Global settings

Parent	Configuration	Required	Default	Type	Description
`server`	`port`		`8080`	Integer	Port tia Viewer is listening to. This port must be mapped in host context by container start command (e.g.: `-p 80:8080` parameter for `docker run` )
`tia.license`	`path`		`/application/config/license/`	String	Path in container context containing the license file. This path or the license file must be mapped from permanent host file system. See Location of the license file (Vc) .
`tia.destinations.saphttp`	`host`			String	Hostname of the server with the content server
`tia.destinations.saphttp`	`port`			Integer	Port of the content server usually `80` or `443`
`tia.destinations.saphttp`	`protocol`		`https`	String	Protocol of the content server `http` or `https`
`tia.destinations.saphttp`	`path`		`/contentserver`	String	Context Path of the content server.
`tia`	`repositoryinstancemapping`		tia Viewer maps repositories to instance `default`, that are not explicitly mapped here.	List<String>	Relevant in CSV configuration, seehttps://kgs-software.atlassian.net/wiki/spaces/WIKI/pages/3246620679/Supported+Scenarios+Vc#Content-Server-Viewer-(CSV). This parameter allows to map repositories to instances that can be configured separately. For more information see Instance settings . Example in YAML configuration file: tia: repositoryinstancemapping: FI: finance HR: finance TR: default ZI: production
`tia`	`secKey`	❗	`ABC123`	String	This default is not intended for production use: Change this value
`tia.stamps`	`locations`			String	Default stamps available to all instances in addition to the instance specific stamps configured. Stamp files are supported in the following formats: JPEG, PNG, BMP, GIF Configuration allows to enter a folder e.g.: `file:///tmp/stamps/` one or more files: `"file:///tmp/stamps/accept.png, /tmp/stamps_new/declined.jpg"`
`tia.stamps`	`cacheSize`		`100`	Integer	Number of slots available in stamps cache entries. Each slot can hold one stamp file of size limited by `maxFileSize`. If more stamps are present, the oldest ones are removed from cache.
`tia.stamps`	`expireMinutes`		`10`	Integer	Lifetime of unused entries in stamp cache in minutes.
`tia.stamps`	`maxFileSize`		`10000000`	Integer	Max file size in bytes of each stamp file.
`tia.mail`	`view_mode`		`Popup`	String (Enum)	Triggers how emails are displayed and edited. Available values: `Popup` (new window/tab is opened), `Embedded` (in current window/tab)

HTTP Headers configuration

These parameters allow specification of HTTP Header required in web security contexts.

Incorrect settings of these parameters may result in tia Viewer Core not functioning correctly.

Parent	Configuration	Default	Type	Description
`spring.security.csp`	`policy`	default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; manifest-src 'self'; worker-src 'self';	String	Content Security Policy. This setting secures communication between web server and browser against various attacks like XSS, or injections. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
`spring.security.cors`	`allowed-origins`	http(s)://localhost:<port>	String	CORS Header: Access-Control-Allowed-Origin. The Browser accepts resources from the allowed origin only. In the default, it will be created from: `${server.ssl.enabled:false}` → if `true`, HTTPS `${server.address`} `${server.port`} May be directly overwritten with `spring.security.cors.allowed-origins`: Allowed values are: `` ( Asterisk - from everywhere) <origin> (one absolute URL) Example:* spring.security.cors.allowed-origins: "*"
`spring.security.cors`	`allowed-headers`	Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization	List<String>	CORS Header: Access-Control-Allowed-Headers. The Headers, that are allowed by the browser. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers Allowed values are: (Asterisk - all Headers) List<String> (String list, comma seperated) Example:* spring.security.cors.allowed-headers: "*"
`spring.security.cors`	`allowed-headers`	Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization	List<String>	CORS Header: Access-Control-Allowed-Headers. The Headers, that are allowed by the browser. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers Allowed values are: (Asterisk - all Headers) List<String> (String list, comma seperated) Example:* spring.security.cors.allowed-headers: "*"
`spring.security.cors`	`allow-credentials`	`true`	Boolean	CORS Header: Access-Control-Allow-Credentials. Tell the browser, whether it allowes cross-origin request credentials or not (credentials may be in cookies etc.) See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials Example: tia.security.cors.allow-credentials: false
`spring.security.cors`	`allow-x-frame-options-from`	`DENY`	String(Enum)	CORS Header: X-Frame-Options. Tells the browser if it accept the content of the viewer when its embedded in an iFrame. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options Hint: This flag is obsolete when using CSP frame-ancestor Allowed values are: `` (Allow from everywhere) `DENY` `SAMEORIGIN` `ALLOW-FROM` XXXXXX (http-address [origin]) Example:* spring.security.cors.allow-x-frame-options-from: "*"
`spring.security.xss`	`mode`	`disabled`	String (Enum)	Cross-Site Protection Header. Should not be set in Production. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Allowed values are: `block mode` `block` `disabled` Example: spring.security.xss.mode: block-mode