Wexflow Security - arunkumarrawat/Wexflow GitHub Wiki

Table of Contents

  1. Wexflow Security
  2. Production Security Recommendations
  3. JWT Configuration
    1. .NET 4.8
    2. .NET 9.0+
  4. Summary

Wexflow Security

Wexflow uses a secure authentication mechanism based on:

  • JWT (JSON Web Tokens)
  • PBKDF2-hashed passwords
  • HttpOnly secure cookies
  • HTTPS/SSL

These layers ensure that your workflows and API endpoints are well-protected in both development and production environments.

Production Security Recommendations

For secure deployments:

  • Enable HTTPS/SSL to encrypt all traffic.
  • Use strong passwords and update the default credentials.
  • Store the JWT secret securely and avoid hardcoding sensitive values.
  • Avoid storing JWT tokens in localStorage; Wexflow uses HttpOnly cookies instead.
  • Configure reasonable JWT expiration to reduce risk if a token is ever leaked.

These best practices help protect Wexflow from:

  • Cross-Site Scripting (XSS)
  • Cross-Site Tracing (XST) — Wexflow disables the HTTP TRACE method
  • Cross-Site Request Forgery (CSRF)
  • Man-in-the-Middle (MITM) attacks
  • Token theft or misuse
  • Weak password storage

JWT Configuration

You can configure the JWT secret key and token expiration time in both .NET 4.8 and .NET 9.0+ versions.

.NET 4.8

Edit the file:

C:\Program Files\Wexflow\Wexflow.Server.exe.config

Add or update these entries under <appSettings>:

<appSettings>
  <!-- Use a securely generated key (recommended 32+ bytes hex) -->
  <add key="JwtSecret" value="b7a3c04f10e84c3f95a3f3497bda8e32" />
  <add key="JwtExpireAtMinutes" value="1440" />
</appSettings>

  • JwtSecret: Symmetric secret key used to sign JWTs. Must be at least 128 bits (16 bytes); 256 bits (32 bytes) is safer. The value shown above is only a sample; generate your own and never deploy the documented one.
  • JwtExpireAtMinutes: Token expiration duration in minutes (e.g., 1440 = 24 hours).

.NET 9.0+

Open the JSON configuration file:

Wexflow.Server/appsettings.json

And set:

{
  "JwtSecret": "b7a3c04f10e84c3f95a3f3497bda8e32",
  "JwtExpireAtMinutes": 1440
}

  • Keep this file out of source control if you're storing secrets directly.
  • Consider using environment variables or a secure secrets manager in production.
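As an added example (not part of Wexflow), the script below audits the two JWT settings in either of the configuration formats described above, flags the documented sample secret, checks the 16-byte minimum and 32-byte recommendation from this page, and mints a replacement key. It assumes the secret string's UTF-8 bytes are used as the HMAC key; a 64-character hex key from `generate_secret()` satisfies the recommendation whether the server hex-decodes it or not. The 1440-minute ceiling and the sample configs are constructed for the example.

```python
"""Added example, not Wexflow's code: audit JwtSecret / JwtExpireAtMinutes in
Wexflow.Server.exe.config (XML) or appsettings.json and generate a fresh secret."""
import json
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

MIN_SECRET_BYTES = 16           # 128-bit floor stated on the page
RECOMMENDED_SECRET_BYTES = 32   # 256-bit recommendation stated on the page
MAX_EXPIRE_MINUTES = 1440       # assumed ceiling, taken from the page's 24-hour example
DOC_SAMPLE_SECRET = "b7a3c04f10e84c3f95a3f3497bda8e32"  # value shown in the docs; never deploy it

# Constructed inputs standing in for the real files.
SAMPLE_EXE_CONFIG = """<configuration><appSettings>
  <add key="JwtSecret" value="b7a3c04f10e84c3f95a3f3497bda8e32" />
  <add key="JwtExpireAtMinutes" value="1440" />
</appSettings></configuration>"""
SAMPLE_APPSETTINGS = '{"JwtSecret": "short", "JwtExpireAtMinutes": 43200}'


def parse_exe_config(xml_text: str) -> Dict[str, str]:
    """Collect <add key=".." value=".."/> pairs from the .NET 4.8 exe.config."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}


def parse_appsettings(json_text: str) -> Dict[str, object]:
    """The .NET 9.0+ file is plain JSON with the same two keys."""
    return json.loads(json_text)


def audit_jwt_settings(settings: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means both settings meet the page's guidance."""
    findings: List[str] = []
    secret = settings.get("JwtSecret")
    if not secret:
        findings.append("JwtSecret is missing")
    else:
        # Assumption: the UTF-8 bytes of the string are the HMAC key.
        n = len(str(secret).encode("utf-8"))
        if secret == DOC_SAMPLE_SECRET:
            findings.append("JwtSecret is the sample value from the documentation; generate your own")
        if n < MIN_SECRET_BYTES:
            findings.append(f"JwtSecret is {n} bytes; minimum is {MIN_SECRET_BYTES}")
        elif n < RECOMMENDED_SECRET_BYTES:
            findings.append(f"JwtSecret is {n} bytes; {RECOMMENDED_SECRET_BYTES} bytes recommended")
    try:
        minutes = int(settings.get("JwtExpireAtMinutes"))
    except (TypeError, ValueError):
        findings.append("JwtExpireAtMinutes is missing or not an integer")
        return findings
    if minutes <= 0:
        findings.append("JwtExpireAtMinutes must be positive")
    elif minutes > MAX_EXPIRE_MINUTES:
        findings.append(f"JwtExpireAtMinutes={minutes} exceeds the assumed {MAX_EXPIRE_MINUTES}-minute ceiling")
    return findings


def generate_secret(num_bytes: int = RECOMMENDED_SECRET_BYTES) -> str:
    """Hex encoding of num_bytes from the OS CSPRNG (two hex characters per byte)."""
    return secrets.token_hex(num_bytes)


if __name__ == "__main__":
    for label, settings in (("exe.config", parse_exe_config(SAMPLE_EXE_CONFIG)),
                            ("appsettings.json", parse_appsettings(SAMPLE_APPSETTINGS))):
        print(label, audit_jwt_settings(settings) or ["ok"])
    print("replacement JwtSecret:", generate_secret())
```

Run it against the real files by replacing the constructed strings with the file contents; the generated value can be pasted into either `value="..."` or the JSON string, or, per the recommendation above, supplied through an environment variable or secrets manager instead of the file.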

Summary

By using:

  • JWTs with expiration
  • Strong symmetric keys
  • Encrypted cookies
  • PBKDF2 for password hashing
  • HTTPS for secure transport

Wexflow significantly reduces common attack surfaces for workflow automation platforms.