Live App Security Settings

This article provides an overview of the security options available within the Knack Builder.

Here at Knack, we take the security of your data seriously.

This article describes the Live App security settings in Knack which are included in the Pro, Corporate and Plus plans. For Builder security settings always available for all Knack plans, please see our Builder Security Settings article.

If you had had additional needs under US HIPAA laws, please see our webpage and Live App Security Settings: HIPAA Plans article.

 

Where do I access Live App Security Settings on Corporate or Plus plans?

The location of each of these settings are outlined in the detailed sections below.

Summary of Settings

• Inactivity Logout: Being inactive for 15 minutes logs you out of the Live App. Options: 1, 5, 10, 15, 30, 60 minutes
• Passwords: No common passwords, minimum of 8 character passwords. Options: 1 number, 1 special character, 1 uppercase character, 1 lowercase character, password expires every 60 days, can't use last 3 passwords
• Failed Logins: Lockout after 3 failed attempts within a 15 time period, lockout for 15 minutes after the failed attempts, sends user an email when they've been locked out. Options: Allow user to request password to reset account, send user an email no lockout
• IP Whitelisting: targets a Live App and which IP addresses can access that Live App
• Secure Browser: When an http:// URL is accessed, it automatically redirects to the https:// version.
• Enable Record History: When enabled, a history of record changes is available in the Builder. Retention periods for data history varies by plan. 
• Purge Deleted Records: When deleting any records, purge all associated history.

 

 

Inactivity Logout

Inactivity logout provides security measures to automatically log out your users when they are inactive within the Live App.

Activation

Inactivity logout settings can be enabled from the Settings section of the Builder under the User Logins.

To enable this setting, simply check the box labeled "Automatic inactivity log out. This setting applies to users in both the Builder and the Live App."

Additionally, you have the flexibility to modify the default logout time and customize the message that will be displayed on the user's screen one minute before the designated logout time.

 

Options

Knack’s available options for inactivity logout:

Description	Default	Options
Automatically log out after X minutes of inactivity	1	1, 5, 10, 15, 30, 60
Inactivity Message (this message is editable)	Still there? If so, click “Remain Logged In” below.

 

 

Passwords

Implementing longer and more intricate passwords is an effective approach to enhancing the security of your Live App pages.

Activation

Password settings can be enabled from the Settings section of the Builder under the User Logins.

These settings are disabled by default. You can check or uncheck the boxes to include the password requirements you desire your users follow when creating passwords.

You also have the option to set a password expiration period of 60 days for the customers (this message can be customized) and enforce the rule that they cannot reuse their last three passwords (this message can also be customized).

Options

Knack’s available options for passwords:

Description	Default
Passwords for an app must include:
Minimum 8 characters	disabled
No common passwords	disabled
Must include at least 1 number	disabled
Must include at least 1 special character	disabled
Must include at least 1 uppercase letter	disabled
Must include at least 1 lowercase letter	disabled
Additional Settings
Expire every 60 days (this message is editable)	N/A
Cannot reuse last 3 passwords (this message is editable)	N/A

 

 

Failed Logins

Failed login settings provide protection against brute force attacks, also referred to as brute force hacking. These attacks involve application programs attempting to access secured data behind login access by systematically guessing passwords, rather than using sophisticated methods.

Knack's failed login settings are designed to enhance security by protecting against repeated login attempts.

Activation

Failed login settings can be enabled from the Settings section of the Builder under the User Logins.

This setting is automatically enabled, but can be disabled by clicking the checkbox next to “Lock out users after too many failed logins. This can prevent "guessing." From there, you can change the default number of failed attempts and length of times before a user can attempt to log in again.

The message that appears on screen when users have been locked out is editable. Another option sends an email to the user if they’ve been locked out and/or allow them to reset their password again themselves.

 

Options

Knack’s available options for brute force login prevention:

Description	Default	Options
Lockout after X failed attempts within a X time period	3 || 1	3, 5, 10 || 1, 5, 15, 60
Lockout for X (length of time) after the above failed attempts	5	5, 15, 60, 1 day, Forever
Lockout message (this message is editable)	Account locked due to too many failed login attempts. Please wait before trying again.
Allow user to request password reset to unlock account	disabled	N/A
Password Reset Message (this message is editable)	You may also <a href="#home/knack-password/forgot">reset your password</a> to unlock your account.
Send user an email when locked out	enabled	N/A
Email message (this message is editable)	For your security, we're alerting you to the fact that your account has been locked out due to too many failed login attempts. If this was not you, please alert your admin right away.

 

 

IP Whitelisting

IP Whitelisting allows you to specify which IP addresses can access your Live App, whether it is a hosted or embedded app.

This feature does not impact the overall access to the API. The API is already secured through the use of API keys, so there is no need for additional IP protection.

Activation

IP whitelisting can be enabled from the Settings section of the Builder under the App Settings > Security tab.

This setting is enabled by checking the checkbox next to this setting. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

 

 

Secure Browser

With this setting enabled, if anyone accesses your Live App on http://, they'll automatically redirect to the https:// version. This setting is an option for all existing apps and is enabled by default for new apps.

Activation

Secure browser settings can be enabled from the Settings section of the Builder under the App Settings > Security tab.

This setting is enabled by checking the checkbox next to this setting. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

 

 

Enable Record History

When enabled, a history of record changes is available in the Records view of any table in the Builder. To learn more about record history, see our article here. 

 

 

Purge Deleted Records

At times, you may receive a request to permanently erase all data associated with a specific customer when dealing with customer information. To simplify this process, we have incorporated a feature specifically designed for this purpose.

Enabling this setting will result in the permanent deletion of all associated record history and any assets (files or images) that have been uploaded to the record when it is deleted.

When enabled, deleted records cannot be restored.

It's best to only turn this on when fulfilling a Subject Data request under GDPR, HIPAA, or other regulation.

Activation

Purge deleted records can be enabled from the Settings section of the Builder under the App Settings > Security tab.

This setting is enabled by checking the checkbox next to this setting. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

 

 

Notes & Troubleshooting

• For more information on keeping your apps secure, check out our Security Best Practices.
• HIPAA accounts cannot currently add template/sample apps to the dashboard.

---