Security
Form settings, SQL injection checks, security headers, etc.
The Security node contains various settings related to security, divided into sections as described below.
Form
The Form settings are used to activate antispam on forms. Once activated, a set of hidden input fields are generated when a form is rendered – if filled (by bots) the form is regarded as spam.
The following settings are available:
| Setting | Use | Notes |
|---|---|---|
| Activate antispam functionality - Forms | Activates antispam on Forms for Editors forms | Adds automatic hidden captcha fields and do bot checks when forms are submitted. Requires the 'formhidden' fields in the form templates |
| Activate antispam functionality – Users | Activates antispam on Extranet forms | Adds automatic hidden captcha fields and do bot checks when users are created. Requires 'hidden' fields in user create template |
| Activate antispam functionality – Comment | Activates antispam on Comment forms | Adds automatic hidden captcha fields and do bot checks when comments are submitted. Requires 'hidden' fields in comment edit template |
| Send a copy to email | Enter an email | An email with the blocked form content is sent to this address. |
| Seconds before post | Enter value in seconds, default is 2 seconds | Forms submitted before the value in seconds has passed since the last submit are marked as spam. |
| Allowed submits from same IP | Enter an value, default is 15 submits | If more than this number of forms are submitted from the same IP, they are marked as spam |
| IP submit timeframe in hours | Specify the IP quarantine length in hours, default is 24 hours | The timeframe the submit count from same IP will span over |
| Disable extended checks | Turns off seconds limit & IP submission limit completely |
SQL injection
The SQL Injection Check settings are used to tweak or disable our built-in SQL injection check security measures. When the SQL injection check is active - the default state - everything looking like an injection attempt will result in a temporary ban, and optionally a longer IP ban. The list of banned IPs can be found under \Files\System_BannedIps.txt with additional information about the cause of the ban. Only SQL injection attempts will return in IP bans – other forms of attack, such as cross scripting attempts, will only result in 404 on subsequent tries.
The following settings are available:
| Setting | Value | Notes |
|---|---|---|
| Disable SQL injection check | True/False | Disables SQL injection checks. We strongly advise against this |
| Do not ban IPs when injection is detected | True/False | Keeps SQL injection checks but turns off IP bans |
| Days to ban IP when injection is detected | Integer | Enter a ban length – defaults to 30 |
| Ignore the following form field names | Comma-separated list of field names | Disable SQL injection checks on specific fields |
| Whitelist IPs | Comma-separated list of IPs | |
| Send notification to e-mail | List of emails | The specified email addresses will receive a notification when SQL injection attempts are detected. Use comma to separate email addresses |
Security headers
The Security headers section allows you to enable or disable several different security-specific headers in http request headers:
| Setting | Value | Notes |
|---|---|---|
| Enable 'X-XSS-Protection: 1; mode=block' header | True/false | Blocks rendering if supporting browsers detect XSS attacks |
| Enable 'X-Content-Type-Options: nosniff' header | True/false | Instructs browsers to use mime-type from response headers |
| Enable 'X-Frame-Options: sameorigin' header | True/false | Prevents browsers from rendering a page in a frame, iframe, embed or object element on other websites |
| Referrer polity | Select a referrer policy | Referrer-Policy: no-referrer-when-downgrade is browser |
| Enable 'Strict-Transport-Security: max-age=(expire-time)' header | True/false | Default expire-time is 2592000 seconds, which is 30 days. This header will cause problems if SSL certificate expires |
| Strict-Transport-Security max-age in seconds | Integer | The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Default is 2592000 |
| Custom HTTP response headers | List of custom HTTP response headers | Use the format 'header-name: header-value'. Separate headers with [;]. Use for i.e. Content-Security-Policy headers |
Debugging
The Debugging section makes it possible to disable various debugging & exception-related features:
| Setting | Used for | Notes |
|---|---|---|
| Do not allow debug=true | Disables the use of ?debug=true, dbstat=true etc. for users not logged in to the administration | |
| Throw exception from content modules | Throws a .NET exception if ContentModule.GetContent() has exceptions instead of rendering the exception on the page. Requires pool recycle | |
| Throw exception for templates | Throws a .NET exception if a Razor template has any errors at compile or runtime instead of rendering the exception on the page. Requires pool recycle | |
| Display friendly error message for templates and apps | Displays a friendly error message in frontend when a module or template exception occurs. Disables regular exceptions | |
| Friendly error message | Specify the friendly error messaged enabled using the previous setting |
DynamicWeb support
Finally, the Restrict access for support users setting allows you to remove angel-access from the solution. This is the access used by support staff to login to a solution when investigating issues.