Use Security Settings to modify the security configuration for the solutions within your tenant.

Since AppBase version 6.7R2+ to access the Company Setup section, the user needs to have the role System: Allow Company Setup.

To get more info about AppBase roles, please, refer to this article Managing Roles


  1. On the top right, navigate to 
    → Company Setup
  2. On the left, navigate to Company → Security Settings
  3. Click on the Edit icon to edit any of the settings

ASP.NET Session Timeout

Display default ASP.NET Session Timeout for the AppBase.
If the user does not refresh or request a page within the time-out period, the ASP.Net session will expire due to inactivity.

Session Timeout

Sets the lifetime for the user session timeout

Session Sliding Expiration

Sliding expiration resets the expiration time for a valid authentication cookie if a user makes a request again during the session.

Require HttpOnly attribute

The HttpOnly attribute is a flag added to cookies and helps mitigate cross-site scripting (XSS) attacks.

Disable session timeout warning popup

Don't show a warning popup before the end of the user's session

Timeout warning popup before session expiration appearing value

Sets the time to display a warning popup before the end of the user's session

Force logout on session timeout

If the user was inactive during the session, then he will be forcibly logout

Security Token expiration timeout

Sets the lifetime for the Security Token

Web DAV Access Token expiration timeout

Since AppBase version 6.7 R2, you can configure a WebDAV token expiration timeout. This makes the WebDAV session independent from AppBase session. To see more details see Web DAV configure access token timeout below.

Lock sessions to the IP address/hostname from which they originated or from Local Network

Responsible for token IP validation, i.e. the session is for the same IP address.

Restrict access to javascript configuration to selected hostnames

Set a list of allowed hostnames (referrer) for the javascript configuration file (ConfigJS), otherwise, the user gets the status "Forbidden".

Allow cross-domain communication with AJAX request for selected domains.

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin.

For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.
White-list your partner's domain(URL) to allow to use AppBase scripts, pages, and other allowed resources.

Use comma characters to separate multiple URLs or use the wild character (*) to allow access to affected resources from any outside domains. Example https://localhost:4430,http://localhost:8080

Allow to render pages in a frame, iframe or object for selected domains (CSP)

By default, AppBase does not allow to render its pages inside external website's frames, iframes, and other containers. To achieve this kind of restriction AppBase uses content-security-policy and x-frame-options response headers.

If you want to render AppBase public or portal pages on any external website inside an iframe container you need to white-list your partner(s) URL(s).

Use comma characters to separate multiple URLs. Example https://localhost:4430,http://localhost:8080

API IP Whitelist

API IP Whitelist - a list of IP addresses that are granted access to use the AppBase API

Tenant Resource Validation

List the validations for files uploaded as resources (Pattern, Allow, Deny, Max File Size (Kb))

Contact support for additional instructions about the Resource upload validation configuration.

Web DAV Configures Access Token Timeout

In  AppBase 6.6.18 and AppBase 6.7 R2 configurable WebDAV token expiration timeout was introduced. It makes WebDAV sessions independent from AppBase sessions.

The timeout can be configured on the Company → Security Settings page.

Set any valid value for "Web DAV Access Token expiration timeout". See image below

To use this configurable Web DAV timeout some additional changes are required in the solution. 

Your solution must use getWebDAVAccessToken: function(url, domain, onSuccess, onFailure) site.js function instead of the old one getWebDavDocumentUrl: function(url, domain).


Tested for IE, CHROME, FIREFOX browsers:

//Call following function to get correct WebDAV url for your document
//provide cms document url, onSuccess and onFailure handler functions as argumnts
//you can pass an empty domain parameter value. In that case AppBase will calculate solution domain automatically
var u = Ecx.getWebDAVAccessToken(YOUR_CMS_URL, '', davSuccess, davFailure);
//onSuccess handler example. it will parse obj.WebDavUrl url and open it in ms word application
function davSuccess(args) {
    var obj = Ext.decode(args.responseText);
    var webDAVURL = obj.WebDavUrl;
    if (Ext.isIE) { // this is IE
        var ed;
        var progID = activeX_getProgID(webDAVURL);
        try {
            ed = new ActiveXObject('SharePoint.OpenDocuments.3'); // use version 2 for MS Office 2003 or 1 for older versions
        } catch (err) {
            window.alert(t('Unable to create an ActiveX object to open the document. This is most likely because of the security settings for your browser.'));
            return false;
        if (ed) {
            var result;
            try {
                result = ed.EditDocument(webDAVURL, progID);
            } catch (error) {
                window.alert(t('EditDocument error') +;
            if (!result) {
                window.alert(t('Cannot instantiate the required ActiveX control to open the document. This is most likely because you do not have Office installed or you have an older version of Office.'));
            return false;
        } else {
            window.alert(t('Cannot instantiate the required ActiveX control to open the document. This is most likely because you do not have Office installed or you have an older version of Office.'));
            return false;
    } else {
        try {
            var containerId = '_sharePointPluginContainer';
            var container = Ext.get(containerId);
            if (!container) {
                container = new Ext.Element(document.createElement('div'));
       = containerId;
                    width: '0px',
                    height: '0px',
                    position: 'absolute',
                    overflow: 'hidden',
                    top: '-1000px',
                    left: '-1000px'
            if (!container.first()) {
                var domObj = Ext.DomHelper.createDom({
                    tag: 'object',
                    type: 'application/x-sharepoint',
                    style: {
                        visibility: 'hidden',
                        width: '0px',
                        height: '0px'
                container.appendChild(new Ext.Element(domObj));
            var shpo = container.first().dom;
            if (!shpo.EditDocument(webDAVURL)) {
                window.alert(t('Cannot edit file.'));
                return false;
        } catch (error) {
            var linkId = '_sharePointLink',
                extension = webDAVURL.split('.').pop(),
                action = 'ofe',
                linkContainer = Ext.get(linkId),
                extensions = {
                    'xlsx': 'ms-excel',
                    'xls': 'ms-excel',
                    'docx': 'ms-word',
                    'dotm': 'ms-word',
                    'docm': 'ms-word',
                    'doc': 'ms-word'
            if (!linkContainer) {
                linkContainer = new Ext.Element(document.createElement('a'));
       = linkId;
                    width: '0px',
                    height: '0px',
                    position: 'absolute',
                    overflow: 'hidden',
                    top: '-1000px',
                    left: '-1000px'
            linkContainer.dom.href = extensions[extension] + ':' + action + '|u|' + webDAVURL;
//onFailure handler example
function davFailure(args) {
    alert('Error:' + args);
function activeX_getProgID(href) {
    var ext = href.substring(href.lastIndexOf('.') + 1);
    switch (ext) {
        case "ppt":
        case "pptx":
        case "ppsx":
        case "pot":
        case "potx":
        case "pptm":
            return "PowerPoint.Show";
        case "doc":
        case "docx":
        case "dot":
        case "dotx":
        case "dotm":
        case "docm":
        case "rtf": // Will it work?
            return "Word.Document";
        case "xls":
        case "xlt":
        case "xlsx":
        case "xlst":
        case "xlsm":
            return "Excel.Sheet";
            return ''