- 04 Jan 2024
- 2 minutes to read
HTTP security settings
HTTPS encrypts the user's login data, so a user's username and password cannot easily be captured on the network. You need to enable HTTPS on your server before you turn on this setting, or you will be locked out of your site.
Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.
The HTTP security page has the following options.
Setting | Description | Notes |
---|---|---|
Secure cookies only | If the server is accepting only HTTPS connections it is recommended to enable sending of secure cookies. If enabled, please make sure that the web server is not accepting http://, or set up a permanent redirection to the https:// address. When the wwwroot address does not start with https:// this setting is turned off automatically. | - |
Only http cookies | Enables the PHP 5.2.0 feature. Browsers are instructed to send cookies with real http requests only. Cookies should not be accessible by scripting languages. This is not supported in all browsers, and it may not be fully compatible with current code. This helps to prevent some types of XSS attacks. | - |
Strict transport security | When enabled browsers are instructed to always use https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings. | Please note that if enabled, browsers will remember this setting for six months and will prevent access via http:// even if this setting is later disabled. |
Secure referrers | When enabled, browsers are instructed to always use https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings. | Please note that if enabled, browsers will remember this setting for six months and will prevent access via http://, even if this setting is later disabled. Strict transport security. |
Allow frame embedding | Allow embedding of this site in frames on external sites. Enabling of this feature is not recommended for security reasons. | - |
Permitted cross domain | Allow embedding of this site in frames on external sites. Enabling of this feature is not recommended for security reasons. The available options are: | - |
cURL blocked hosts list | Put each entry on a new line. Valid entries are either: Blank lines are not allowed. | - |
cURL allowed ports list | List of port numbers that cURL can connect to. Valid entries are integer numbers only. Put each entry on a new line. If left empty, then all ports are allowed. If set, in almost all cases, both 443 and 80 should be specified for cURL to connect to standard HTTPS and HTTP ports. | - |
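As an added example (not part of the Totara documentation or code), the following Python script checks a captured HTTP response for the visible effects of the settings above: the Secure and HttpOnly flags on each cookie, the Strict-Transport-Security header and its max-age, and an X-Frame-Options header that restricts frame embedding. The sample response is constructed inline, and the assumption that the server sends X-Frame-Options when frame embedding is disabled is mine, not stated on this page.

```python
import re

# Constructed sample response (not captured from a real server). The second
# cookie is missing the Secure flag on purpose so the audit has something to flag.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: LOGINID=xyz789; path=/; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=15552000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return (name, value) pairs from the header block of a raw HTTP response.

    Repeated headers (such as several Set-Cookie lines) are kept as separate
    entries; merging them would corrupt cookie attributes.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(raw):
    """Report which of the page's HTTP security settings are visible in a response."""
    headers = parse_headers(raw)
    findings = {}
    for cookie in (v for n, v in headers if n == "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        findings[f"cookie:{name}:secure"] = "secure" in attrs      # Secure cookies only
        findings[f"cookie:{name}:httponly"] = "httponly" in attrs  # Only http cookies
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    match = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    findings["hsts"] = bool(hsts)
    # max-age is in seconds; the page's "six months" corresponds to about 180 days.
    findings["hsts_max_age_days"] = int(match.group(1)) // 86400 if match else None
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    # Assumption: the server sends DENY or SAMEORIGIN when frame embedding is not allowed.
    findings["frame_embedding_restricted"] = any(v in ("DENY", "SAMEORIGIN") for v in xfo)
    return findings


if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```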
© Copyright 2024 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions.