# Security settings

## Accessing server security settings

Currently, server security settings are viewed and modified by editing the **Web.config** file in the Flow Server installation directory. Any change saved to this file causes the Flow Server to restart automatically, so the new settings take effect immediately; plan edits for a time when a restart is acceptable.

{% hint style="warning" %}
Always make a backup copy of the Web.config file *outside of* the Flow Server installation directory before making any changes to the configuration.
{% endhint %}

## Limiting WAN access to studio functionality

For Flow Server installations that are reachable on a public IP address, it is advisable to turn off WAN access to the Flow Studio APIs. End users can then still connect to the Flow Server from non-LAN IP addresses, but Flow Studio access is only allowed from LAN IP addresses.

To disable WAN access to studio functionality, open the Web.config file in the Flow Server installation directory, find the configuration key **blockStudioIfOutsideLocalNet** and change its value to **true**.

```markup
<add key="blockStudioIfOutsideLocalNet" value="true"/>
```

It is possible to configure a set of excepted hostnames that are allowed through even when WAN access is blocked. To configure such exceptions, add the hostnames as a comma-separated list in the **blockStudioIfOutsideLocalNetExcept** configuration key.

## Session time-out

For security and resource management reasons, the Flow Server automatically logs out sessions after a period of inactivity. By default, sessions that have been inactive for more than seven days are considered expired and can no longer be accessed.

#### **Configuring the session time-out parameter**

To configure a custom value for the session time-out parameter, edit the Web.config file located in the Flow Server installation directory. In the appSettings section of this file, locate or add the following configuration values:

**SittingTimeOut** – A value in DD:HH:MM:SS format (the leading day component can be omitted, as in the example below) specifying how long a session can be inactive before it is considered expired. \
The default value is seven days.

**SittingTimestampUpdateInterval** – A value in DD:HH:MM:SS format specifying the minimum interval at which user activity is registered in the Flow database. For Flow installations with a high density of transactions, a higher value here reduces database writes and improves the system's overall performance; the trade-off is that the recorded last-activity time can lag real activity by up to that interval. Note also that the sitting timestamp update interval must be less than the sitting time-out parameter. \
The default value is one hour.

Example: Session time-out of three hours, update interval of ten minutes

```markup
<add key="SittingTimeOut" value="03:00:00" /> 
<add key="SittingTimestampUpdateInterval" value="00:10:00"/> 
```

## Limiting the number of failed logins

The Flow Server can be configured to lock out user accounts after many failed login attempts. This reduces the risk of brute-force attacks (successive login attempts aimed at guessing a user's password).

The functionality is governed by a pair of settings in the Web.config file: **MaxFailedLoginAttempts** and **LockOutTimeAfterFailedLogins**.

The **MaxFailedLoginAttempts** key contains a positive integer specifying how many failed password attempts a user is allowed before the account is locked. By default, the value is set to 10.

The **LockOutTimeAfterFailedLogins** key contains a time span value (in the format HH:MM:SS) specifying the time, counted from the last failed login attempt, during which a locked-out user is blocked from further login attempts.

In the following example, a user would be locked after four successive failed login attempts, and locked users would be blocked from further login attempts for one hour. Note that a low threshold combined with a long lock-out time also lets anyone who knows a username lock that user out on purpose by submitting wrong passwords, so balance the two values against that risk.

```markup
<add key="MaxFailedLoginAttempts" value="4"/>  
<add key="LockOutTimeAfterFailedLogins" value="01:00:00"/>  
```
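
The three Web.config edits on this page (studio WAN blocking, session time-out and failed-login lockout) all touch the same appSettings section, so the following added example, written for this page and not part of the Flow Server product, audits those keys in one pass and applies the values recommended above. It works on a constructed sample Web.config embedded in the script rather than a real installation; it parses time spans in the colon-separated DD:HH:MM:SS / HH:MM:SS spelling the page describes (an assumption about how the server parses them), and it treats a missing **LockOutTimeAfterFailedLogins** as a finding because the page gives no default for it. The hostname `studio-admin.example.com` and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed sample Web.config (not a real Flow Server file). It carries the
# page's defaults and omits the lockout time, so the audit has something to report.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="blockStudioIfOutsideLocalNet" value="false"/>
    <add key="SittingTimeOut" value="07:00:00:00"/>
    <add key="SittingTimestampUpdateInterval" value="01:00:00"/>
    <add key="MaxFailedLoginAttempts" value="10"/>
  </appSettings>
</configuration>
"""


def parse_timespan(value):
    """Parse the colon-separated DD:HH:MM:SS or HH:MM:SS form the page
    describes. Assumption: the server accepts exactly this spelling."""
    parts = value.strip().split(":")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable time span: {value!r}")
    nums = [int(p) for p in parts]
    if len(nums) == 3:          # HH:MM:SS, no day component
        nums.insert(0, 0)
    days, hours, minutes, seconds = nums
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def app_settings(root):
    """Return the <appSettings> element, creating it if it is absent."""
    node = root.find("appSettings")
    if node is None:
        node = ET.SubElement(root, "appSettings")
    return node


def get_settings(xml_text):
    """Map every <add key=... value=.../> under appSettings to a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in app_settings(root).findall("add")}


def set_setting(root, key, value):
    """Update an existing key in place, or append a new <add/> element."""
    node = app_settings(root)
    for add in node.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            return
    ET.SubElement(node, "add", key=key, value=value)


def audit(xml_text, public_ip=True):
    """Return a list of findings; an empty list means the settings pass."""
    s = get_settings(xml_text)
    findings = []
    if public_ip and s.get("blockStudioIfOutsideLocalNet", "false").lower() != "true":
        findings.append("blockStudioIfOutsideLocalNet is not true on a public-facing server")
    try:
        timeout = parse_timespan(s.get("SittingTimeOut", "07:00:00:00"))
        interval = parse_timespan(s.get("SittingTimestampUpdateInterval", "01:00:00"))
        if interval >= timeout:
            findings.append("SittingTimestampUpdateInterval must be less than SittingTimeOut")
    except ValueError as exc:
        findings.append(str(exc))
    attempts = s.get("MaxFailedLoginAttempts", "10")
    if not attempts.isdigit() or int(attempts) < 1:
        findings.append("MaxFailedLoginAttempts must be a positive integer")
    lockout = s.get("LockOutTimeAfterFailedLogins")
    if lockout is None:
        findings.append("LockOutTimeAfterFailedLogins is not set (the page gives no default)")
    else:
        try:
            parse_timespan(lockout)
        except ValueError as exc:
            findings.append(str(exc))
    return findings


def harden(xml_text, studio_exceptions=(), session_timeout="03:00:00",
           update_interval="00:10:00", max_attempts=4, lockout="01:00:00"):
    """Return new Web.config text with the page's example values applied.
    The caller takes the backup and writes the file back; saving restarts the server."""
    if parse_timespan(update_interval) >= parse_timespan(session_timeout):
        raise ValueError("update interval must be less than session time-out")
    root = ET.fromstring(xml_text)
    set_setting(root, "blockStudioIfOutsideLocalNet", "true")
    if studio_exceptions:
        set_setting(root, "blockStudioIfOutsideLocalNetExcept", ",".join(studio_exceptions))
    set_setting(root, "SittingTimeOut", session_timeout)
    set_setting(root, "SittingTimestampUpdateInterval", update_interval)
    set_setting(root, "MaxFailedLoginAttempts", str(max_attempts))
    set_setting(root, "LockOutTimeAfterFailedLogins", lockout)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print("finding:", finding)
    print(harden(SAMPLE_WEB_CONFIG, studio_exceptions=["studio-admin.example.com"]))
```

Write the returned text back to Web.config only after taking the backup the warning above calls for, and expect the Flow Server to restart when the file is saved.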

#### Manually unlocking a locked account

Administrator users can manually unlock a locked user account from the Flow Studio. To do so, click the Environment tab, select the Users sub-tab, find the locked user and click the "Unlock" button.

