Table of Contents

Security

Form settings, SQL injection checks, security headers, etc.

The Security node contains various settings related to security, divided into sections as described below.

Form

The Form settings are used to activate antispam on forms. Once activated, a set of hidden input fields are generated when a form is rendered – if filled (by bots) the form is regarded as spam.

The following settings are available:

Setting Use Notes
Activate antispam functionality - Forms Activates antispam on Forms for Editors forms Adds automatic hidden captcha fields and do bot checks when forms are submitted. Requires the 'formhidden' fields in the form templates
Activate antispam functionality – Users Activates antispam on Extranet forms Adds automatic hidden captcha fields and do bot checks when users are created. Requires 'hidden' fields in user create template
Activate antispam functionality – Comment Activates antispam on Comment forms Adds automatic hidden captcha fields and do bot checks when comments are submitted. Requires 'hidden' fields in comment edit template
Send a copy to email Enter an email An email with the blocked form content is sent to this address.
Seconds before post Enter value in seconds, default is 2 seconds Forms submitted before the value in seconds has passed since the last submit are marked as spam.
Allowed submits from same IP Enter an value, default is 15 submits If more than this number of forms are submitted from the same IP, they are marked as spam
IP submit timeframe in hours Specify the IP quarantine length in hours, default is 24 hours The timeframe the submit count from same IP will span over
Disable extended checks Turns off seconds limit & IP submission limit completely

SQL injection

The SQL Injection Check settings are used to tweak or disable our built-in SQL injection check security measures. When the SQL injection check is active - the default state - everything looking like an injection attempt will result in a temporary ban, and optionally a longer IP ban. The list of banned IPs can be found under \Files\System_BannedIps.txt with additional information about the cause of the ban. Only SQL injection attempts will return in IP bans – other forms of attack, such as cross scripting attempts, will only result in 404 on subsequent tries.

The following settings are available:

Setting Value Notes
Disable SQL injection check True/False Disables SQL injection checks. We strongly advise against this
Do not ban IPs when injection is detected True/False Keeps SQL injection checks but turns off IP bans
Days to ban IP when injection is detected Integer Enter a ban length – defaults to 30
Ignore the following form field names Comma-separated list of field names Disable SQL injection checks on specific fields
Whitelist IPs Comma-separated list of IPs
Send notification to e-mail List of emails The specified email addresses will receive a notification when SQL injection attempts are detected. Use comma to separate email addresses

Security headers

The Security headers section allows you to enable or disable several different security-specific headers in http request headers:

Setting Value Notes
Enable 'X-XSS-Protection: 1; mode=block' header True/false Blocks rendering if supporting browsers detect XSS attacks
Enable 'X-Content-Type-Options: nosniff' header True/false Instructs browsers to use mime-type from response headers
Enable 'X-Frame-Options: sameorigin' header True/false Prevents browsers from rendering a page in a frame, iframe, embed or object element on other websites
Referrer polity Select a referrer policy Referrer-Policy: no-referrer-when-downgrade is browser
Enable 'Strict-Transport-Security: max-age=(expire-time)' header True/false Default expire-time is 2592000 seconds, which is 30 days. This header will cause problems if SSL certificate expires
Strict-Transport-Security max-age in seconds Integer The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Default is 2592000
Custom HTTP response headers List of custom HTTP response headers Use the format 'header-name: header-value'. Separate headers with [;]. Use for i.e. Content-Security-Policy headers

Debugging

The Debugging section makes it possible to disable various debugging & exception-related features:

Setting Used for Notes
Do not allow debug=true Disables the use of ?debug=true, dbstat=true etc. for users not logged in to the administration
Throw exception from content modules Throws a .NET exception if ContentModule.GetContent() has exceptions instead of rendering the exception on the page. Requires pool recycle
Throw exception for templates Throws a .NET exception if a Razor template has any errors at compile or runtime instead of rendering the exception on the page. Requires pool recycle
Display friendly error message for templates and apps Displays a friendly error message in frontend when a module or template exception occurs. Disables regular exceptions
Friendly error message Specify the friendly error messaged enabled using the previous setting

DynamicWeb support

Finally, the Restrict access for support users setting allows you to remove angel-access from the solution. This is the access used by support staff to login to a solution when investigating issues.

To top