Security
Form settings, SQL injection checks, security headers, etc.
The Security node contains various settings related to security, divided into sections as described below.
Form
The Form settings are used to activate antispam on forms. Once activated, a set of hidden input fields are generated when a form is rendered – if filled (by bots) the form is regarded as spam.
The following settings are available:
| Setting | Use | Notes |
|---|---|---|
| Activate antispam functionality - Forms | Activates antispam on Forms for Editors forms | Adds automatic hidden captcha fields and do bot checks when forms are submitted. Requires the 'formhidden' fields in the form templates |
| Activate antispam functionality – Users | Activates antispam on Extranet forms | Adds automatic hidden captcha fields and do bot checks when users are created. Requires 'hidden' fields in user create template |
| Activate antispam functionality – Comment | Activates antispam on Comment forms | Adds automatic hidden captcha fields and do bot checks when comments are submitted. Requires 'hidden' fields in comment edit template |
| Send notification to e-mail | Enter an email | An email with the blocked form content is sent to this address. |
| Seconds before post | Enter value in seconds, default is 2 seconds | Forms submitted before the value in seconds has passed since the last submit are marked as spam. |
| Allowed submits from same IP | Enter an value, default is 15 submits | If more than this number of forms are submitted from the same IP, they are marked as spam |
| IP submit timeframe in hours | Specify the IP quarantine length in hours, default is 24 hours | The timeframe the submit count from same IP will span over |
| Disable extended checks | Turns off seconds limit & IP submission limit completely |
SQL injection
The SQL Injection Check settings are used to tweak or disable our built-in SQL injection check security measures. When the SQL injection check is active - the default state - everything looking like an injection attempt will result in a temporary ban, and optionally a longer IP ban. The list of banned IPs can be found under \Files\System_BannedIps.txt with additional information about the cause of the ban. Only SQL injection attempts will return in IP bans – other forms of attack, such as cross scripting attempts, will only result in 404 on subsequent tries.
The following settings are available:
| Setting | Value | Notes |
|---|---|---|
| Disable SQL injection check | True/False | Disables SQL injection checks. We strongly advise against this |
| Do not ban IPs when injection is detected | True/False | Keeps SQL injection checks but turns off IP bans |
| Days to ban IP when injection is detected | Integer | Enter a ban length – defaults to 30 |
| Ignore the following form field names | Comma-separated list of field names | Disable SQL injection checks on specific fields |
| Whitelist IPs | Comma-separated list of IPs | |
| Send notification to e-mail | List of emails | The specified email addresses will receive a notification when SQL injection attempts are detected. Use comma to separate email addresses |
Security headers
The Security headers section allows you to enable or disable several different security-specific headers in http request headers:
| Setting | Value | Notes |
|---|---|---|
| Enable 'X-XSS-Protection: 1; mode=block' header | True/false | Blocks rendering if supporting browsers detect XSS attacks |
| Enable 'X-Content-Type-Options: nosniff' header | True/false | Instructs browsers to use mime-type from response headers |
| Enable 'X-Frame-Options: sameorigin' header | True/false | Prevents browsers from rendering a page in a frame, iframe, embed or object element on other websites |
| Referrer polity | Select a referrer policy | Referrer-Policy: no-referrer-when-downgrade is browser |
| Enable 'Strict-Transport-Security: max-age=(expire-time)' header (HTST) | True/false | Default expire-time is 2592000 seconds, which is 30 days. This header will cause problems if SSL certificate expires |
| Strict-Transport-Security max-age in seconds | Integer | The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Default is 2592000 |
| Custom HTTP response headers | List of custom HTTP response headers | Use the format 'header-name: header-value'. Separate headers with [;]. Use for i.e. Content-Security-Policy headers |
Image validation and GetImage.ashx security
The Image validation settings control how GetImage.ashx processes on-demand image requests. Without restrictions, an attacker could generate millions of unique images by varying parameters such as width, height, format, and quality, which may cause a denial-of-service (DoS) situation. These settings allow you to define limits that reduce the attack surface and server load.
The following settings are available:
| Setting | Value | Notes |
|---|---|---|
| Enable image validation | True/False | Activates validation and enforcement of the settings below. |
| Minimum image width | Integer (px) | Requests smaller than this will be adjusted upwards. Prevents tiny images from triggering excessive file variations. |
| Minimum image height | Integer (px) | Requests shorter than this will be adjusted upwards. |
| Minimum image quality | Integer (1–100) or -1 for WebP lossless | Requests lower than this will be adjusted. Helps avoid very low-quality variations. |
| Maximum image width | Integer (px) | Requests wider than this will be capped. Prevents oversized image generation. |
| Maximum image height | Integer (px) | Requests taller than this will be capped. |
| Maximum image quality | Integer (1–100) or -1 for WebP lossless | Requests higher than this will be adjusted. |
| Allow WebP lossless compression | True/False | Controls whether Quality = -1 (lossless WebP) is permitted. If disabled, requests fall back to lossy quality. |
| Allowed image widths | List of integers (px) | If defined, only these widths are permitted. Other values are normalized to the nearest allowed. |
| Allowed image heights | List of integers (px) | If defined, only these heights are permitted. |
| Allowed image qualities | List of integers | If defined, only these quality values are permitted. |
| Allowed image parameters | List of parameter names | Explicitly whitelists query parameters such as Format, Quality, Ratio, crop, etc. Parameters not in the list are rejected. Image, Width, and Height are always allowed. |
Behavior
- Requests to
GetImage.ashxare validated against the configured limits. - Disallowed parameters return 400 Bad Request.
- Values outside min/max ranges are automatically normalized.
- If allowed lists are configured, invalid values are rounded to the nearest allowed option.
- Administrators logged into the backend can bypass validation with
skipValidation=true(useful for testing).
Example configuration
- Max width: 2000
- Max height: 2000
- Allowed widths: 500, 1000, 1500, 2000
- Allowed parameters:
Format, Quality, crop, Ratio
This ensures that only controlled sets of images can be generated, preventing attackers from exhausting system resources with arbitrary requests.
Debugging
The Debugging section makes it possible to disable various debugging & exception-related features:
| Setting | Used for | Notes |
|---|---|---|
| Do not allow debug=true | Disables the use of ?debug=true, dbstat=true etc. for users not logged in to the administration | |
| Throw exception from content modules | Throws a .NET exception if ContentModule.GetContent() has exceptions instead of rendering the exception on the page. Requires pool recycle | |
| Throw exception for templates | Throws a .NET exception if a Razor template has any errors at compile or runtime instead of rendering the exception on the page. Requires pool recycle | |
| Display friendly error message for templates and apps | Displays a friendly error message in frontend when a module or template exception occurs. Disables regular exceptions | |
| Friendly error message | Specify the friendly error messaged enabled using the previous setting |
DynamicWeb support
Finally, the Restrict access for support users setting allows you to remove angel-access from the solution. This is the access used by support staff to login to a solution when investigating issues.