General Security tab

Overview
Use this tab to configure the general, site-wide security settings.

To Access
From the Security Admin page, click the General Security tab.



Option: Smarty security
Description: Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing.
Default: Enabled

Option: Extra Smarty functions
Description: Make additional PHP functions available as Smarty functions. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty modifiers
Description: Make additional PHP functions available as Smarty modifiers. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty directories
Description: Make additional directories available as Smarty directories. May be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing.
Default: None

Option: HTML Purifier
Description: HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. It not only removes all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it also ensures that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or deactivate this feature.
Default: Enabled

Option: Output should be HTML purified
Description: This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, make sure your HTML is valid or deactivate this feature.
Default: Disabled

Option: Protect all sessions with HTTPS
Description: Always redirect to HTTPS to prevent session hijacking through network sniffing. Warning: activate only if SSL is already configured; otherwise all users, including admin, will be locked out of the site.
Default: Disabled

Option: HTTP Basic Authentication
Description: Check credentials from HTTP Basic Authentication, which is useful to allow web services to use credentials. Choices: Disable | SSL Only (Recommended) | Always
Default: Disable

Option: Allow sending newsletters through external clients
Description: Generate mailto links using the recipients as the BCC list. This will expose the list of email addresses to all users allowed to send newsletters.
Default: Disabled

Option: Validate uploaded file content
Description: Do not trust user input; open the files to verify their content.
Default: Enabled

Option: Allow the tiki_p_trust_input permission
Description: Bypasses user input filtering. Note: all permissions are granted to the Admins group, including this one, so if you enable this you may expose your site to XSS (Cross-Site Scripting) attacks for admin users.
Default: Disabled

Option: Quick permission assignment
Description: Quickperms are an interface, in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object.
Default: Disabled

Option: User encryption
Description: Tiki user encryption enables personal, secure storage of sensitive data, e.g. passwords. Only the user can see the data. No decryption passwords are stored. Enables personal, secure storage of sensitive data such as passwords. This is an experimental feature. Using it may cause loss of the encrypted data.
Default: Disabled

Option: Password domains
Description: Securely store extra user passwords and other user-specific data for other "domains", or just for yourself.
Default: Userkey

Option: Verify HTTPS certificates of remote servers
Description: When set to enforce, the server will fail to connect over HTTPS to a remote server that does not have an SSL certificate that is valid and can be verified against the local list of Certificate Authorities (CA). Choices: Do not enforce verification | Enforce verification
Default: None

Option: Debugger console
Description: Not suitable for production use.
Default: Disabled

Option: Require confirmation of an action if a possible CSRF is detected
Default: Disabled

Option: Protect against CSRF with a ticket
Default: Enabled
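
The HTTP Basic Authentication setting above has three values. The following added Python example (not Tiki's code) shows the policy those values describe: credentials are decoded from the Authorization header only when the setting permits them on the request's transport, and a malformed header is rejected rather than guessed at. The class name BasicAuthPolicy, the function names and the sample header are assumptions constructed for the example.

```python
import base64
import binascii
from enum import Enum


class BasicAuthPolicy(Enum):
    """The three values of the 'HTTP Basic Authentication' setting (names assumed here)."""
    DISABLE = "Disable"
    SSL_ONLY = "SSL Only"
    ALWAYS = "Always"


def encode_basic(user, password):
    """Build the header value a client would send; used here only to construct test input."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_credentials(authorization_header):
    """Return (user, password) from an Authorization header, or None if absent or malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # The first colon separates user from password; later colons belong to the password.
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def basic_credentials_for_request(policy, is_https, authorization_header):
    """Credentials the application may check under the given policy, otherwise None.

    'SSL Only' ignores the header on plain HTTP, so a password is never accepted from a
    request that could have been read on the wire; 'Disable' ignores it everywhere.
    """
    if policy is BasicAuthPolicy.DISABLE:
        return None
    if policy is BasicAuthPolicy.SSL_ONLY and not is_https:
        return None
    return parse_basic_credentials(authorization_header)


# Constructed sample request header for the stand-alone run.
SAMPLE_HEADER = encode_basic("alice", "s3cret")

if __name__ == "__main__":
    for policy in BasicAuthPolicy:
        for https in (False, True):
            print(policy.value, "https" if https else "http",
                  basic_credentials_for_request(policy, https, SAMPLE_HEADER))
```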

Option: Smarty Security
Description: Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing.
Default: Enabled

Option: Extra Smarty functions
Description: Make additional PHP functions available as Smarty functions. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty modifiers
Description: Make additional PHP functions available as Smarty modifiers. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty directories
Description: Make additional directories available as Smarty directories. May be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing.
Default: None

Option: HTML Purifier
Description: HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. It not only removes all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it also ensures that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or deactivate this feature.
Default: Enabled

Option: Output should be HTML Purified
Description: This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, make sure your HTML is valid or deactivate this feature. Experimental.
Default: Disabled

Option: Protect all sessions with HTTPS
Description: Always redirect to HTTPS to prevent session hijacking through network sniffing. Warning: activate only if SSL is already configured; otherwise all users, including admin, will be locked out of the site.
Default: Disabled

Option: HTTP Basic Authentication
Description: Check credentials from HTTP Basic Authentication, which is useful to allow web services to use credentials. Choices: Disable | SSL Only (Recommended) | Always
Default: Disable

Option: Allow sending newsletters through external clients
Description: Generate mailto links using the recipients as the BCC list. This will expose the list of email addresses to all users allowed to send newsletters.
Default: Disabled

Option: Validate uploaded file content
Description: Do not trust user input; open the files to verify their content.
Default: Enabled

Option: Allow the tiki_p_trust_input permission
Description: Bypasses user input filtering. Note: all permissions are granted to the Admins group, including this one, so if you enable this you may expose your site to XSS (Cross-Site Scripting) attacks for admin users.
Default: Disabled

Option: Quick Permission Assignment
Description: Quickperms are an interface, in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object.
Default: Disabled

Option: User Encryption
Description: Tiki user encryption enables personal, secure storage of sensitive data, e.g. passwords. Only the user can see the data. No decryption passwords are stored. Enables personal, secure storage of sensitive data such as passwords. This is an experimental feature. Using it may cause loss of the encrypted data.
Default: Disabled

Option: Password Domains
Description: Securely store extra user passwords and other user-specific data for other "domains", or just for yourself.
Default: Userkey

Option: Verify HTTPS certificates of remote servers
Description: When set to enforce, the server will fail to connect over HTTPS to a remote server that does not have an SSL certificate that is valid and can be verified against the local list of Certificate Authorities (CA). Choices: Do not enforce verification | Enforce verification
Default: None

Option: Debugger console
Description: Not suitable for production use.
Default: Disabled

Option: Require confirmation of an action if a possible CSRF is detected
Default: Disabled

Option: Protect against CSRF with a ticket
Default: Enabled


Option: Smarty Security
Description: Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing.
Default: Enabled

Option: Extra Smarty functions
Description: Make additional PHP functions available as Smarty functions. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty modifiers
Description: Make additional PHP functions available as Smarty modifiers. May be needed for custom templates. There may be security implications. Make sure you know what you are doing.
Default: None

Option: Extra Smarty directories
Description: Make additional directories available as Smarty directories. May be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing.
Default: None

Option: HTML Purifier
Description: HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. It not only removes all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it also makes sure your documents are standards-compliant, something only achievable with a comprehensive knowledge of W3C's specifications. If you are trying to use HTML in your pages and it gets stripped out, make sure your HTML is valid or deactivate this feature.
Default: Enabled

Option: Output should be HTML Purified
Description: This enables HTML Purifier on outputs to filter potential remaining security problems like XSS. If you are trying to use HTML in your pages and it gets stripped out, make sure your HTML is valid or deactivate this feature. Experimental.
Default: Disabled

Option: Allow HTML in menu option names and URLs
Description: If enabled, menu option names and URLs are treated as HTML content and are not escaped (no replacement of HTML special characters). This allows the use of HTML, for example to insert images. Code must be valid. This allows menu item editors to put in arbitrary HTML; only enable it if you know what you are doing.
Default: Disabled

Option: REALLY allow HTML (INSECURE)
Description: This needs to be checked for the parent preference to actually be enabled. This allows menu item editors to put in arbitrary HTML, which could allow session hijacking; only enable it if you know what you are doing.
Default: Disabled

Option: Protect all sessions with HTTPS
Description: Always redirect to HTTPS to prevent session hijacking through network sniffing. Only activate this if you have already configured SSL; otherwise you will lock yourself out of Tiki.
Default: Disabled

Option: HTTP Basic Authentication
Description: Check credentials from HTTP Basic Authentication, useful to allow web services to use credentials. Choices: Disable | SSL Only (Recommended) | Always
Default: Disable

Option: Allow sending newsletters through external clients
Description: Generate mailto links using the recipients as the BCC list. This will expose the list of email addresses to all users allowed to send newsletters.
Default: Disabled

Option: Validate uploaded file content
Description: Do not trust user input; open the files to verify their content.
Default: Enabled

Option: Allow the tiki_p_trust_input permission
Description: Bypasses user input filtering. Note: all permissions are granted to the Admins group, including this one, so if you enable this you may expose your site to XSS (Cross-Site Scripting) attacks for admin users.
Default: Disabled

Option: Quick Permission Assignment
Description: Quickperms allow you to define classes of privileges and grant them to roles on objects.
Default: Disabled

Option: User Encryption
Description: Tiki user encryption enables personal, secure storage of sensitive data, e.g. passwords. Only the user can see the data. No decryption passwords are stored. Enables personal, secure storage of sensitive data, e.g. passwords. This is an experimental feature. Using it may cause loss of the encrypted data.
Default: Disabled

Option: Password Domains
Description: Securely store extra user passwords and other user-specific data for other "domains", or just for yourself.
Default: Userkey

Option: Debugger Console
Description: Not suitable for production use.
Default: Disabled

Option: Require confirmation if possible CSRF detected
Default: Disabled

Option: Protect against CSRF with a ticket
Default: Enabled
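
The two CSRF rows, confirmation when a possible CSRF is detected and protection with a ticket, as an added Python illustration that is not Tiki's implementation: a ticket bound to the session with an HMAC and a lifetime, verified in constant time, plus the Origin/Referer check that decides whether a state-changing action should ask for confirmation. The secret, the lifetime and all function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Assumed values for the example; a real deployment keeps the secret in its configuration.
SERVER_SECRET = b"constructed-example-secret"
TICKET_TTL_SECONDS = 900  # how long an issued ticket stays usable


def _mac(session_id, issued_at):
    """HMAC over the session id and issue time, so a ticket only works for that session."""
    msg = f"{session_id}:{issued_at}".encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_ticket(session_id, issued_at=None):
    """Issue a ticket to embed in a form as a hidden field: '<issued_at>.<hmac>'."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def ticket_is_valid(ticket, session_id, now=None):
    """True only if the ticket was issued for this session and is still within its lifetime."""
    now = int(time.time()) if now is None else int(now)
    issued_str, sep, mac = (ticket or "").partition(".")
    if not sep:
        return False
    try:
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TICKET_TTL_SECONDS:
        return False
    # Constant-time comparison: a plain '==' would leak how many leading bytes matched.
    return hmac.compare_digest(_mac(session_id, issued_at), mac)


def possible_csrf(site_host, origin_header=None, referer_header=None):
    """The 'require confirmation' heuristic: a state-changing request is suspicious when the
    Origin (or, failing that, Referer) host is missing, unparsable or not the site's own host."""
    for header in (origin_header, referer_header):
        if header:
            host = urlsplit(header).hostname  # None for values such as 'null'
            return host is None or host.lower() != site_host.lower()
    return True  # neither header sent: same-site cannot be shown, so ask the user to confirm


if __name__ == "__main__":
    ticket = make_ticket("sess-example")
    print("valid for own session:", ticket_is_valid(ticket, "sess-example"))
    print("valid for other session:", ticket_is_valid(ticket, "sess-other"))
    print("cross-site origin flagged:", possible_csrf("wiki.example", "https://other.example"))
```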




doc.tiki.org