# -*- coding: utf-8 -*-
#
# pgAdmin server-side configuration (flat module of assignments; every
# value here is read as a plain Python constant).
# The `{{ ... }}` placeholders are template variables filled in before
# deployment — presumably by an Ansible/Jinja-style renderer, judging by the
# `open_asfa_` prefix; confirm against the deployment tooling. If a
# placeholder is left unrendered the file is not valid configuration.

# Application version suffix, e.g. 'beta1', 'dev'. Usually an empty string
# for GA releases.
APP_SUFFIX = ''

##########################################################################
# Server settings
##########################################################################

# True = multi-user web server deployment (as opposed to desktop mode).
# Several settings further down (inactivity timeout, mail, external auth)
# only apply in this mode.
SERVER_MODE = True

# Enable X-Frame-Option protection (clickjacking mitigation).
# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
# Note that "DENY" is NOT supported (and will be silently ignored).
# See https://tools.ietf.org/html/rfc7034 for more info.
X_FRAME_OPTIONS = "SAMEORIGIN"

# The Content-Security-Policy header allows you to restrict how resources
# such as JavaScript, CSS, or pretty much anything that the browser loads.
# see https://content-security-policy.com/#source_list for more info
# e.g. "default-src https: data: 'unsafe-inline' 'unsafe-eval';"
#
# NOTE(review): the value below allows `http:` sources and both
# 'unsafe-inline' and 'unsafe-eval', which gives up most of the XSS
# protection a CSP can provide. The example above is already stricter
# (`https:` only); tighten this once the deployment is served over HTTPS and
# the application's own inline-script needs are known.
CONTENT_SECURITY_POLICY = "default-src http: data: blob: 'unsafe-inline' " \
                          "'unsafe-eval';"

# STRICT_TRANSPORT_SECURITY_ENABLED when set to True will set the
# Strict-Transport-Security header.
# Only meaningful when the site is reachable over HTTPS; keep this in step
# with SESSION_COOKIE_SECURE below.
STRICT_TRANSPORT_SECURITY_ENABLED = False

# The X-Content-Type-Options header forces the browser to honor the response
# content type instead of trying to detect it, which can be abused to
# generate a cross-site scripting (XSS) attack.
# e.g. nosniff
X_CONTENT_TYPE_OPTIONS = "nosniff"

# The browser will try to prevent reflected XSS attacks by not loading the
# page if the request contains something that looks like JavaScript and the
# response contains the same data. e.g. '1; mode=block'
# NOTE(review): this is a legacy header that current browsers largely
# ignore; it is harmless to send, but CONTENT_SECURITY_POLICY is the
# control that actually matters.
X_XSS_PROTECTION = "1; mode=block"

# This param is used to validate ALLOWED_HOSTS for the application
# This will be used to avoid Host Header Injection attack
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
# vulnerable to Host Header Injection attack)
#
# NOTE(review): the empty list below is the permissive setting described
# above. For a production deployment list the hostnames/addresses clients
# are expected to use, e.g. the public DNS name and any load-balancer VIP.
ALLOWED_HOSTS = []

# Hash algorithm Flask-Security uses for stored pgAdmin user passwords.
SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'

##########################################################################
# Log settings
##########################################################################

# Debug mode? Must stay False on any reachable server: debug mode exposes
# tracebacks and internals to clients.
DEBUG = False

##########################################################################
# User account and settings storage
##########################################################################

# Allow database connection passwords to be saved if the user chooses.
# Set to False to disable password saving.
# Saved passwords live in pgAdmin's own storage, so this widens what an
# attacker gains from a compromised pgAdmin host; weigh convenience against
# that before enabling in shared deployments.
ALLOW_SAVE_PASSWORD = True

##########################################################################
# Session expiration support
##########################################################################

# SESSION_EXPIRATION_TIME is the interval in Days. Session will be
# expire after the specified number of *days*.
SESSION_EXPIRATION_TIME = 1

# CHECK_SESSION_FILES_INTERVAL is interval in Hours. Application will check
# the session files for cleanup after specified number of *hours*.
CHECK_SESSION_FILES_INTERVAL = 12

# USER_INACTIVITY_TIMEOUT is interval in Seconds. If the pgAdmin screen is
# left unattended for that many seconds then the user will be logged out.
# When set to 0, the timeout will be disabled.
# If pgAdmin doesn't detect any activity in the time specified (in seconds),
# the user will be forcibly logged out from pgAdmin. Set to zero to disable
# the timeout.
# Note: This is applicable only for SERVER_MODE=True.
# The placeholder must render to a bare integer (no quotes); a value of 0
# disables the idle logout entirely.
USER_INACTIVITY_TIMEOUT = {{ open_asfa_pgadmin_inactivity_timeout }}

# OVERRIDE_USER_INACTIVITY_TIMEOUT when set to True will override
# USER_INACTIVITY_TIMEOUT when long running queries in the Query Tool
# or Debugger are running. When the queries complete, the inactivity timer
# will restart in this case. If set to False, user inactivity may cause
# transactions or in-process debugging sessions to be aborted.
OVERRIDE_USER_INACTIVITY_TIMEOUT = True

##########################################################################
# These settings are used when running in web server mode for confirming
# and resetting passwords etc.
# See: http://pythonhosted.org/Flask-Mail/ for more info
# If these are enabled, MAIL_PASSWORD is a credential stored in clear text
# in this file — restrict the file's permissions or inject it at render
# time rather than committing it.
# MAIL_SERVER = 'localhost'
# MAIL_PORT = 25
# MAIL_USE_SSL = False
# MAIL_USE_TLS = False
# MAIL_USERNAME = ''
# MAIL_PASSWORD = ''
# MAIL_DEBUG = False

# Flask-Security overrides Flask-Mail's MAIL_DEFAULT_SENDER setting, so
# that should be set as such:
SECURITY_EMAIL_SENDER = '{{ open_asfa_pgadmin_email }}'

# Check for new versions of the application?
# False also means no outbound version-check request leaves the server.
UPGRADE_CHECK_ENABLED = False

##########################################################################
# SSH Tunneling supports only for Python 2.7 and 3.4+
##########################################################################
SUPPORT_SSH_TUNNEL = False

##########################################################################
# Allows pgAdmin4 to create session cookies based on IP address, so even
# if a cookie is stolen, the attacker will not be able to connect to the
# server using that stolen cookie.
# Note: This can cause problems when the server is deployed in dynamic IP
# address hosting environments, such as Kubernetes or behind load
# balancers. In such cases, this option should be set to False.
##########################################################################
ENHANCED_COOKIE_PROTECTION = True

# SameSite is left at the framework default here; set it explicitly if the
# deployment's cross-site behaviour needs to be pinned.
# SESSION_COOKIE_SAMESITE = 'Lax'
# NOTE(review): False means the session cookie is also sent over plain
# HTTP. Set this to True whenever the site is served over HTTPS (and pair
# it with STRICT_TRANSPORT_SECURITY_ENABLED above); leaving it False on an
# HTTPS site exposes the session cookie to any on-path observer of a
# stray http:// request.
SESSION_COOKIE_SECURE = False
# Keeps the session cookie out of reach of page JavaScript.
SESSION_COOKIE_HTTPONLY = True

##########################################################################
# External Authentication Sources
##########################################################################
# Default setting is internal
# External Supported Sources: ldap, kerberos
# Multiple authentication can be achieved by setting this parameter to
# ['ldap', 'internal']. pgAdmin will authenticate the user with ldap first,
# in case of failure internal authentication will be done.
# Order matters: sources are tried in list order and the first success wins.
AUTHENTICATION_SOURCES = ['internal']

##########################################################################
# LDAP Configuration
# (only consulted when 'ldap' appears in AUTHENTICATION_SOURCES)
##########################################################################

# After ldap authentication, user will be added into the SQLite database
# automatically, if set to True.
# Set it to False, if user should not be added automatically,
# in this case Admin has to add the user manually in the SQLite database.
# With True, anyone the directory authenticates gets a pgAdmin account;
# rely on LDAP_BASE_DN / LDAP_SEARCH_FILTER to scope who that is.
LDAP_AUTO_CREATE_USER = True

# Connection timeout (seconds)
LDAP_CONNECTION_TIMEOUT = 10

# Server connection details (REQUIRED)
# example: ldap://<host>:<port>, or ldaps://<host>:<port> for TLS-on-connect
# The value below is a placeholder and must be replaced before LDAP auth
# is enabled.
LDAP_SERVER_URI = 'ldap://:'

# The LDAP attribute containing user names. In OpenLDAP, this may be 'uid'
# whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED)
LDAP_USERNAME_ATTRIBUTE = ''

##########################################################################
# 3 ways to configure LDAP as follows (Choose anyone):
# 1. Dedicated User binding
# LDAP Bind User DN Example: cn=username,dc=example,dc=com
# Set this parameter to allow the connection to bind using a dedicated user.
# After the connection is made, the pgadmin login user will be further
# authenticated by the username and password provided
# at the login screen.
LDAP_BIND_USER = None
# LDAP Bind User Password
# NOTE(review): if used, this is a clear-text directory credential in this
# file. Give the bind account read-only search rights, keep the file's
# permissions tight, and prefer injecting the value at render time.
LDAP_BIND_PASSWORD = None

# OR ####################
# 2. Anonymous Binding
# Set this parameter to allow the anonymous bind.
# After the connection is made, the pgadmin login user will be further
# authenticated by the username and password provided
LDAP_ANONYMOUS_BIND = False

# OR ####################
# 3. Bind as pgAdmin user

# BaseDN (REQUIRED)
# AD example:
# (&(objectClass=user)(memberof=CN=MYGROUP,CN=Users,dc=example,dc=com))
# OpenLDAP example: CN=Users,dc=example,dc=com
LDAP_BASE_DN = ''
##########################################################################

# Search ldap for further authentication (REQUIRED)
# It can be optional while bind as pgAdmin user
LDAP_SEARCH_BASE_DN = ''

# Filter string for the user search.
# For OpenLDAP, '(cn=*)' may well be enough.
# For AD, you might use '(objectClass=user)' (REQUIRED)
# The default below matches every entry; narrow it (e.g. to a group, as in
# the AD example above) so that only intended accounts can log in.
LDAP_SEARCH_FILTER = '(objectclass=*)'

# Search scope for users (one of BASE, LEVEL or SUBTREE)
LDAP_SEARCH_SCOPE = 'SUBTREE'

# Use TLS? If the URI scheme is ldaps://, this is ignored.
# NOTE(review): with an ldap:// URI and this left False, bind credentials
# (including the login user's password) cross the network unencrypted;
# use ldaps:// or set this to True.
LDAP_USE_STARTTLS = False

# TLS/SSL certificates. Specify if required, otherwise leave empty
# LDAP_CA_CERT_FILE is what lets the server's certificate be verified;
# LDAP_CERT_FILE / LDAP_KEY_FILE are only needed for client-certificate auth.
LDAP_CA_CERT_FILE = ''
LDAP_CERT_FILE = ''
LDAP_KEY_FILE = ''