3 *5 *6|
|ReportOnlyEnabled|true|Set to true or false to enable or disable the Content Security Policy Report-Only feature. *4 *5|
|Values|Configuration method described below|Specify the directives to apply to the Content Security Policy feature.|

*3 When set to true, a detected policy violation is reported to the browser's console log and loading of the violating resource is blocked.

*4 When set to true, a detected policy violation is reported to the browser's console log.

*5 If a report-uri is specified, violation reports are sent to it.

*6 Before setting Enabled to true, first set ReportOnlyEnabled to true and confirm that there is no impact on the operation of Pleasanter.

### Values

|Parameter name|e.g.|Description|
|:--|:--|:--|
|default-src|'self'|Specifies the default source for loading resources.|
|script-src|'self' 'strict-dynamic'|Specifies the sources for loading scripts.|
|script-src-attr|'self' 'unsafe-inline'|Specifies the allowed sources for inline script attributes.|
|style-src|'self'|Specifies the sources for loading stylesheets.|
|style-src-attr|'self' 'unsafe-inline'|Specifies the allowed sources for inline style attributes.|
|style-src-elem|'self' 'unsafe-inline'|Specifies the allowed sources for style elements.|
|img-src|'self' data:|Specifies the sources for loading images.|
|font-src|'self' data:|Specifies the sources for loading fonts.|
|object-src|'none'|Specifies the sources for loading objects.|
|connect-src|'self'|Specifies the allowed URLs for external connections.|
|frame-src|'none'|Specifies the sources for loading frames.|
|base-uri|'self'|Specifies the allowed values for the base tag.|
|form-action|'self'|Specifies the allowed destinations for form submissions.|
|report-uri|/CspReport/Report|Specifies the URL to which violation reports are sent.|

For details about each directive's values, please refer to [MDN Web Docs: Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives).

If you change the directive values, set ReportOnlyEnabled to true first and confirm that there is no impact on the operation of Pleasanter.
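As an added example (written for this page, not part of the manual or of Pleasanter's source), the following Python assembles the response headers that the HttpStrictTransportSecurity, SecureCacheControl and ContentSecurityPolicy sections describe, from constructed Security.json fragments whose values mirror the example settings in the tables. The MaxAge parser, the order in which header parts are joined, the default of 30 days when MaxAge is absent, and the choice to emit both CSP headers when Enabled and ReportOnlyEnabled are both true are assumptions of this example.

```python
from typing import Dict, Optional

# Constructed Security.json sections (assumption: not from a real deployment).
HSTS = {
    "Enabled": True,
    "Preload": False,
    "IncludeSubDomains": True,
    "MaxAge": "30.00:00:00",
    "ExcludeHosts": ["abc.example.com"],
}
CACHE = {"NoCache": True, "NoStore": True, "Private": False, "MustRevalidate": True, "PragmaNoCache": True}
CSP = {
    "Enabled": False,
    "ReportOnlyEnabled": True,
    "Values": {
        "default-src": "'self'",
        "script-src": "'self' 'strict-dynamic'",
        "object-src": "'none'",
        "frame-src": "'none'",
        "base-uri": "'self'",
        "form-action": "'self'",
        "report-uri": "/CspReport/Report",
    },
}

DEFAULT_MAX_AGE_SECONDS = 30 * 24 * 3600  # manual: 30 days when MaxAge is not set


def parse_timespan(value: str) -> int:
    """Parse the "{days}.{hours}:{minutes}:{seconds}" MaxAge format into seconds.
    The days part is treated as optional so that "12:00:00" also parses (assumption)."""
    days = 0
    if "." in value:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(p) for p in value.split(":"))
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def hsts_header(cfg: dict, host: str) -> Optional[str]:
    """Strict-Transport-Security value for this host, or None when the feature is
    off or the host is listed in ExcludeHosts."""
    if not cfg.get("Enabled") or host in (cfg.get("ExcludeHosts") or []):
        return None
    max_age = parse_timespan(cfg["MaxAge"]) if cfg.get("MaxAge") else DEFAULT_MAX_AGE_SECONDS
    parts = [f"max-age={max_age}"]
    if cfg.get("IncludeSubDomains"):
        parts.append("includeSubDomains")
    if cfg.get("Preload"):
        parts.append("preload")
    return "; ".join(parts)


def cache_headers(cfg: dict) -> Dict[str, str]:
    """Cache-Control is only added when at least one of the four directives is true;
    Pragma: no-cache is independent of them."""
    directives = [name for key, name in (("NoCache", "no-cache"), ("NoStore", "no-store"),
                                         ("Private", "private"), ("MustRevalidate", "must-revalidate"))
                  if cfg.get(key)]
    headers = {}
    if directives:
        headers["Cache-Control"] = ", ".join(directives)
    if cfg.get("PragmaNoCache"):
        headers["Pragma"] = "no-cache"
    return headers


def csp_headers(cfg: dict) -> Dict[str, str]:
    """Enabled -> enforcing header; ReportOnlyEnabled -> report-only header.
    Assumption: both headers are emitted when both flags are true."""
    policy = "; ".join(f"{directive} {sources}" for directive, sources in cfg.get("Values", {}).items())
    headers = {}
    if policy and cfg.get("Enabled"):
        headers["Content-Security-Policy"] = policy
    if policy and cfg.get("ReportOnlyEnabled"):
        headers["Content-Security-Policy-Report-Only"] = policy
    return headers


def response_headers(host: str) -> Dict[str, str]:
    """Combine all three sections into the headers for one response to `host`."""
    headers = {}
    hsts = hsts_header(HSTS, host)
    if hsts:
        headers["Strict-Transport-Security"] = hsts
    headers.update(cache_headers(CACHE))
    headers.update(csp_headers(CSP))
    return headers


if __name__ == "__main__":
    for name, value in response_headers("app.example.com").items():
        print(f"{name}: {value}")
```

Running it for `app.example.com` yields a 30-day HSTS header with includeSubDomains, a `Cache-Control: no-cache, no-store, must-revalidate` header plus `Pragma: no-cache`, and only the Report-Only CSP header, which is the staging state footnote *6 recommends before enforcement. Requesting `abc.example.com` instead drops the HSTS header because that host is in ExcludeHosts.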
## Supported Versions

|Version|Details|
|:--|:--|
|From 1.4.19.0|Added ContentSecurityPolicy parameter|

## Related Information

- [Set Parameter: Confirmation When Changing Parameters](/en/manual/parameter-edit) (12.24.2025 up)
- [User Management Function: Creation and Update](/en/manual/user-new-edit) (06.26.2025 up)
- [User Management Function: Privileged User Settings](/en/manual/user-management-privileged-users) (08.14.2024 up)