Form.io configuration should prioritize API security, role-scoped form access, and predictable submission retention.
PORT=3001
MONGO=mongodb://127.0.0.1:27017/formio
JWT_SECRET=replace-with-long-random-secret
BASE_URL=https://forms.example.com
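A pre-deployment check for the environment values above, as an added example that is not Form.io's own code: it flags a placeholder or short JWT_SECRET, a non-HTTPS BASE_URL, and a non-loopback MONGO URI without credentials. The function names, finding codes, 32-character minimum and placeholder pattern are assumptions.

```javascript
// Added example: audit a Form.io-style .env file before deployment.
// The 32-character minimum and the placeholder pattern are assumptions.
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '[::1]']);
const PLACEHOLDER = /replace|change-?me|example/i;

// Parse KEY=VALUE lines; comments and blank lines simply do not match.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/);
    if (m) env[m[1]] = m[2];
  }
  return env;
}

function tryUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Return a list of finding codes; an empty list means no issue was detected.
function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];

  const secret = env.JWT_SECRET || '';
  if (!secret) findings.push('JWT_SECRET_MISSING');
  else if (PLACEHOLDER.test(secret)) findings.push('JWT_SECRET_PLACEHOLDER');
  else if (secret.length < 32) findings.push('JWT_SECRET_TOO_SHORT');

  const base = tryUrl(env.BASE_URL || '');
  if (!base || base.protocol !== 'https:') findings.push('BASE_URL_NOT_HTTPS');

  const mongo = tryUrl(env.MONGO || '');
  if (!mongo || !/^mongodb(\+srv)?:$/.test(mongo.protocol)) {
    findings.push('MONGO_UNPARSEABLE');
  } else if (!LOOPBACK.has(mongo.hostname) && !mongo.username) {
    // A database reachable over the network should require authentication.
    findings.push('MONGO_REMOTE_WITHOUT_CREDENTIALS');
  }
  return findings;
}

// Constructed input: the sample values shown above.
const SAMPLE = [
  'PORT=3001',
  'MONGO=mongodb://127.0.0.1:27017/formio',
  'JWT_SECRET=replace-with-long-random-secret',
  'BASE_URL=https://forms.example.com',
].join('\n');

console.log(auditEnv(SAMPLE)); // [ 'JWT_SECRET_PLACEHOLDER' ]
```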
¶ API and role policy
- Use project-level roles with least privilege.
- Restrict admin endpoints and enforce MFA/SSO where available.
- Scope API keys/tokens to required operations only.
¶ Submission and file handling
- Apply field validation and upload size limits.
- Define retention/deletion policy for submission records.
- Separate public forms from internal staff forms.
¶ Backup and recovery
Back up MongoDB and file storage backends. Validate restored forms and submission API responses.
- API auth failures monitored.
- Submission queue/errors monitored.
- Backup restore tested.
- JWT/key rotation policy documented.