General Security tab

Overview
Use this tab to configure the general, site-wide security settings.
To Access
From the Security Admin page, click the General Security tab.



Option, description and default

Smarty security
    Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing.
    Default: Enabled

Extra Smarty functions
    Make additional PHP functions available as Smarty functions. This may be needed for custom templates. There may be security implications: every function listed here becomes callable from any template, so make sure you know what you are doing.
    Default: None

Extra Smarty modifiers
    Make additional PHP functions available as Smarty modifiers. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing.
    Default: None

Extra Smarty directories
    Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing.
    Default: None

HTML purifier
    HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. It removes malicious code (better known as XSS) using a thoroughly audited, secure yet permissive whitelist, and it also makes your documents standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If HTML in your wiki pages gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature.
    Default: Enabled

Output should be HTML purified
    Runs HTML Purifier on wiki content and other outputs to filter out potential security problems such as XSS code. The HTML5 caveat above applies here as well. If HTML in your pages gets stripped out, make sure it is valid or de-activate this feature.
    Default: Disabled

Protect all sessions with HTTPS
    Always redirect to HTTPS to prevent session hijacking through network sniffing.
    Warning: activate only if HTTPS (SSL/TLS) is already configured and working; otherwise all users, including admin, will be locked out of the site.
    Default: Disabled

HTTP Basic Authentication
    Check credentials sent with HTTP Basic Authentication, which lets web services authenticate with user credentials. Basic Authentication only base64-encodes the credentials, so with "Always" they travel in the clear on any plain-HTTP request; "SSL Only" accepts them over HTTPS only.
    Values: Disable | SSL Only (Recommended) | Always
    Default: Disable

Prevent common passwords
    For improved security, prevent users from choosing blacklisted passwords. Use the default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist.
    Default: Disabled

Require admin users to enter their password for some critical actions
    The user's password will be required for critical operations that can compromise system security or stability, such as adding users to the admin group.
    Default: Enabled

Allow sending newsletters through external clients
    Generate mailto links using the recipients as the BCC list. This exposes the list of email addresses to all users allowed to send newsletters.
    Default: Disabled

Validate uploaded file content
    Do not trust user input: open uploaded files and verify their content rather than relying on the file name or the declared MIME type.
    Default: Enabled

Allow the tiki_p_trust_input permission
    Bypass user input filtering for users holding this permission. Note: all permissions, including this one, are granted to the Admins group, so enabling it may expose your site to XSS (Cross Site Scripting) attacks through admin users.
    Default: Disabled

Quick permission assignment
    Quickperms are an interface, in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object.
    Default: Disabled

Verify HTTPS certificates of remote servers
    When set to enforce, the server will refuse to connect over HTTPS to a remote server whose SSL certificate is not valid or cannot be verified against the local list of Certificate Authorities (CAs). Without enforcement, server-to-server HTTPS connections can be intercepted by anyone able to present a forged certificate.
    Values: Do not enforce verification | Enforce verification
    Default: None

Use CURL for HTTP connections
    Use cURL instead of sockets for server-to-server HTTP connections, when sockets are not available.
    Default: Disabled

Debugger console
    A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking Quick Administration -> Smarty debug window, or by appending ?show_smarty_debug=1 (or &show_smarty_debug=1) to the page URL. You may also execute SQL, watch variables and perform a number of other functions. Only viewable by admins. Not suitable for production use: it gives any admin session direct SQL access to the database.
    Default: Disabled

Tiki template viewing
    May not be functional in Tiki 14+.
    Default: Disabled

Edit templates
    May not be functional in Tiki 14+.
    Default: Disabled

Edit CSS
    Edit CSS files directly in the browser. May not be functional in Tiki 14+.
    Default: Disabled

User encryption
    Tiki user encryption enables personal, secure storage of sensitive data such as passwords. Only the user can see the data; no decryption passwords are stored. This is an experimental feature. Using it may cause loss of the encrypted data.
    Default: Disabled

Password domains
    Securely store extra user passwords and other user-specific data for other "domains", or just for yourself.
    Default: Userkey

Use short lived CSRF tokens
    CSRF tokens generated will be valid for one use only and will have a limited life span. Making tokens short lived may increase the number of errors on submitting forms when users take a long time to finish an operation or the session is lost.
    Default: Disabled

Security timeout
    Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set; otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case. The minimum value is 30 seconds, to avoid blocking everyone from making any changes, including to this setting.
    Default: 14400 seconds

Require confirmation of an action if a possible CSRF is detected
    Default: Disabled

HTTP header X-Frame-Options
    The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render the page in a <frame>, <iframe> or <object>. In browsers that support CSP Level 2, a Content-Security-Policy frame-ancestors directive takes precedence over this header; sending both covers old and new browsers.
    Header value: DENY | SAMEORIGIN
    Default: Enabled, header value DENY

HTTP header X-XSS-Protection
    The X-XSS-Protection header was designed to enable the cross-site scripting (XSS) filter built into older browsers. Chromium-based browsers and Safari have since removed their filters and Firefox never implemented one, so the header is deprecated; the filter in mode 1 was itself a source of information leaks, and 0 is the value now generally recommended if the header is sent at all.
    Header value: 0 | 1 | 1;mode=block
    Default: Enabled, header value 1;mode=block

HTTP header X-Content-Type-Options
    The X-Content-Type-Options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. The header is sent with the value nosniff, its only defined value.
    Default: Enabled

HTTP header Content-Security-Policy
    The Content-Security-Policy header allows web site administrators to control which resources the user agent is allowed to load for a given page.
    Header value: for example, to allow your Tiki to appear in an iframe on example.com, set this value to frame-ancestors https://example.com/
    Default: Enabled, header value None

HTTP header Strict-Transport-Security
    The Strict-Transport-Security header (often abbreviated HSTS) lets a web site tell browsers that it should only be communicated with using HTTPS, never plain HTTP. Browsers remember this for the max-age given, so enable it only once the whole site (and, if you add includeSubDomains, every subdomain) works over HTTPS; a commonly used value once rollout is complete is max-age=31536000; includeSubDomains.
    Header value: None by default
    Default: Enabled

HTTP header Public-Key-Pins
    The Public-Key-Pins header associates a specific cryptographic public key with a web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate and will not display it. HPKP is deprecated and current browsers ignore it; where it is still honoured, a wrong pin or a certificate rotation that forgets the pinned key locks visitors out until max-age expires. Leave it disabled unless you have a tested key-rotation plan.
    Header value: None by default
    Default: Enabled
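The "Validate uploaded file content" option above rejects files whose bytes do not match what their name claims. The following is an added example written for this page, not Tiki's own check: the allow-list, the magic-byte table, the SVG pattern and the sample files are all constructed for the demonstration.

```python
"""Illustrates 'Validate uploaded file content': decide by the bytes, not by
the file name or the client-supplied Content-Type. Example code written for
this page; it is not Tiki's implementation, and the allow-list and
signatures are assumptions chosen for the demonstration."""
import re

# Leading bytes ("magic") for the allowed binary types (assumed allow-list).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# SVG is XML that the browser renders, so it may carry script; also catch
# PHP tags in case the file is later served or included as text.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|\?php)|\bon\w+\s*=|javascript:", re.IGNORECASE)


def sniff(data: bytes):
    """Return the type whose signature matches the start of the bytes, or None."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for a file as the server received it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SIGNATURES:
        detected = sniff(data)
        if detected is None:
            return False, f"{filename}: bytes do not match any allowed signature"
        # jpg and jpeg share a signature, so compare signatures, not names.
        if SIGNATURES[detected] != SIGNATURES[ext]:
            return False, f"{filename}: named .{ext} but content is {detected}"
        return True, "ok"
    if ext == "svg":
        if ACTIVE_CONTENT.search(data):
            return False, f"{filename}: SVG contains script, event handler or javascript: URL"
        return True, "ok"
    return False, f"{filename}: extension {ext!r} is not allowed"


# Constructed samples; none of these are real files from the page.
SAMPLES = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("shell.png", b"<?php system($_GET['c']); ?>"),             # webshell renamed to .png
    ("report.pdf", b"GIF89a" + b"\x00" * 8),                    # wrong type for its name
    ("icon.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    ("plain.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'),
    ("tool.exe", b"MZ\x90\x00"),
]


def run_samples() -> dict:
    """Validate every sample; maps file name to (accepted, reason)."""
    return {name: validate_upload(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The point of the check is the ordering: the extension only selects which signature to demand; acceptance depends on the bytes. A webshell uploaded as shell.png fails because it has no PNG signature, and a GIF named report.pdf fails because its bytes match a different allowed type.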
The page shows this table three times, apparently once per Tiki version tab; the tab labels did not survive extraction. The second and third copies repeat the table above row for row, with these differences:

Second copy
    The six "HTTP header ..." options default to Disabled rather than Enabled (their header values are unchanged).

Third copy
    The six "HTTP header ..." options default to Disabled rather than Enabled.
    The options "Require admin users to enter their password for some critical actions" and "Use short lived CSRF tokens" are not present.
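The "Use short lived CSRF tokens" and "Security timeout" options describe tickets that are valid once and expire. The following added example, written for this page and not Tiki's implementation, shows what those rules imply for a user who is slow or whose ticket is intercepted; the 30-second floor and four-hour ceiling come from the table, while the ticket store layout, the session binding and the FakeClock are assumptions made for the demonstration.

```python
"""Illustrates the behaviour the 'Use short lived CSRF tokens' and
'Security timeout' options describe: tickets bound to a session, valid
once, and only until the timeout. Example code written for this page;
it is not Tiki's implementation."""
import secrets
import time

MIN_TIMEOUT = 30          # seconds; the minimum the tab accepts
MAX_TIMEOUT = 4 * 3600    # seconds; the default maximum (14400)


class TicketStore:
    def __init__(self, timeout_seconds: int, clock=time.time):
        # Clamp to the same range the setting allows.
        self.timeout = max(MIN_TIMEOUT, min(int(timeout_seconds), MAX_TIMEOUT))
        self.clock = clock
        self._tickets = {}   # ticket -> (session_id, expiry)

    def issue(self, session_id: str) -> str:
        ticket = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tickets[ticket] = (session_id, self.clock() + self.timeout)
        return ticket

    def redeem(self, session_id: str, ticket: str) -> bool:
        entry = self._tickets.pop(ticket, None)   # removed on first use, valid or not
        if entry is None:
            return False                          # unknown, or already used
        owner, expiry = entry
        return owner == session_id and self.clock() <= expiry

    def purge(self) -> int:
        """Drop expired tickets; returns how many were removed."""
        now = self.clock()
        stale = [t for t, (_, exp) in self._tickets.items() if exp < now]
        for t in stale:
            del self._tickets[t]
        return len(stale)


class FakeClock:
    """Controllable clock so the scenarios below are deterministic."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def scenarios() -> dict:
    """Run the cases a practitioner cares about and return their outcomes."""
    clock = FakeClock()
    store = TicketStore(timeout_seconds=60, clock=clock)
    out = {}

    t = store.issue("sess-A")
    out["fresh_ticket_accepted"] = store.redeem("sess-A", t)
    out["replay_rejected"] = store.redeem("sess-A", t)          # one use only

    t = store.issue("sess-A")
    out["other_session_rejected"] = store.redeem("sess-B", t)  # bound to the session
    out["burned_after_misuse"] = store.redeem("sess-A", t)     # the failed attempt consumed it

    t = store.issue("sess-A")
    clock.now += 61                                            # user took too long
    out["expired_rejected"] = store.redeem("sess-A", t)

    out["floor_applied"] = TicketStore(5, clock).timeout
    out["ceiling_applied"] = TicketStore(10**6, clock).timeout
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The "burned_after_misuse" case is the usability cost the table warns about: once a ticket has been presented, even unsuccessfully, the legitimate user gets an error and has to reload the form, which is why short lifetimes raise the error rate for slow operations.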

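The HTTP header options at the end of the table only help if the headers actually reach the browser; a reverse proxy or cache in front of Tiki can strip or override them. The following is an added example, not part of Tiki or of this page: a Python audit of a response's security headers that flags the missing, weak or deprecated settings discussed above. The WEAK and HARDENED header sets are constructed samples; pass a URL as the first argument to fetch live headers instead.

```python
"""Audit the security response headers this tab controls. Example code
written for this page; it is not part of Tiki. Pass a URL on the command
line to fetch live headers, otherwise the constructed WEAK sample runs."""
import sys
import urllib.request

ONE_YEAR = 31536000


def _norm(headers) -> dict:
    """Lower-case header names; keep the first value seen for each."""
    out = {}
    for name, value in dict(headers).items():
        out.setdefault(name.lower().strip(), value.strip())
    return out


def audit(headers, https: bool = True) -> list:
    """Return a list of findings (empty means nothing to report)."""
    h = _norm(headers)
    findings = []

    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy", "")
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    if not csp:
        findings.append("no Content-Security-Policy header")

    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("no Strict-Transport-Security header on an HTTPS site")
        else:
            max_age = 0
            for part in hsts.split(";"):
                k, _, v = part.strip().partition("=")
                if k.lower() == "max-age" and v.strip().isdigit():
                    max_age = int(v)
            if max_age < ONE_YEAR:
                findings.append(f"HSTS max-age is {max_age}s; raise to >= {ONE_YEAR} once rollout is complete")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(f"X-XSS-Protection {xss!r}: browser XSS filters are gone; send 0 or drop the header")

    if "public-key-pins" in h or "public-key-pins-report-only" in h:
        findings.append("Public-Key-Pins is deprecated and ignored by current browsers; remove it")

    return findings


# Constructed sample: a site with the header options left at Disabled.
WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: the header options enabled with sensible values.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "0",
}


def fetch_headers(url: str) -> dict:
    """HEAD the URL and return its response headers (network access needed)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        found = audit(fetch_headers(url), https=url.startswith("https://"))
    else:
        found = audit(WEAK)
    print("\n".join(found) or "no findings")
```

Run it against the public hostname, not localhost, so that whatever sits in front of Tiki is included in what you measure; the HSTS check is only meaningful over HTTPS, which is why the https flag follows the URL scheme.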