HTTP security settings
    • 04 Jan 2024

    HTTPS encrypts the user’s login data, so it is difficult for anyone on the network to capture a user’s username and password. You need to enable HTTPS on your server before you turn on this setting, or you will be locked out of your site.

    Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.

    The HTTP security page has the following settings.

    Secure cookies only

    If the server accepts only HTTPS connections, it is recommended to enable sending of secure cookies. If enabled, make sure that the web server does not accept http://, or set up a permanent redirect to the https:// address. When the wwwroot address does not start with https://, this setting is turned off automatically.


    Only http cookies

    Sets the HttpOnly flag on cookies (a PHP 5.2.0 feature). Browsers are instructed to send cookies with real HTTP requests only; cookies should not be accessible to scripting languages. This is not supported in all browsers, and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.


    Strict transport security

    When enabled, browsers are instructed to always use the https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings.

    Note that if enabled, browsers will remember this setting for six months and will prevent access via http://, even if this setting is later disabled.

    Secure referrers

    When enabled, browsers are instructed to always use the https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings.

    Note that if enabled, browsers will remember this setting for six months and will prevent access via http://, even if this setting is later disabled.

    Allow frame embedding

    Allows embedding of this site in frames on external sites. Enabling this feature is not recommended for security reasons.


    Permitted cross domain

    Allows embedding of this site in frames on external sites. Enabling this feature is not recommended for security reasons.

    The available options are:

    • Default: No rules are enforced through the site settings; the web client just uses the default settings that might be configured outside the site.
    • none: Browsers are instructed to prevent embedding of content from this server in external Flash or PDF files.
    • master-only: Policies can be defined in the main crossdomain.xml file.


    cURL blocked hosts list

    Put each entry on a new line. Valid entries are either:

    • Full IPv4 or IPv6 addresses (such as 192.168.10.1, 0:0:0:0:0:0:0:1, ::1, fe80::) which match a single host
    • CIDR notation (such as 231.54.211.0/20 or fe80::/64)
    • A range of IP addresses (such as 231.3.56.10-20 or fe80::1111-bbbb) where the range applies to the last group of the address
    • Domain names (such as localhost or example.com)
    • Wildcard domain names (such as *.example.com or *.sub.example.com)

    Blank lines are not allowed.
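    As an added example (not Totara's own code), the following Python matcher checks a host against a blocked hosts list written in the entry format described above. It matches names literally and does not resolve them, so a real implementation must also resolve names and check the resulting addresses; the sample list is constructed, and the rule that a wildcard entry matches only subdomains, not the bare domain, is an assumption of this example.

```python
import ipaddress
# Constructed sample blocklist (not a real site's settings), one entry per line.
BLOCKED_HOSTS = """\
::1
10.0.0.0/8
231.3.56.10-20
fe80::1111-bbbb
localhost
*.internal.example.org
"""

def _parse_range(entry):
    """'231.3.56.10-20' or 'fe80::1111-bbbb': the range covers the last group only."""
    head, _, hi = entry.rpartition("-")
    sep = ":" if ":" in head else "."
    prefix, _, lo = head.rpartition(sep)
    return ipaddress.ip_address(prefix + sep + lo), ipaddress.ip_address(prefix + sep + hi)

def _parse_entry(entry):
    try:  # classify as an IP network, an IP range, or (if neither parses) a domain
        if "/" in entry:
            return "net", ipaddress.ip_network(entry, strict=False)
        if "-" in entry:
            return "range", _parse_range(entry)
        return "net", ipaddress.ip_network(entry)  # single address -> /32 or /128
    except ValueError:
        return "domain", entry  # plain or wildcard domain name

def is_blocked(host, blocked_list=BLOCKED_HOSTS):
    """True if host (IP literal or domain name) matches any entry. Names are matched
    literally (no DNS lookup); '*.x' matches subdomains of x only (an assumption)."""
    host = host.strip().lower().strip("[]")  # accept bracketed IPv6 literals
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so treat as a domain name
    for entry in (l.strip().lower() for l in blocked_list.splitlines() if l.strip()):  # skip blanks
        kind, value = _parse_entry(entry)
        if addr is None:
            if kind == "domain" and (host == value or
                                     (value.startswith("*.") and host.endswith(value[1:]))):
                return True
        elif kind == "net" and addr in value:  # ipaddress returns False across IP versions
            return True
        elif kind == "range":
            first, last = value
            if addr.version == first.version and first <= addr <= last:
                return True
    return False
```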


    cURL allowed ports list

    List of port numbers that cURL can connect to. Valid entries are integer numbers only. Put each entry on a new line. If left empty, all ports are allowed. If set, in almost all cases both 443 and 80 should be specified so that cURL can connect to the standard HTTPS and HTTP ports.


    © Copyright 2024 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions. 

