Configure general security settings

Dina Bennett

Ziflow administrators configure the account's default security settings in Settings > Security > General.

Available on: Free, Standard, Pro, Enterprise

Note: Screen captures reflect the Enterprise edition of Ziflow. You may not see some features or options depending on your Ziflow edition.

Log into Ziflow. Select your user avatar and choose Settings > Security > General.

Depending on the type of your Ziflow subscription, you may see different options:

[Screenshot: general-security-open.png]

Allow embedding the Ziflow application

(All editions)

Embedding Ziflow in an iframe on another site exposes your account to clickjacking: an attacker's page can overlay its own invisible controls on top of the framed Ziflow UI and trick a logged-in user into clicking them.
Use this setting to control which parts of the app (if any) may be embedded.
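To confirm what the setting actually does for your tenant, look at the response headers the browser receives for a Ziflow page before and after you change it. The following is an added example, not Ziflow's code, and it assumes (the page does not say) that the embedding policy is expressed through the standard X-Frame-Options or Content-Security-Policy frame-ancestors headers; the sample responses are constructed, not captured.

```javascript
// Added example (not Ziflow's code): classify a response's framing policy.
// Assumption: the embedding setting is enforced with X-Frame-Options and/or
// Content-Security-Policy frame-ancestors; the page does not say how Ziflow does it.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Case-insensitive header lookup on a plain {name: value} object.
function header(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : undefined;
}

// Decide whether a response may be framed and by whom.
function framingPolicy(headers) {
  const ancestors = parseFrameAncestors(header(headers, 'content-security-policy'));
  if (ancestors) {
    // CSP3: when frame-ancestors is present, browsers ignore X-Frame-Options.
    if (ancestors.length === 1 && ancestors[0] === 'none') {
      return { framable: false, source: 'csp', allowed: [] };
    }
    return { framable: true, source: 'csp', allowed: ancestors };
  }
  const xfo = header(headers, 'x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { framable: false, source: 'xfo', allowed: [] };
    if (value === 'SAMEORIGIN') return { framable: true, source: 'xfo', allowed: ['self'] };
    // ALLOW-FROM and typos are ignored by current browsers: no protection at all.
    return { framable: true, source: 'xfo', allowed: ['*'], warning: `unsupported value "${xfo}"` };
  }
  return { framable: true, source: 'none', allowed: ['*'], warning: 'no anti-framing header' };
}

// Constructed sample responses (not captured from Ziflow).
const SAMPLE_RESPONSES = {
  blocked: { 'X-Frame-Options': 'DENY' },
  sameOriginOnly: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  partnerOnly: {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'self' https://intranet.example",
  },
  unprotected: { 'Content-Type': 'text/html' },
};

// Audit every sample and list the ones that some other page could frame.
function framableSamples() {
  return Object.entries(SAMPLE_RESPONSES)
    .filter(([, h]) => framingPolicy(h).framable)
    .map(([name]) => name);
}

console.log(framableSamples()); // sameOriginOnly, partnerOnly, unprotected
```

Feed it the headers from the browser devtools Network tab or from `curl -sI` against your own tenant. A result of `allowed: ['*']` with a warning means nothing stops a third-party page from framing that URL, which is the condition clickjacking needs; `'self'` or an explicit partner origin is what you expect when embedding is restricted.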

Allow popups to escape sandbox for Live Websites

(All editions)

When enabled, the iframe sandbox that the Proof Viewer applies to live content proofs includes the allow-popups-to-escape-sandbox token.
JavaScript in a live content proof can then open links in new windows, and those windows are not subject to the sandbox restrictions that apply to the proof itself.

Warning: Enabling this option reduces browser security. Only enable if absolutely necessary and you trust the content and its source.

Allow downloads for Live Websites

(Paid plans only)

When enabled, live content proofs can trigger file downloads in the reviewer's browser.

Warning: Enabling this option reduces browser security. Only enable if absolutely necessary and you trust the content and its source.
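Both toggles above change the `sandbox` attribute on the iframe that displays a live content proof. The block below is an added example, not Ziflow's implementation: it assumes a baseline token set of `allow-scripts allow-forms allow-popups` (the page does not state the real baseline), shows how the two settings extend it, and flags the combinations a reviewer of any iframe sandbox would check.

```javascript
// Added example (not Ziflow's code): how the two "Live Websites" toggles
// extend an iframe sandbox, plus a lint for the risky token combinations.
// Assumed baseline (not stated on the page): allow-scripts allow-forms allow-popups.
const BASELINE_SANDBOX = ['allow-scripts', 'allow-forms', 'allow-popups'];

// Map the two admin settings onto sandbox tokens.
function buildSandbox({ popupsEscapeSandbox = false, downloads = false } = {}) {
  const tokens = [...BASELINE_SANDBOX];
  if (popupsEscapeSandbox) tokens.push('allow-popups-to-escape-sandbox');
  if (downloads) tokens.push('allow-downloads');
  return tokens;
}

// Render the iframe markup a proof viewer would emit for these settings.
function proofViewerIframe(src, settings) {
  const safeSrc = src.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  // No allow-same-origin: the proof runs in an opaque origin and cannot read app cookies or DOM.
  return `<iframe src="${safeSrc}" sandbox="${buildSandbox(settings).join(' ')}" referrerpolicy="no-referrer"></iframe>`;
}

// Report what each present token lets the framed content do to the reviewer.
function assessSandbox(tokens) {
  const has = t => tokens.includes(t);
  const findings = [];
  if (has('allow-scripts') && has('allow-same-origin')) {
    findings.push('critical: allow-scripts with allow-same-origin lets same-origin framed content remove its own sandbox');
  }
  if (has('allow-popups-to-escape-sandbox')) {
    findings.push(has('allow-popups')
      ? 'warning: windows opened by the proof run with no sandbox restrictions at all'
      : 'info: allow-popups-to-escape-sandbox has no effect without allow-popups');
  }
  if (has('allow-downloads')) {
    findings.push('warning: proof content can start file downloads on the reviewer machine');
  }
  if (has('allow-top-navigation')) {
    findings.push('warning: proof content can navigate the top-level Ziflow page');
  }
  return findings;
}

// Compare the default configuration with both toggles enabled.
const DEFAULT_TOKENS = buildSandbox();
const PERMISSIVE_TOKENS = buildSandbox({ popupsEscapeSandbox: true, downloads: true });
console.log(assessSandbox(DEFAULT_TOKENS));     // []
console.log(assessSandbox(PERMISSIVE_TOKENS));  // two warnings
```

The point of the lint is the asymmetry: with the defaults a proof can run scripts and open popups, but every window it opens inherits the same sandbox; with `allow-popups-to-escape-sandbox` those popups become fully capable top-level pages that the proof author controls, and with `allow-downloads` the proof can push a file onto the reviewer's machine. Neither is a problem for content you authored yourself, which is why the warnings above tie enabling them to trusting the source.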

Allow users to stay logged in

(All editions)

Lets users select “Keep me logged in” on the login page to stay signed in for 7 days.

Note: If disabled, users are logged out after 4 hours of inactivity.
Enterprise administrators can change this timeout with the Log out user when inactive for setting below.

Log out user when inactive for

(Enterprise)

The inactivity period after which a user is logged out.

Note: Allow users to stay logged in takes precedence over this setting. If it is enabled and a user selects “Keep me logged in”, the inactivity timer only starts once that user's 7-day period has expired.
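The interaction between the two settings is easy to misjudge, so here is the expiry rule written out as code. This is an added example, not Ziflow's implementation; the 7-day period and the 4-hour default come from the text above, and the reading that the inactivity timer starts at the end of the 7-day period is this page's note taken literally.

```javascript
// Added example (not Ziflow's code): session expiry as described on this page.
// Timestamps are milliseconds since epoch.
const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;
const KEEP_LOGGED_IN_PERIOD = 7 * DAY;  // "stay signed in for 7 days"
const DEFAULT_INACTIVITY = 4 * HOUR;    // default when stay-logged-in is disabled

// Is the session still active at `now`?
function sessionState({ loginAt, lastActivityAt, now, keepMeLoggedIn, inactivityTimeout = DEFAULT_INACTIVITY }) {
  if (keepMeLoggedIn) {
    const periodEnd = loginAt + KEEP_LOGGED_IN_PERIOD;
    if (now <= periodEnd) return 'active';
    // Note above, read literally: the inactivity timer starts when the 7-day period ends.
    const idleSince = Math.max(lastActivityAt, periodEnd);
    return now - idleSince > inactivityTimeout ? 'expired' : 'active';
  }
  return now - lastActivityAt > inactivityTimeout ? 'expired' : 'active';
}

// Longest time a device left unattended immediately after login stays authenticated.
function maxUnattendedExposure({ keepMeLoggedIn, inactivityTimeout = DEFAULT_INACTIVITY }) {
  return keepMeLoggedIn ? KEEP_LOGGED_IN_PERIOD + inactivityTimeout : inactivityTimeout;
}

// Constructed scenario: user logs in at t=0 and never touches the app again.
function unattendedTimeline(keepMeLoggedIn, inactivityTimeout = DEFAULT_INACTIVITY) {
  const checkpoints = [3 * HOUR, 5 * HOUR, 5 * DAY, 7 * DAY + 3 * HOUR, 7 * DAY + 5 * HOUR];
  return checkpoints.map(now => ({
    hours: now / HOUR,
    state: sessionState({ loginAt: 0, lastActivityAt: 0, now, keepMeLoggedIn, inactivityTimeout }),
  }));
}

console.table(unattendedTimeline(false));
console.table(unattendedTimeline(true));
console.log(maxUnattendedExposure({ keepMeLoggedIn: true }) / HOUR); // 172 hours
```

Even with an Enterprise timeout of 30 minutes, `maxUnattendedExposure` for a user who ticked “Keep me logged in” is 7 days plus 30 minutes, because the short timer does not start until the 7-day period has run out. That is the arithmetic behind the recommendation below to leave Allow users to stay logged in disabled in sensitive environments.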

Disable user account when inactive for

(Enterprise)

Automatically disables user accounts after a set period of inactivity.

Account lockout

(All editions)

Locks a user's account after 5 failed login attempts.
System administrators can unlock a locked account manually.

Note: This feature does not apply to users logging in with SSO.


Security best practices

Set a short session timeout for inactivity

  • Recommended: 30–60 minutes for sensitive environments; 2–8 hours for standard business use.
  • Do not allow users to stay logged in; this reduces the risk of unauthorized access if a user leaves a device unattended.
  • If you do allow users to stay logged in, set a short inactivity timeout, because that timer only starts after the 7-day period and the two together define how long an unattended device stays authenticated.

Educate users on safe session practices

  • Remind users not to enable “Keep me logged in” on shared or public devices.
  • Encourage manual logout when leaving devices unattended.

Only enable Allow popups to escape sandbox or Allow downloads for Live Websites if it is absolutely necessary and you fully trust the content and its source

  • These settings reduce browser security and can expose users to potential risks.
  • When in doubt, keep these options disabled to maintain a safer review environment.
