Wexflow Security

Akram El Assas edited this page Jul 17, 2025 · 3 revisions

Table of Contents

  1. Wexflow Security
  2. Production Security Recommendations
  3. JWT Configuration
    1. .NET 4.8
    2. .NET 9.0+
  4. Summary

Wexflow Security

Wexflow uses a secure authentication mechanism based on:

  • JWT (JSON Web Tokens)
  • PBKDF2-hashed passwords
  • HttpOnly secure cookies
  • HTTPS/SSL

These layers ensure that your workflows and API endpoints are well-protected in both development and production environments.

Production Security Recommendations

For secure deployments:

  • Enable HTTPS/SSL to encrypt all traffic.
  • Use strong passwords and update the default credentials.
  • Store the JWT secret securely and avoid hardcoding sensitive values.
  • Avoid storing JWT tokens in localStorage; Wexflow uses HttpOnly cookies instead.
  • Configure reasonable JWT expiration to reduce risk if a token is ever leaked.

These best practices help protect Wexflow from:

  • Cross-Site Scripting (XSS)
  • Cross-Site Tracing (XST) — Wexflow disables the HTTP TRACE method
  • Cross-Site Request Forgery (CSRF)
  • Man-in-the-Middle (MITM) attacks
  • Token theft or misuse
  • Weak password storage

JWT Configuration

You can configure the JWT secret key and token expiration time in both .NET 4.8 and .NET 9.0+ versions.

.NET 4.8

Edit the file:

C:\Program Files\Wexflow\Wexflow.Server.exe.config

Add or update these entries under <appSettings>:

<appSettings>
  <!-- Use a securely generated key (recommended 32+ bytes hex) -->
  <add key="JwtSecret" value="b7a3c04f10e84c3f95a3f3497bda8e32" />
  <add key="JwtExpireAtMinutes" value="1440" />
</appSettings>

  • JwtSecret: Symmetric secret key used to sign JWTs. Must be at least 128 bits (16 bytes); 256 bits (32 bytes) is safer.
  • JwtExpireAtMinutes: Token expiration duration in minutes (e.g., 1440 = 24 hours).

.NET 9.0+

Open the JSON configuration file:

Wexflow.Server/appsettings.json

And set:

{
  "JwtSecret": "b7a3c04f10e84c3f95a3f3497bda8e32",
  "JwtExpireAtMinutes": 1440
}

  • Keep this file out of source control if you're storing secrets directly.
  • Consider using environment variables or a secure secrets manager in production.
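
As an added example (not part of Wexflow or this wiki), the Python script below audits either configuration format against the guidance above. It flags the sample secret printed on this page, bounds the secret's entropy (4 bits per hex character, so the 32-character sample carries at most 128 bits), and checks the expiration. The function names, the 6-bits-per-character bound for non-hex secrets and the 1440-minute ceiling are assumptions of this example.

```python
import json
import secrets
import xml.etree.ElementTree as ET

# Sample value printed on this wiki page: publicly known, so never valid in a deployment.
DOC_SAMPLE_SECRET = "b7a3c04f10e84c3f95a3f3497bda8e32"
MIN_BITS, RECOMMENDED_BITS = 128, 256  # the page's 16-byte floor and 32-byte target
MAX_EXPIRE_MINUTES = 1440              # assumed ceiling (the page's example value)

def load_settings(text):
    """Read JwtSecret / JwtExpireAtMinutes from appsettings.json or an <appSettings> XML."""
    text = text.strip()
    if text.startswith("{"):
        kv = json.loads(text)
    else:
        kv = {e.get("key"): e.get("value") for e in ET.fromstring(text).iter("add")}
    return str(kv.get("JwtSecret", "")), int(kv.get("JwtExpireAtMinutes", 0))

def entropy_upper_bound_bits(secret):
    """At most 4 bits per hex character; 6 per character otherwise (assumed bound)."""
    is_hex = all(c in "0123456789abcdefABCDEF" for c in secret)
    return len(secret) * (4 if is_hex else 6)

def audit(text):
    """Return a list of findings; an empty list means the settings pass."""
    secret, expire = load_settings(text)
    bits = entropy_upper_bound_bits(secret)
    findings = []
    if secret == DOC_SAMPLE_SECRET:
        findings.append("JwtSecret is the published documentation sample")
    if bits < MIN_BITS:
        findings.append(f"JwtSecret has at most {bits} bits; minimum is {MIN_BITS}")
    elif bits < RECOMMENDED_BITS:
        findings.append(f"JwtSecret has at most {bits} bits; {RECOMMENDED_BITS} recommended")
    if not 0 < expire <= MAX_EXPIRE_MINUTES:
        findings.append(f"JwtExpireAtMinutes={expire} is outside 1..{MAX_EXPIRE_MINUTES}")
    return findings

def new_secret():
    return secrets.token_hex(32)  # 32 bytes from the OS CSPRNG, as 64 hex characters

# Constructed inputs mirroring the two configuration formats on this page.
LEGACY_CONFIG = """<configuration><appSettings>
  <add key="JwtSecret" value="b7a3c04f10e84c3f95a3f3497bda8e32" />
  <add key="JwtExpireAtMinutes" value="1440" />
</appSettings></configuration>"""
HARDENED_JSON = json.dumps({"JwtSecret": new_secret(), "JwtExpireAtMinutes": 60})

if __name__ == "__main__":
    print(audit(LEGACY_CONFIG), audit(HARDENED_JSON))
```

The sample configuration yields two findings (published sample value, at most 128 bits), while the freshly generated 64-character secret with a 60-minute expiration yields none.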

Summary

By using:

  • JWTs with expiration
  • Strong symmetric keys
  • Encrypted cookies
  • PBKDF2 for password hashing
  • HTTPS for secure transport

Wexflow significantly reduces common attack surfaces for workflow automation platforms.
