Score
| Option | Description | Default |
|---|---|---|
| Score | Score is a game to motivate participants to increase their contribution by comparing to other users. | Disabled |
| Score expiry | 0 days |
| Option | Description | Default |
|---|---|---|
| Score | Score is a game to motivate participants to increase their contribution by comparing to other users. | Disabled |
| Score expiry | 0 days |
| Option | Description | Default |
|---|---|---|
| Score | Score is a game to motivate participants to increase their contribution by comparing to other users. | Disabled |
| Score expiry | 0 days |
| Option | Description | Default |
|---|---|---|
| Score | Score is a game to motivate participants to increase their contribution by comparing to other users. | Disabled |
| Score expiry | 0 days |
| Option | Description | Default |
|---|---|---|
| Score | Score is a game to motivate participants to increase their contribution by comparing to other users. | Disabled |
| Score expiry | 0 days |
Search - Federated search
| Option | Description | Default |
|---|---|---|
| Federated search | Search through alternate site indices. Elasticsearch or Manticore Search is required |
Disabled |
| Elasticsearch tribe node URL | URL of the tribe client node accessing multiple clusters. | None |
| Manticore distributed index prefix | The prefix used when creating distributed index in Manticore. This needs to be the same for all sites participating in the federation. | Tiki_ |
| Option | Description | Default |
|---|---|---|
| Federated search | Search through alternate site indices. Elasticsearch or Manticore Search is required |
Disabled |
| Elasticsearch tribe node URL | URL of the tribe client node accessing multiple clusters. | None |
| Manticore distributed index prefix | The prefix used when creating distributed index in Manticore. This needs to be the same for all sites participating in the federation. | Tiki_ |
| Option | Description | Default |
|---|---|---|
| Federated search | Search through alternate site indices. Elasticsearch or Manticore Search is required |
Disabled |
| Elasticsearch tribe node URL | URL of the tribe client node accessing multiple clusters. | None |
| Manticore distributed index prefix | The prefix used when creating distributed index in Manticore. This needs to be the same for all sites participating in the federation. | Tiki_ |
| Option | Description | Default |
|---|---|---|
| Federated search | Search through alternate site indices. Elasticsearch is required |
Disabled |
| Elasticsearch tribe node URL | URL of the tribe client node accessing multiple clusters. | None |
| Option | Description | Default |
|---|---|---|
| Federated search | Search through alternate site indices. Elasticsearch is required |
Disabled |
| Elasticsearch tribe node URL | URL of the tribe client node accessing multiple clusters. | None |
Search - General settings
| Option | Description | Default |
|---|---|---|
| Unified search index | Enables searching for content at the site using a Tiki-managed index. It's recommended to set a cron job to periodically rebuild the search index. |
Enabled |
| Search statistics | Enables administrators to collect and view statistics on search activity. | Disabled |
| Users available in search results | Users available within search results. Content related to the user will be included in the index. None | All | Public |
None |
| Incremental Index Update | Update the index incrementally as the site content is modified. This may lead to lower performance and accuracy than processing the index on a periodic basis. |
Enabled |
| Search index rebuild memory limit | Temporarily adjust the memory limit to use during Search index rebuild. Depending on the volume of data, some large operations require more memory. Increasing it locally, per operation, allows to keep a lower memory limit globally. Keep in mind that memory usage is still limited to what is available on the server. for example: 256M |
None |
| Search index rebuild time limit | Temporarily adjust the time limit to use during Search index rebuild. Depending on the volume of data, some requests may take longer. Increase the time limit locally to resolve the issue. Use reasonable values. for example: 30 |
None |
| Unified search engine | Search engine used to index the content of this Tiki site. Some engines are more suitable for larger sites, but require additional software on the server. MySQL full-text search | Elasticsearch | Manticore Search |
MySQL full-text search |
| Elasticsearch URL | URL of any node in the cluster | http://localhost:9200 |
| Elasticsearch Authentication | When Elasticsearch security module is enabled, user authentication can be set up here. No Authentication | Basic Authentication |
None |
| Elasticsearch User | HTTP basic authentication user to be sent with each request to Elasticsearch. | None |
| Elasticsearch Password | HTTP basic authentication password to be sent with each request to Elasticsearch. | None |
| Elasticsearch index prefix | The prefix that is used for all indexes for this installation in Elasticsearch | Tiki_ |
| Elasticsearch current index | A new index is created upon rebuilding, and the old one is then destroyed. This setting enables seeing the currently active index. Do not change this value unless you know what you are doing. |
None |
| Elasticsearch field limit per index | The maximum number of fields per search index in Elasticsearch version 5.x and above | 1000 fields |
| Relation types to index within object. | Comma-separated relation types for which objects should be indexed in their related objects. Elasticsearch needed |
None |
| Use MySQL Full-Text Search (fallback) | In case of Elasticsearch is active and unavailable, use MySQL Full-Text Search as fallback | Disabled |
| MySQL use short field names | Due to frm file constraints, number of search fields that one index can hold is usually limited to about 1500. This can be exceeded if you have numerous tracker fields. Enabling this option will try to shorten the field names internally that should allow you to use 300-500 more fields. Switching this option requires full index rebuild. | Disabled |
| Restore old MySQL indexes during reindex | If set, after the reindex is performed, old table MySQL indexes will be restored to the reindex related table. | Disabled |
| Manticore URL | URL of the Manticore search server | http://127.0.0.1 |
| Manticore HTTP(S) Port | Port number for the HTTP(S) interface. | 9308 |
| Manticore MySQL Port | Port number for the MySQL interface. | 9306 |
| Manticore index prefix | The prefix that is used for all indexes for this installation in Manticore | Tiki_ |
| Manticore current index | A new set of indexes are created upon rebuilding, and the old ones are then destroyed. This setting enables seeing the currently active index prefix. Do not change this value unless you know what you are doing. |
None |
| Morphology processing | Advanced morphology preprocessors to apply in the Manticore index, comma-separated. For example libstemmer_en,libstemmer_fr. See Manticore manual for possible values. | None |
| Manticore indexed full-text fields | Manticore has a hard-limit of 256 full-text indexed fields per index. If your installation has more, some will be indexed as string attributes and perform the slower regex search. You can add a comma-separated list of fields to always index as full-text here. | title,contents |
| Default Boolean Operator | Use OR or AND as the default search operator. AND | OR |
AND |
| Excluded categories | List of category IDs to exclude from the search index | None |
| Excluded plugins | List of plugin names to exclude while indexing | None |
| Additional plugins searchable by default | List of plugin names that are required to additionnaly include while indexing. Example: fancytable,list,trackerlist,trackerfilter | attach, box, code, copyrigh... |
| Don't index non searchable fields | Indexing will skip adding all tracker fields that are not marked as "searchable". This will free index space but also make it impossible to use those fields in search index queries. | Disabled |
| Index forum replies together with initial post | Forum replies will be indexed together with the initial post as a single document instead of being indexed separately. | Enabled |
| Tokenize version numbers | Tokenize version number strings so that major versions are found when sub-versions are mentioned. For example, searching for 2.7 would return documents containing 2.7.4, but not 1.2.7. | Disabled |
| Tokenize CamelCase words | Consider the components of camel-case words as separate tokens, allowing them to be searched individually. Conflicts with Tokenize Version Numbers. |
Disabled |
| Possessive Stemmer | The possessive stemmer removes possessives (trailing "'s") from words before indexing them. | Enabled |
| Field weights | Allow the field weights to be set that apply when ranking pages in the search results. The weight is applied only when the field is in the query. To nullify the value of a field, use an insignificant amount, but not 0, which may lead to unexpected behaviors such as stripping of results. (Add these fields to the "Default content fields" preference below for it to have an effect in a global "content" search) One field per line, field_name:5.3 |
title:2.5 allowed_groups:0.... |
| Default content fields | All of the content is aggregated in the contents field. For custom weighting to apply, the fields must be included in the query. This option allows other fields to be included in the default content search. | contents, title |
| Cache per user and query for Tiki built-in search | Time in minutes a user has a same query cached applied to Tiki built-in search interface only. | 0 minutes |
| Cache result-specific formatted results | Formatted search results such as the ones used in the List plugin will be cached to prevent process-intensive reformatting on each page load. The cache is result-specific. Every different result will generate a separate cache. This could quickly build up a large cache directory. It is recommended to clear Tiki caches often (e.g. once per week) via an automated job if you use this feature. |
Disabled |
| Cache individual search formatters | List of search formatters whose output will be cached. This is separate to the result-specific formatted results cache. | None |
| LIST plugin cache default on | If selected, LIST plugins will be cached by default unless turned off at plugin level. | Disabled |
| LIST plugin cache default expiry | Default number of minutes for LIST plugin cache expiry. | 30 |
| Index Tracker Category names | Index the names and paths of category field values Requires reindexing |
Enabled |
| Use unified search in category admin | Use unified search to find objects to add to categories. This limits the types of objects available to those included in the unified index. | Disabled |
| Automatically trim Elasticsearch results on date-sorted query | Automatically trim Elasticsearch results in unified search if the query is sorted by modification or creation date. | Disabled |
| Show error on missing field | When using List plugin to specify certain fields, especially tracker fields, this check helps ensure their names were entered correctly. | Enabled |
| Stop Word List | Words excluded from the search index, because they can be too frequent and produce unwanted results. MySQL full-text search has its own list of stop words configured in the server. |
a, an, and, are, as, at, be... |
| Search index outdated | Number of days to consider the search index outdated | 2 days |
| Automatic indexing of file content | Uses command line tools to extract the information from the files based on their MIME types. | Disabled |
| Automatic indexing of emails stored as files | Parses message/rfc822 types of files (aka eml files) and stores individual email headers and content in search index. | Disabled |
| Asynchronous indexing | Enabled | |
| Autocomplete page names | Automatically complete page names as the user starts typing. For example the user types the start of the wiki page name “Sear” and Tiki returns “Search”, “Search General Settings”, etc | Disabled |
| Referer search highlighting | When a user lands on a Tiki page from a search engine, Tiki highlights the search words they used. Its similar to using Tiki’s search facility. | Enabled |
| File thumbnail preview | Have a preview of attachments in search results | Disabled |
| Forum name search | When listing forums | Disabled |
| Forum content search | When listing forums | Enabled |
| Topic content search | Enabled | |
| Unified search for forums and file galleries | Enabled |
| Option | Description | Default |
|---|---|---|
| Unified search index | Enables searching for content at the site using a Tiki-managed index. It's recommended to set a cron job to periodically rebuild the search index. |
Enabled |
| Search statistics | Enables administrators to collect and view statistics on search activity. | Disabled |
| Users available in search results | Users available within search results. Content related to the user will be included in the index. None | All | Public |
None |
| Incremental Index Update | Update the index incrementally as the site content is modified. This may lead to lower performance and accuracy than processing the index on a periodic basis. |
Enabled |
| Search index rebuild memory limit | Temporarily adjust the memory limit to use during Search index rebuild. Depending on the volume of data, some large operations require more memory. Increasing it locally, per operation, allows to keep a lower memory limit globally. Keep in mind that memory usage is still limited to what is available on the server. for example: 256M |
None |
| Search index rebuild time limit | Temporarily adjust the time limit to use during Search index rebuild. Depending on the volume of data, some requests may take longer. Increase the time limit locally to resolve the issue. Use reasonable values. for example: 30 |
None |
| Unified search engine | Search engine used to index the content of this Tiki site. Some engines are more suitable for larger sites, but require additional software on the server. MySQL full-text search | Elasticsearch | Manticore Search |
MySQL full-text search |
| Elasticsearch URL | URL of any node in the cluster | http://localhost:9200 |
| Elasticsearch Authentication | When Elasticsearch security module is enabled, user authentication can be set up here. No Authentication | Basic Authentication |
None |
| Elasticsearch User | HTTP basic authentication user to be sent with each request to Elasticsearch. | None |
| Elasticsearch Password | HTTP basic authentication password to be sent with each request to Elasticsearch. | None |
| Elasticsearch index prefix | The prefix that is used for all indexes for this installation in Elasticsearch | Tiki_ |
| Elasticsearch current index | A new index is created upon rebuilding, and the old one is then destroyed. This setting enables seeing the currently active index. Do not change this value unless you know what you are doing. |
None |
| Elasticsearch field limit per index | The maximum number of fields per search index in Elasticsearch version 5.x and above | 1000 fields |
| Relation types to index within object. | Comma-separated relation types for which objects should be indexed in their related objects. Elasticsearch needed |
None |
| Use MySQL Full-Text Search (fallback) | In case of Elasticsearch is active and unavailable, use MySQL Full-Text Search as fallback | Disabled |
| MySQL use short field names | Due to frm file constraints, number of search fields that one index can hold is usually limited to about 1500. This can be exceeded if you have numerous tracker fields. Enabling this option will try to shorten the field names internally that should allow you to use 300-500 more fields. Switching this option requires full index rebuild. | Disabled |
| Restore old MySQL indexes during reindex | If set, after the reindex is performed, old table MySQL indexes will be restored to the reindex related table. | Disabled |
| Manticore URL | URL of the Manticore search server | http://127.0.0.1 |
| Manticore HTTP(S) Port | Port number for the HTTP(S) interface. | 9308 |
| Manticore MySQL Port | Port number for the MySQL interface. | 9306 |
| Manticore index prefix | The prefix that is used for all indexes for this installation in Manticore | Tiki_ |
| Manticore current index | A new set of indexes are created upon rebuilding, and the old ones are then destroyed. This setting enables seeing the currently active index prefix. Do not change this value unless you know what you are doing. |
None |
| Morphology processing | Advanced morphology preprocessors to apply in the Manticore index, comma-separated. For example libstemmer_en,libstemmer_fr. See Manticore manual for possible values. | None |
| Manticore indexed full-text fields | Manticore has a hard-limit of 256 full-text indexed fields per index. If your installation has more, some will be indexed as string attributes and perform the slower regex search. You can add a comma-separated list of fields to always index as full-text here. | title,contents |
| Default Boolean Operator | Use OR or AND as the default search operator. AND | OR |
AND |
| Excluded categories | List of category IDs to exclude from the search index | None |
| Excluded plugins | List of plugin names to exclude while indexing | None |
| Additional plugins searchable by default | List of plugin names that are required to additionnaly include while indexing. Example: fancytable,list,trackerlist,trackerfilter | attach, box, code, copyrigh... |
| Don't index non searchable fields | Indexing will skip adding all tracker fields that are not marked as "searchable". This will free index space but also make it impossible to use those fields in search index queries. | Disabled |
| Index forum replies together with initial post | Forum replies will be indexed together with the initial post as a single document instead of being indexed separately. | Enabled |
| Tokenize version numbers | Tokenize version number strings so that major versions are found when sub-versions are mentioned. For example, searching for 2.7 would return documents containing 2.7.4, but not 1.2.7. | Disabled |
| Tokenize CamelCase words | Consider the components of camel-case words as separate tokens, allowing them to be searched individually. Conflicts with Tokenize Version Numbers. |
Disabled |
| Possessive Stemmer | The possessive stemmer removes possessives (trailing "'s") from words before indexing them. | Enabled |
| Field weights | Allow the field weights to be set that apply when ranking pages in the search results. The weight is applied only when the field is in the query. To nullify the value of a field, use an insignificant amount, but not 0, which may lead to unexpected behaviors such as stripping of results. (Add these fields to the "Default content fields" preference below for it to have an effect in a global "content" search) One field per line, field_name:5.3 |
title:2.5 allowed_groups:0.... |
| Default content fields | All of the content is aggregated in the contents field. For custom weighting to apply, the fields must be included in the query. This option allows other fields to be included in the default content search. | contents, title |
| Cache per user and query for Tiki built-in search | Time in minutes a user has a same query cached applied to Tiki built-in search interface only. | 0 minutes |
| Cache result-specific formatted results | Formatted search results such as the ones used in the List plugin will be cached to prevent process-intensive reformatting on each page load. The cache is result-specific. Every different result will generate a separate cache. This could quickly build up a large cache directory. It is recommended to clear Tiki caches often (e.g. once per week) via an automated job if you use this feature. |
Disabled |
| Cache individual search formatters | List of search formatters whose output will be cached. This is separate to the result-specific formatted results cache. | None |
| LIST plugin cache default on | If selected, LIST plugins will be cached by default unless turned off at plugin level. | Disabled |
| LIST plugin cache default expiry | Default number of minutes for LIST plugin cache expiry. | 30 |
| Format to use for tracker field keys | Choose between field IDs and permanent names for the tracker indexing Permanent name | Field ID (backward compatibility mode with Tiki 7 and 8) |
Permanent name |
| Index Tracker Category names | Index the names and paths of category field values Requires reindexing |
Enabled |
| Use unified search in category admin | Use unified search to find objects to add to categories. This limits the types of objects available to those included in the unified index. | Disabled |
| Automatically trim Elasticsearch results on date-sorted query | Automatically trim Elasticsearch results in unified search if the query is sorted by modification or creation date. | Disabled |
| Show error on missing field | When using List plugin to specify certain fields, especially tracker fields, this check helps ensure their names were entered correctly. | Enabled |
| Stop Word List | Words excluded from the search index, because they can be too frequent and produce unwanted results. MySQL full-text search has its own list of stop words configured in the server. |
a, an, and, are, as, at, be... |
| Search index outdated | Number of days to consider the search index outdated | 2 days |
| Automatic indexing of file content | Uses command line tools to extract the information from the files based on their MIME types. | Disabled |
| Automatic indexing of emails stored as files | Parses message/rfc822 types of files (aka eml files) and stores individual email headers and content in search index. | Disabled |
| Asynchronous indexing | Enabled | |
| Autocomplete page names | Automatically complete page names as the user starts typing. For example the user types the start of the wiki page name “Sear” and Tiki returns “Search”, “Search General Settings”, etc | Disabled |
| Referer search highlighting | When a user lands on a Tiki page from a search engine, Tiki highlights the search words they used. Its similar to using Tiki’s search facility. | Enabled |
| File thumbnail preview | Have a preview of attachments in search results | Disabled |
| Forum name search | When listing forums | Disabled |
| Forum content search | When listing forums | Enabled |
| Topic content search | Enabled | |
| Unified search for forums and file galleries | Enabled |
| Option | Description | Default |
|---|---|---|
| Unified search index | Enables searching for content at the site using a Tiki-managed index. It's recommended to set a cron job to periodically rebuild the search index. |
Enabled |
| Search statistics | Enables administrators to collect and view statistics on search activity. | Disabled |
| Users available in search results | Users available within search results. Content related to the user will be included in the index. None | All | Public |
None |
| Incremental Index Update | Update the index incrementally as the site content is modified. This may lead to lower performance and accuracy than processing the index on a periodic basis. |
Enabled |
| Search index rebuild memory limit | Temporarily adjust the memory limit to use during Search index rebuild. Depending on the volume of data, some large operations require more memory. Increasing it locally, per operation, allows to keep a lower memory limit globally. Keep in mind that memory usage is still limited to what is available on the server. for example: 256M |
None |
| Search index rebuild time limit | Temporarily adjust the time limit to use during Search index rebuild. Depending on the volume of data, some requests may take longer. Increase the time limit locally to resolve the issue. Use reasonable values. for example: 30 |
None |
| Unified search engine | Search engine used to index the content of this Tiki site. Some engines are more suitable for larger sites, but require additional software on the server. MySQL full-text search | Elasticsearch | Manticore Search |
MySQL full-text search |
| Elasticsearch URL | URL of any node in the cluster | http://localhost:9200 |
| Elasticsearch Authentication | When Elasticsearch security module is enabled, user authentication can be set up here. No Authentication | Basic Authentication |
None |
| Elasticsearch User | HTTP basic authentication user to be sent with each request to Elasticsearch. | None |
| Elasticsearch Password | HTTP basic authentication password to be sent with each request to Elasticsearch. | None |
| Elasticsearch index prefix | The prefix that is used for all indexes for this installation in Elasticsearch | Tiki_ |
| Elasticsearch current index | A new index is created upon rebuilding, and the old one is then destroyed. This setting enables seeing the currently active index. Do not change this value unless you know what you are doing. |
None |
| Elasticsearch field limit per index | The maximum number of fields per search index in Elasticsearch version 5.x and above | 1000 fields |
| Relation types to index within object. | Comma-separated relation types for which objects should be indexed in their related objects. Elasticsearch needed |
None |
| Use MySQL Full-Text Search (fallback) | In case of Elasticsearch is active and unavailable, use MySQL Full-Text Search as fallback | Disabled |
| MySQL use short field names | Due to frm file constraints, number of search fields that one index can hold is usually limited to about 1500. This can be exceeded if you have numerous tracker fields. Enabling this option will try to shorten the field names internally that should allow you to use 300-500 more fields. Switching this option requires full index rebuild. | Disabled |
| Restore old MySQL indexes during reindex | If set, after the reindex is performed, old table MySQL indexes will be restored to the reindex related table. | Disabled |
| Manticore URL | URL of the Manticore search server | http://127.0.0.1 |
| Manticore HTTP(S) Port | Port number for the HTTP(S) interface. | 9308 |
| Manticore MySQL Port | Port number for the MySQL interface. | 9306 |
| Manticore index prefix | The prefix that is used for all indexes for this installation in Manticore | Tiki_ |
| Manticore current index | A new set of indexes are created upon rebuilding, and the old ones are then destroyed. This setting enables seeing the currently active index prefix. Do not change this value unless you know what you are doing. |
None |
| Morphology processing | Advanced morphology preprocessors to apply in the Manticore index. See Manticore manual for possible values. | None |
| Manticore indexed full-text fields | Manticore has a hard-limit of 256 full-text indexed fields per index. If your installation has more, some will be indexed as string attributes and perform the slower regex search. You can add a comma-separated list of fields to always index as full-text here. | title,contents |
| Default Boolean Operator | Use OR or AND as the default search operator. AND | OR |
AND |
| Excluded categories | List of category IDs to exclude from the search index | None |
| Excluded plugins | List of plugin names to exclude while indexing | None |
| Additional plugins searchable by default | List of plugin names that are required to additionnaly include while indexing. Example: fancytable,list,trackerlist,trackerfilter | None |
| Don't index non searchable fields | Indexing will skip adding all tracker fields that are not marked as "searchable". This will free index space but also make it impossible to use those fields in search index queries. | Disabled |
| Index forum replies together with initial post | Forum replies will be indexed together with the initial post as a single document instead of being indexed separately. | Enabled |
| Tokenize version numbers | Tokenize version number strings so that major versions are found when sub-versions are mentioned. For example, searching for 2.7 would return documents containing 2.7.4, but not 1.2.7. | Disabled |
| Tokenize CamelCase words | Consider the components of camel-case words as separate tokens, allowing them to be searched individually. Conflicts with Tokenize Version Numbers. |
Disabled |
| Possessive Stemmer | The possessive stemmer removes possessives (trailing "'s") from words before indexing them. | Enabled |
| Field weights | Allow the field weights to be set that apply when ranking pages in the search results. The weight is applied only when the field is in the query. To nullify the value of a field, use an insignificant amount, but not 0, which may lead to unexpected behaviors such as stripping of results. (Add these fields to the "Default content fields" preference below for it to have an effect in a global "content" search) One field per line, field_name:5.3 |
title:2.5 allowed_groups:0.... |
| Default content fields | All of the content is aggregated in the contents field. For custom weighting to apply, the fields must be included in the query. This option allows other fields to be included in the default content search. | contents, title |
| Cache per user and query for Tiki built-in search | Time in minutes a user has a same query cached applied to Tiki built-in search interface only. | 0 minutes |
| Cache result-specific formatted results | Formatted search results such as the ones used in the List plugin will be cached to prevent process-intensive reformatting on each page load. The cache is result-specific. Every different result will generate a separate cache. This could quickly build up a large cache directory. It is recommended to clear Tiki caches often (e.g. once per week) via an automated job if you use this feature. |
Disabled |
| Cache individual search formatters | List of search formatters whose output will be cached. This is separate to the result-specific formatted results cache. | None |
| LIST plugin cache default on | If selected, LIST plugins will be cached by default unless turned off at plugin level. | Disabled |
| LIST plugin cache default expiry | Default number of minutes for LIST plugin cache expiry. | 30 |
| Format to use for tracker field keys | Choose between field IDs and permanent names for the tracker indexing Permanent name | Field ID (backward compatibility mode with Tiki 7 and 8) |
Permanent name |
| Index Tracker Category names | Index the names and paths of category field values Requires reindexing |
Disabled |
| Use unified search in category admin | Use unified search to find objects to add to categories. This limits the types of objects available to those included in the unified index. | Disabled |
| Automatically trim Elasticsearch results on date-sorted query | Automatically trim Elasticsearch results in unified search if the query is sorted by modification or creation date. | Disabled |
| Show error on missing field | When using List plugin to specify certain fields, especially tracker fields, this check helps ensure their names were entered correctly. | Enabled |
| Stop Word List | Words excluded from the search index, because they can be too frequent and produce unwanted results. MySQL full-text search has its own list of stop words configured in the server. |
a, an, and, are, as, at, be... |
| Search index outdated | Number of days to consider the search index outdated | 2 days |
| Automatic indexing of file content | Uses command line tools to extract the information from the files based on their MIME types. | Disabled |
| Automatic indexing of emails stored as files | Parses message/rfc822 types of files (aka eml files) and stores individual email headers and content in search index. | Disabled |
| Asynchronous indexing | Enabled | |
| MySQL full-text search | Also known as 'Basic Search'. This search uses the MySQL full-text search feature. The indexation is continuously updated. | Disabled |
| Referer search highlighting | When a user lands on a Tiki page from a search engine, Tiki highlights the search words they used. Its similar to using Tiki’s search facility. | Enabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Autocomplete page names | Automatically complete page names as the user starts typing. For example the user types the start of the wiki page name “Sear” and Tiki returns “Search”, “Search General Settings”, etc | Disabled |
| File thumbnail preview | Have a preview of attachments in search results | Disabled |
| Forum name search | When listing forums | Disabled |
| Forum content search | When listing forums | Enabled |
| Topic content search | Enabled | |
| Unified search for forums and file galleries | Enabled |
| Option | Description | Default |
|---|---|---|
| Unified search index | Enables searching for content at the site using a Tiki-managed index. It's recommended to set a cron job to periodically rebuild the search index. |
Enabled |
| Search statistics | Enables administrators to collect and view statistics on search activity. | Disabled |
| Users available in search results | Users available within search results. Content related to the user will be included in the index. None | All | Public |
None |
| Incremental Index Update | Update the index incrementally as the site content is modified. This may lead to lower performance and accuracy than processing the index on a periodic basis. |
Enabled |
| Search index rebuild memory limit | Temporarily adjust the memory limit to use during Search index rebuild. Depending on the volume of data, some large operations require more memory. Increasing it locally, per operation, allows to keep a lower memory limit globally. Keep in mind that memory usage is still limited to what is available on the server. for example: 256M |
None |
| Search index rebuild time limit | Temporarily adjust the time limit to use during Search index rebuild. Depending on the volume of data, some requests may take longer. Increase the time limit locally to resolve the issue. Use reasonable values. for example: 30 |
None |
| Unified search engine | Search engine used to index the content of this Tiki site. Some engines are more suitable for larger sites, but require additional software on the server. MySQL full-text search | Elasticsearch |
MySQL full-text search |
| Elasticsearch URL | URL of any node in the cluster | http://localhost:9200 |
| Elasticsearch Authentication | When Elasticsearch security module is enabled, user authentication can be set up here. No Authentication | Basic Authentication |
None |
| Elasticsearch User | HTTP basic authentication user to be sent with each request to Elasticsearch. | None |
| Elasticsearch Password | HTTP basic authentication password to be sent with each request to Elasticsearch. | None |
| Elasticsearch index prefix | The prefix that is used for all indexes for this installation in Elasticsearch | Tiki_ |
| Elasticsearch current index | A new index is created upon rebuilding, and the old one is then destroyed. This setting enables seeing the currently active index. Do not change this value unless you know what you are doing. |
None |
| Elasticsearch field limit per index | The maximum number of fields per search index in Elasticsearch version 5.x and above | 1000 fields |
| Relation types to index within object. | Comma-separated relation types for which objects should be indexed in their related objects. Elasticsearch needed |
None |
| Use MySQL Full-Text Search (fallback) | In case of Elasticsearch is active and unavailable, use MySQL Full-Text Search as fallback | Disabled |
| MySQL use short field names | Due to frm file constraints, number of search fields that one index can hold is usually limited to about 1500. This can be exceeded if you have numerous tracker fields. Enabling this option will try to shorten the field names internally that should allow you to use 300-500 more fields. Switching this option requires full index rebuild. | Disabled |
| Restore old MySQL indexes during reindex | If set, after the reindex is performed, old table MySQL indexes will be restored to the reindex related table. | Disabled |
| Default Boolean Operator | Use OR or AND as the default search operator. AND | OR |
AND |
| Excluded categories | List of category IDs to exclude from the search index | None |
| Excluded plugins | List of plugin names to exclude while indexing | None |
| Exclude all plugins | Indexing will exclude all plugins. | Enabled |
| Except included plugins | List of plugin names that are required to be included while indexing, when excluding all. Example: fancytable,list,trackerlist,trackerfilter | None |
| Don't index non searchable fields | Indexing will skip adding all tracker fields that are not marked as "searchable". This will free index space but also make it impossible to use those fields in search index queries. | Disabled |
| Index forum replies together with initial post | Forum replies will be indexed together with the initial post as a single document instead of being indexed separately. | Enabled |
| Tokenize version numbers | Tokenize version number strings so that major versions are found when sub-versions are mentioned. For example, searching for 2.7 would return documents containing 2.7.4, but not 1.2.7. | Disabled |
| Tokenize CamelCase words | Consider the components of camel-case words as separate tokens, allowing them to be searched individually. Conflicts with Tokenize Version Numbers. |
Disabled |
| Possessive Stemmer | The possessive stemmer removes possessives (trailing "'s") from words before indexing them. | Enabled |
| Field weights | Allow the field weights to be set that apply when ranking pages in the search results. The weight is applied only when the field is in the query. To nullify the value of a field, use an insignificant amount, but not 0, which may lead to unexpected behaviors such as stripping of results. (Add these fields to the "Default content fields" preference below for it to have an effect in a global "content" search) One field per line, field_name:5.3 |
title:2.5 allowed_groups:0.... |
| Default content fields | All of the content is aggregated in the contents field. For custom weighting to apply, the fields must be included in the query. This option allows other fields to be included in the default content search. | contents, title |
| Cache per user and query for Tiki built-in search | Time in minutes a user has a same query cached applied to Tiki built-in search interface only. | 0 minutes |
| Cache result-specific formatted results | Formatted search results such as the ones used in the List plugin will be cached to prevent process-intensive reformatting on each page load. The cache is result-specific. Every different result will generate a separate cache. This could quickly build up a large cache directory. It is recommended to clear Tiki caches often (e.g. once per week) via an automated job if you use this feature. |
Disabled |
| Cache individual search formatters | List of search formatters whose output will be cached. This is separate to the result-specific formatted results cache. | None |
| LIST plugin cache default on | If selected, LIST plugins will be cached by default unless turned off at plugin level. | Disabled |
| LIST plugin cache default expiry | Default number of minutes for LIST plugin cache expiry. | 30 |
| Format to use for tracker field keys | Choose between field IDs and permanent names for the tracker indexing Permanent name | Field ID (backward compatibility mode with Tiki 7 and 8) |
Permanent name |
| Index Tracker Category names | Index the names and paths of category field values Requires reindexing |
Disabled |
| Use unified search in category admin | Use unified search to find objects to add to categories. This limits the types of objects available to those included in the unified index. | Disabled |
| Automatically trim Elasticsearch results on date-sorted query | Automatically trim Elasticsearch results in unified search if the query is sorted by modification or creation date. | Disabled |
| Show error on missing field | When using List plugin to specify certain fields, especially tracker fields, this check helps ensure their names were entered correctly. | Enabled |
| Stop Word List | Words excluded from the search index, because they can be too frequent and produce unwanted results. MySQL full-text search has its own list of stop words configured in the server. |
a, an, and, are, as, at, be... |
| Search index outdated | Number of days to consider the search index outdated | 2 days |
| Automatic indexing of file content | Uses command line tools to extract the information from the files based on their MIME types. | Disabled |
| Automatic indexing of emails stored as files | Parses message/rfc822 types of files (aka eml files) and stores individual email headers and content in search index. | Disabled |
| Asynchronous indexing | Enabled | |
| MySQL full-text search | Also known as 'Basic Search'. This search uses the MySQL full-text search feature. The indexation is continuously updated. | Disabled |
| Referer search highlighting | When a user lands on a Tiki page from a search engine, Tiki highlights the search words they used. Its similar to using Tiki’s search facility. | Enabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Autocomplete page names | Automatically complete page names as the user starts typing. For example the user types the start of the wiki page name “Sear” and Tiki returns “Search”, “Search General Settings”, etc | Disabled |
| File thumbnail preview | Have a preview of attachments in search results | Disabled |
| Forum name search | When listing forums | Disabled |
| Forum content search | When listing forums | Enabled |
| Topic content search | Enabled | |
| Unified search for forums and file galleries | Enabled |
| Option | Description | Default |
|---|---|---|
| Unified search index | Enables searching for content at the site using a Tiki-managed index. It's recommended to set a cron job to periodically rebuild the search index. |
Enabled |
| Search statistics | Enables administrators to collect and view statistics on search activity. | Disabled |
| Users available in search results | Users available within search results. Content related to the user will be included in the index. None | All | Public |
None |
| Incremental Index Update | Update the index incrementally as the site content is modified. This may lead to lower performance and accuracy than processing the index on a periodic basis. |
Enabled |
| Search index rebuild memory limit | Temporarily adjust the memory limit to use during Search index rebuild. Depending on the volume of data, some large operations require more memory. Increasing it locally, per operation, allows to keep a lower memory limit globally. Keep in mind that memory usage is still limited to what is available on the server. for example: 256M |
None |
| Search index rebuild time limit | Temporarily adjust the time limit to use during Search index rebuild. Depending on the volume of data, some requests may take longer. Increase the time limit locally to resolve the issue. Use reasonable values. for example: 30 |
None |
| Unified search engine | Search engine used to index the content of this Tiki site. Some engines are more suitable for larger sites, but require additional software on the server. Lucene (PHP implementation) - Deprecated | MySQL full-text search | Elasticsearch |
MySQL full-text search |
| Highlight results snippets | Highlight the result snippet based on the search query to improve user experience. May impact performance |
Disabled |
| Lucene index location | Path to the location of the Lucene search index. The index must be on a local filesystem with enough space to contain the volume of the database. | temp/unified-index |
| Lucene maximum results | Maximum number of results to produce. Results beyond these will need a more refined query to be reached. | 200 results |
| Lucene maximum result-set limit | This is used when calculating result scores and sort order which can lead to "out of memory" errors on large data sets. The default of 1000 is safe with the PHP memory_limit set to 128M Maximum size of result set to consider. 0 for unlimited |
1000 result sets |
| Lucene terms per query limit | Maximum number of terms to be generated. This value may need to be increased in the case of "Terms per query limit is reached" espescially with wildcard, range and fuzzy searches. | 1024 terms |
| Lucene maximum number of buffered documents | Number of documents required before the buffered in-memory documents are written into a new segment. | 10 documents |
| Lucene maximum number of merge documents | Largest number of documents merged by addDocument(). Small values (for example, less than 10,000) are best for interactive indexing, as this limits the length of pauses while indexing to a few seconds. Larger values are best for batched indexing and speedier searches. Small values (for example, less than 10,000) are best for interactive indexing. Use 0 for the Lucene default, which is practically infinite. |
0 merge documents |
| Lucene merge factor | How often segment indices are merged by addDocument(). With smaller values, less RAM is used while indexing, and searches on unoptimized indices are faster, but indexing speed is slower. With larger values, more RAM is used during indexing, and while searches on unoptimized indices are slower, indexing is faster. Large values (greater than 10) are best for batch index creation, and smaller values (less than 10) for indices that are interactively maintained. |
10 |
| Elasticsearch URL | URL of any node in the cluster | http://localhost:9200 |
| Elasticsearch index prefix | The prefix that is used for all indexes for this installation in Elasticsearch | Tiki_ |
| Elasticsearch current index | A new index is created upon rebuilding, and the old one is then destroyed. This setting enables seeing the currently active index. Do not change this value unless you know what you are doing. |
None |
| Elasticsearch field limit per index | The maximum number of fields per search index in Elasticsearch version 5.x and above | 1000 fields |
| Relation types to index within object. | Comma-separated relation types for which objects should be indexed in their related objects. Elasticsearch needed |
None |
| Use MySQL Full-Text Search (fallback) | In case of Elasticsearch is active and unavailable, use MySQL Full-Text Search as fallback | Disabled |
| MySQL use short field names | Due to frm file constraints, number of search fields that one index can hold is usually limited to about 1500. This can be exceeded if you have numerous tracker fields. Enabling this option will try to shorten the field names internally that should allow you to use 300-500 more fields. Switching this option requires full index rebuild. | Disabled |
| Default Boolean Operator | Use OR or AND as the default search operator. AND | OR |
AND |
| Excluded categories | List of category IDs to exclude from the search index | None |
| Excluded plugins | List of plugin names to exclude while indexing | None |
| Exclude all plugins | Indexing will exclude all plugins. | Enabled |
| Except included plugins | List of plugin names that are required to be included while indexing, when excluding all. Example: fancytable,list,trackerlist,trackerfilter | None |
| Don't index non searchable fields | Indexing will skip adding all tracker fields that are not marked as "searchable". This will free index space but also make it impossible to use those fields in search index queries. | Disabled |
| Index forum replies together with initial post | Forum replies will be indexed together with the initial post as a single document instead of being indexed separately. | Enabled |
| Tokenize version numbers | Tokenize version number strings so that major versions are found when sub-versions are mentioned. For example, searching for 2.7 would return documents containing 2.7.4, but not 1.2.7. | Disabled |
| Tokenize CamelCase words | Consider the components of camel-case words as separate tokens, allowing them to be searched individually. Conflicts with Tokenize Version Numbers. |
Disabled |
| Possessive Stemmer | The possessive stemmer removes possessives (trailing "'s") from words before indexing them. | Enabled |
| Field weights | Allow the field weights to be set that apply when ranking pages in the search results. The weight is applied only when the field is in the query. To nullify the value of a field, use an insignificant amount, but not 0, which may lead to unexpected behaviors such as stripping of results. (Add these fields to the "Default content fields" preference below for it to have an effect in a global "content" search) One field per line, field_name:5.3 |
title:2.5 allowed_groups:0.... |
| Default content fields | All of the content is aggregated in the contents field. For custom weighting to apply, the fields must be included in the query. This option allows other fields to be included in the default content search. | contents, title |
| Cache per user and query for Tiki built-in search | Time in minutes a user has a same query cached applied to Tiki built-in search interface only. | 0 minutes |
| Cache result-specific formatted results | Formatted search results such as the ones used in the List plugin will be cached to prevent process-intensive reformatting on each page load. The cache is result-specific. Every different result will generate a separate cache. This could quickly build up a large cache directory. It is recommended to clear Tiki caches often (e.g. once per week) via an automated job if you use this feature. |
Disabled |
| Cache individual search formatters | List of search formatters whose output will be cached. This is separate to the result-specific formatted results cache. | None |
| LIST plugin cache default on | If selected, LIST plugins will be cached by default unless turned off at plugin level. | Disabled |
| LIST plugin cache default expiry | Default number of minutes for LIST plugin cache expiry. | 30 |
| Format to use for tracker field keys | Choose between field IDs and permanent names for the tracker indexing Permanent name | Field ID (backward compatibility mode with Tiki 7 and 8) |
Permanent name |
| Index Tracker Category names | Index the names and paths of category field values Requires reindexing |
Disabled |
| Use unified search in category admin | Use unified search to find objects to add to categories. This limits the types of objects available to those included in the unified index. | Disabled |
| Automatically trim Elasticsearch results on date-sorted query | Automatically trim Elasticsearch results in unified search if the query is sorted by modification or creation date. | Disabled |
| Show error on missing field | When using List plugin to specify certain fields, especially tracker fields, this check helps ensure their names were entered correctly. | Enabled |
| Stop Word List | Words excluded from the search index, because they can be too frequent and produce unwanted results. MySQL full-text search has its own list of stop words configured in the server. |
a, an, and, are, as, at, be... |
| Search index outdated | Number of days to consider the search index outdated | 2 days |
| Automatic indexing of file content | Uses command line tools to extract the information from the files based on their MIME types. | Disabled |
| Asynchronous indexing | Enabled | |
| MySQL full-text search | Also known as 'Basic Search'. This search uses the MySQL full-text search feature. The indexation is continuously updated. | Disabled |
| Referer search highlighting | When a user lands on a Tiki page from a search engine, Tiki highlights the search words they used. Its similar to using Tiki’s search facility. | Enabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Autocomplete page names | Automatically complete page names as the user starts typing. For example the user types the start of the wiki page name “Sear” and Tiki returns “Search”, “Search General Settings”, etc | Disabled |
| File thumbnail preview | Have a preview of attachments in search results | Disabled |
| Forum name search | When listing forums | Disabled |
| Forum content search | When listing forums | Enabled |
| Topic content search | Enabled | |
| Tiki-indexed search | Disabled | |
| Use database (full-text) search | Disabled |
Search - Stored search
| Option | Description | Default |
|---|---|---|
| Stored searches | Allow users to store search queries. | Disabled |
| Option | Description | Default |
|---|---|---|
| Stored searches | Allow users to store search queries. | Disabled |
| Option | Description | Default |
|---|---|---|
| Stored searches | Allow users to store search queries. | Disabled |
| Option | Description | Default |
|---|---|---|
| Stored searches | Allow users to store search queries. | Disabled |
| Option | Description | Default |
|---|---|---|
| Stored searches | Allow users to store search queries. | Disabled |
Security - General security
| Option | Description | Default |
|---|---|---|
| Smarty security | Enable/Disable Smarty security. If checked, you can then define allowed and disabled modifiers and tags(functions, blocks and filters) that should be or not accesible to the template. You should leave this on unless you know what you are doing. |
Enabled |
| Allowed Smarty tags | This is a list of allowed tags. It's the list of (registered / autoloaded) function-, block and filter plugins that should be accessible to the template. If empty, no restriction by allowed_tags. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Disabled Smarty tags | This is a list of disabled tags. It's the list of (registered / autoloaded) function-, block and filter plugins that may not be accessible to the template. If empty, no restriction by disabled_tags. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Allowed Smarty modifiers | This is the list of allowed modifier plugins. It's the array of (registered / autoloaded) modifiers that should be accessible to the template. If this array is non-empty, only the herein listed modifiers may be used. This is a whitelist. If empty, no restriction by allowed_modifiers. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Disabled Smarty modifiers | This is a list of disabled modifier plugins. It's the list of (registered / autoloaded) modifiers that may not be accessible to the template. If empty, no restriction by disabled_modifiers. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty directories | Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing. |
None |
| HTML purifier | HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also ensure that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. |
Enabled |
| Output should be HTML purified | This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, you should make sure your HTML is valid or de-activate this feature. |
Disabled |
| Protect all sessions with HTTPS | Always redirect to HTTPS to prevent a session hijack through network sniffing. Warning: activate only if SSL is already configured; otherwise, all users including admin will be locked out of the site |
Disabled |
| HTTP Basic Authentication | Check credentials from HTTP Basic Authentication, which is useful to allow webservices to use credentials. Disable | SSL Only (Recommended) | Always |
Disable |
| Prevent common passwords | For improved security, prevent users from creating blacklisted passwords. Use default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist. | Disabled |
| Require admin users to enter their password for some critical actions | User password will be required for critical operations that can compromise the system security or stability, like adding users to the admin group | Enabled |
| Allow sending newsletters through external clients | Generate mailto links using the recipients as the BCC list. This will expose the list if email addresses to all users allowed to send newsletters. |
Disabled |
| Validate uploaded file content | Do not trust user input and open the files to verify their content. | Enabled |
| Allow the tiki_p_trust_input permission. | Bypass user input filtering. Note: all permissions are granted to the Admins group including this one, so if you enable this you may expose your site to XSS (Cross Site Scripting) attacks for admin users. |
Disabled |
| Quick permission assignment | Quickperms are an interface in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object. | Enabled |
| Verify HTTPS certificates of remote servers | When set to enforce, the server will fail to connect over HTTPS to a remote server that do not have a SSL certificate that is valid and can be verified against the local list of Certificate Authority (CA) Do not enforce verification | Enforce verification |
None |
| Use CURL for HTTP connections | Use CURL instead of sockets for server to server HTTP connections, when sockets are not available. | Disabled |
| Debugger console | A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking 'Quick Administration->Smarty debug window' or by appending ?show_smarty_debug=1 or &show_smarty_debug=1 to the page URL. You may also execute SQL, watch vars and perform a number of other functions. Only viewable by admins Not suitable for production use. |
Disabled |
| Tiki template viewing | May not be functional in Tiki 14+ | Disabled |
| Edit templates | May not be functional in Tiki 14+ | Disabled |
| Edit CSS | Edit CSS files directly in the browser. May not be functional in Tiki 14+ |
Disabled |
| User encryption | Tiki user encryption enables a personal, secure storage of sensitive data, e.g. password. Only the user can see the data. No decryption passwords are stored. Enable personal, secure storage of sensitive data such as passwords This is an experimental feature. Using it may cause loss of the encrypted data. |
Disabled |
| Password domains | Securely store extra user passwords and other user specific data for other "domains", or just for yourself | Userkey |
| Use short lived CSRF tokens | CSRF tokens generated will be valid for one use only and will have a limited life span Changing the CSRF tokens to be short lived may lead to an increase of errors on submitting information when the users take a long time to finish an operation or the session is lost. |
Disabled |
| Security timeout | Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set, otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case.Minimum value is 30 seconds to avoid blocking everyone from being able to make any changes, including to this setting |
14400 seconds |
| Require confirmation of an action if a possible CSRF is detected | Disabled | |
| HTTP header x-frame options | The x-frame-options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> | Enabled |
| Header value | DENY | SAMEORIGIN | DENY |
| HTTP header x-xss-protection | The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | Enabled |
| Header value | 0 | 1 | 1;mode=block | 1;mode=block |
| HTTP header x-content-type-options | The x-content-type-options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | Enabled |
| HTTP header content-security-policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | Enabled |
| Header value | For example, to allow your Tiki to appear in an iframe on example.com set this value to frame-ancestors https://example.com/ |
None |
| HTTP header strict-transport-security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | Enabled |
| Header value | None | |
| HTTP header public-key-pins | The public-key-pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | Enabled |
| Header value | None |
| Option | Description | Default |
|---|---|---|
| Smarty security | Enable/Disable Smarty security. If checked, you can then define allowed and disabled modifiers and tags(functions, blocks and filters) that should be or not accesible to the template. You should leave this on unless you know what you are doing. |
Enabled |
| Allowed Smarty tags | This is a list of allowed tags. It's the list of (registered / autoloaded) function-, block and filter plugins that should be accessible to the template. If empty, no restriction by allowed_tags. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Disabled Smarty tags | This is a list of disabled tags. It's the list of (registered / autoloaded) function-, block and filter plugins that may not be accessible to the template. If empty, no restriction by disabled_tags. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Allowed Smarty modifiers | This is the list of allowed modifier plugins. It's the array of (registered / autoloaded) modifiers that should be accessible to the template. If this array is non-empty, only the herein listed modifiers may be used. This is a whitelist. If empty, no restriction by allowed_modifiers. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Disabled Smarty modifiers | This is a list of disabled modifier plugins. It's the list of (registered / autoloaded) modifiers that may not be accessible to the template. If empty, no restriction by disabled_modifiers. This may be needed for custom templates. Use "," to separate values There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty directories | Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing. |
None |
| HTML purifier | HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also ensure that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. |
Enabled |
| Output should be HTML purified | This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, you should make sure your HTML is valid or de-activate this feature. |
Disabled |
| Protect all sessions with HTTPS | Always redirect to HTTPS to prevent a session hijack through network sniffing. Warning: activate only if SSL is already configured; otherwise, all users including admin will be locked out of the site |
Disabled |
| HTTP Basic Authentication | Check credentials from HTTP Basic Authentication, which is useful to allow webservices to use credentials. Disable | SSL Only (Recommended) | Always |
Disable |
| Prevent common passwords | For improved security, prevent users from creating blacklisted passwords. Use default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist. | Disabled |
| Require admin users to enter their password for some critical actions | User password will be required for critical operations that can compromise the system security or stability, like adding users to the admin group | Enabled |
| Allow sending newsletters through external clients | Generate mailto links using the recipients as the BCC list. This will expose the list if email addresses to all users allowed to send newsletters. |
Disabled |
| Validate uploaded file content | Do not trust user input and open the files to verify their content. | Enabled |
| Allow the tiki_p_trust_input permission. | Bypass user input filtering. Note: all permissions are granted to the Admins group including this one, so if you enable this you may expose your site to XSS (Cross Site Scripting) attacks for admin users. |
Disabled |
| Quick permission assignment | Quickperms are an interface in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object. | Enabled |
| Verify HTTPS certificates of remote servers | When set to enforce, the server will fail to connect over HTTPS to a remote server that do not have a SSL certificate that is valid and can be verified against the local list of Certificate Authority (CA) Do not enforce verification | Enforce verification |
None |
| Use CURL for HTTP connections | Use CURL instead of sockets for server to server HTTP connections, when sockets are not available. | Disabled |
| Debugger console | A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking 'Quick Administration->Smarty debug window' or by appending ?show_smarty_debug=1 or &show_smarty_debug=1 to the page URL. You may also execute SQL, watch vars and perform a number of other functions. Only viewable by admins Not suitable for production use. |
Disabled |
| Tiki template viewing | May not be functional in Tiki 14+ | Disabled |
| Edit templates | May not be functional in Tiki 14+ | Disabled |
| Edit CSS | Edit CSS files directly in the browser. May not be functional in Tiki 14+ |
Disabled |
| User encryption | Tiki user encryption enables a personal, secure storage of sensitive data, e.g. password. Only the user can see the data. No decryption passwords are stored. Enable personal, secure storage of sensitive data such as passwords This is an experimental feature. Using it may cause loss of the encrypted data. |
Disabled |
| Password domains | Securely store extra user passwords and other user specific data for other "domains", or just for yourself | Userkey |
| Use short lived CSRF tokens | CSRF tokens generated will be valid for one use only and will have a limited life span Changing the CSRF tokens to be short lived may lead to an increase of errors on submitting information when the users take a long time to finish an operation or the session is lost. |
Disabled |
| Security timeout | Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set, otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case.Minimum value is 30 seconds to avoid blocking everyone from being able to make any changes, including to this setting |
14400 seconds |
| Require confirmation of an action if a possible CSRF is detected | Disabled | |
| HTTP header x-frame options | The x-frame-options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> | Enabled |
| Header value | DENY | SAMEORIGIN | DENY |
| HTTP header x-xss-protection | The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | Enabled |
| Header value | 0 | 1 | 1;mode=block | 1;mode=block |
| HTTP header x-content-type-options | The x-content-type-options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | Enabled |
| HTTP header content-security-policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | Enabled |
| Header value | For example, to allow your Tiki to appear in an iframe on example.com set this value to frame-ancestors https://example.com/ |
None |
| HTTP header strict-transport-security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | Enabled |
| Header value | None | |
| HTTP header public-key-pins | The public-key-pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | Enabled |
| Header value | None |
| Option | Description | Default |
|---|---|---|
| Smarty security | Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing. |
Enabled |
| Extra Smarty functions | Make additional PHP functions available as Smarty functions. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty modifiers | Make additional PHP functions available as Smarty modifiers. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty directories | Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing. |
None |
| HTML purifier | HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also ensure that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. |
Enabled |
| Output should be HTML purified | This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, you should make sure your HTML is valid or de-activate this feature. |
Disabled |
| Protect all sessions with HTTPS | Always redirect to HTTPS to prevent a session hijack through network sniffing. Warning: activate only if SSL is already configured; otherwise, all users including admin will be locked out of the site |
Disabled |
| HTTP Basic Authentication | Check credentials from HTTP Basic Authentication, which is useful to allow webservices to use credentials. Disable | SSL Only (Recommended) | Always |
Disable |
| Prevent common passwords | For improved security, prevent users from creating blacklisted passwords. Use default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist. | Disabled |
| Require admin users to enter their password for some critical actions | User password will be required for critical operations that can compromise the system security or stability, like adding users to the admin group | Enabled |
| Allow sending newsletters through external clients | Generate mailto links using the recipients as the BCC list. This will expose the list if email addresses to all users allowed to send newsletters. |
Disabled |
| Validate uploaded file content | Do not trust user input and open the files to verify their content. | Enabled |
| Allow the tiki_p_trust_input permission. | Bypass user input filtering. Note: all permissions are granted to the Admins group including this one, so if you enable this you may expose your site to XSS (Cross Site Scripting) attacks for admin users. |
Disabled |
| Quick permission assignment | Quickperms are an interface in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object. | Disabled |
| Verify HTTPS certificates of remote servers | When set to enforce, the server will fail to connect over HTTPS to a remote server that do not have a SSL certificate that is valid and can be verified against the local list of Certificate Authority (CA) Do not enforce verification | Enforce verification |
None |
| Use CURL for HTTP connections | Use CURL instead of sockets for server to server HTTP connections, when sockets are not available. | Disabled |
| Debugger console | A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking 'Quick Administration->Smarty debug window' or by appending ?show_smarty_debug=1 or &show_smarty_debug=1 to the page URL. You may also execute SQL, watch vars and perform a number of other functions. Only viewable by admins Not suitable for production use. |
Disabled |
| Tiki template viewing | May not be functional in Tiki 14+ | Disabled |
| Edit templates | May not be functional in Tiki 14+ | Disabled |
| Edit CSS | Edit CSS files directly in the browser. May not be functional in Tiki 14+ |
Disabled |
| User encryption | Tiki user encryption enables a personal, secure storage of sensitive data, e.g. password. Only the user can see the data. No decryption passwords are stored. Enable personal, secure storage of sensitive data such as passwords This is an experimental feature. Using it may cause loss of the encrypted data. |
Disabled |
| Password domains | Securely store extra user passwords and other user specific data for other "domains", or just for yourself | Userkey |
| Use short lived CSRF tokens | CSRF tokens generated will be valid for one use only and will have a limited life span Changing the CSRF tokens to be short lived may lead to an increase of errors on submitting information when the users take a long time to finish an operation or the session is lost. |
Disabled |
| Security timeout | Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set, otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case.Minimum value is 30 seconds to avoid blocking everyone from being able to make any changes, including to this setting |
14400 seconds |
| Require confirmation of an action if a possible CSRF is detected | Disabled | |
| HTTP header x-frame options | The x-frame-options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> | Enabled |
| Header value | DENY | SAMEORIGIN | DENY |
| HTTP header x-xss-protection | The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | Enabled |
| Header value | 0 | 1 | 1;mode=block | 1;mode=block |
| HTTP header x-content-type-options | The x-content-type-options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | Enabled |
| HTTP header content-security-policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | Enabled |
| Header value | For example, to allow your Tiki to appear in an iframe on example.com set this value to frame-ancestors https://example.com/ |
None |
| HTTP header strict-transport-security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | Enabled |
| Header value | None | |
| HTTP header public-key-pins | The public-key-pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | Enabled |
| Header value | None |
| Option | Description | Default |
|---|---|---|
| Smarty security | Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing. |
Enabled |
| Extra Smarty functions | Make additional PHP functions available as Smarty functions. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty modifiers | Make additional PHP functions available as Smarty modifiers. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty directories | Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing. |
None |
| HTML purifier | HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also ensure that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. |
Enabled |
| Output should be HTML purified | This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, you should make sure your HTML is valid or de-activate this feature. |
Disabled |
| Protect all sessions with HTTPS | Always redirect to HTTPS to prevent a session hijack through network sniffing. Warning: activate only if SSL is already configured; otherwise, all users including admin will be locked out of the site |
Disabled |
| HTTP Basic Authentication | Check credentials from HTTP Basic Authentication, which is useful to allow webservices to use credentials. Disable | SSL Only (Recommended) | Always |
Disable |
| Prevent common passwords | For improved security, prevent users from creating blacklisted passwords. Use default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist. | Disabled |
| Require admin users to enter their password for some critical actions | User password will be required for critical operations that can compromise the system security or stability, like adding users to the admin group | Enabled |
| Allow sending newsletters through external clients | Generate mailto links using the recipients as the BCC list. This will expose the list if email addresses to all users allowed to send newsletters. |
Disabled |
| Validate uploaded file content | Do not trust user input and open the files to verify their content. | Enabled |
| Allow the tiki_p_trust_input permission. | Bypass user input filtering. Note: all permissions are granted to the Admins group including this one, so if you enable this you may expose your site to XSS (Cross Site Scripting) attacks for admin users. |
Disabled |
| Quick permission assignment | Quickperms are an interface in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object. | Disabled |
| Verify HTTPS certificates of remote servers | When set to enforce, the server will fail to connect over HTTPS to a remote server that do not have a SSL certificate that is valid and can be verified against the local list of Certificate Authority (CA) Do not enforce verification | Enforce verification |
None |
| Use CURL for HTTP connections | Use CURL instead of sockets for server to server HTTP connections, when sockets are not available. | Disabled |
| Debugger console | A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking 'Quick Administration->Smarty debug window' or by appending ?show_smarty_debug=1 or &show_smarty_debug=1 to the page URL. You may also execute SQL, watch vars and perform a number of other functions. Only viewable by admins Not suitable for production use. |
Disabled |
| Tiki template viewing | May not be functional in Tiki 14+ | Disabled |
| Edit templates | May not be functional in Tiki 14+ | Disabled |
| Edit CSS | Edit CSS files directly in the browser. May not be functional in Tiki 14+ |
Disabled |
| User encryption | Tiki user encryption enables a personal, secure storage of sensitive data, e.g. password. Only the user can see the data. No decryption passwords are stored. Enable personal, secure storage of sensitive data such as passwords This is an experimental feature. Using it may cause loss of the encrypted data. |
Disabled |
| Password domains | Securely store extra user passwords and other user specific data for other "domains", or just for yourself | Userkey |
| Use short lived CSRF tokens | CSRF tokens generated will be valid for one use only and will have a limited life span Changing the CSRF tokens to be short lived may lead to an increase of errors on submitting information when the users take a long time to finish an operation or the session is lost. |
Disabled |
| Security timeout | Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set, otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case.Minimum value is 30 seconds to avoid blocking everyone from being able to make any changes, including to this setting |
14400 seconds |
| Require confirmation of an action if a possible CSRF is detected | Disabled | |
| HTTP header x-frame options | The x-frame-options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> | Disabled |
| Header value | DENY | SAMEORIGIN | DENY |
| HTTP header x-xss-protection | The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | Disabled |
| Header value | 0 | 1 | 1;mode=block | 1;mode=block |
| HTTP header x-content-type-options | The x-content-type-options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | Disabled |
| HTTP header content-security-policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | Disabled |
| Header value | For example, to allow your Tiki to appear in an iframe on example.com set this value to frame-ancestors https://example.com/ |
None |
| HTTP header strict-transport-security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | Disabled |
| Header value | None | |
| HTTP header public-key-pins | The public-key-pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | Disabled |
| Header value | None |
| Option | Description | Default |
|---|---|---|
| Smarty security | Do not allow PHP code in Smarty templates. You should leave this on unless you know what you are doing. |
Enabled |
| Extra Smarty functions | Make additional PHP functions available as Smarty functions. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty modifiers | Make additional PHP functions available as Smarty modifiers. This may be needed for custom templates. There may be security implications. Make sure you know what you are doing. |
None |
| Extra Smarty directories | Make additional directories available as Smarty directories. This may be needed for custom icons (clear temp/cache after changing). There may be security implications. Make sure you know what you are doing. |
None |
| HTML purifier | HTML Purifier is a standards-compliant HTML filter library written in PHP and integrated in Tiki. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also ensure that your documents are standards-compliant. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. If you use HTML in your wiki page and it gets stripped out or rewritten, make sure your HTML is valid, or de-activate this feature. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax and produce unwanted results. |
Enabled |
| Output should be HTML purified | This activates HTML Purifier on wiki content and other outputs, to filter out potential security problems like XSS code. Keep in mind that HTML Purifier is not HTML5 compatible and may rewrite HTML5 syntax, producing unwanted results. If you are trying to use HTML in your pages and it gets stripped out, you should make sure your HTML is valid or de-activate this feature. |
Disabled |
| Protect all sessions with HTTPS | Always redirect to HTTPS to prevent a session hijack through network sniffing. Warning: activate only if SSL is already configured; otherwise, all users including admin will be locked out of the site |
Disabled |
| HTTP Basic Authentication | Check credentials from HTTP Basic Authentication, which is useful to allow webservices to use credentials. Disable | SSL Only (Recommended) | Always |
Disable |
| Prevent common passwords | For improved security, prevent users from creating blacklisted passwords. Use default blacklist or create custom blacklists through Control Panel -> Log in -> Password Blacklist. | Disabled |
| Allow sending newsletters through external clients | Generate mailto links using the recipients as the BCC list. This will expose the list if email addresses to all users allowed to send newsletters. |
Disabled |
| Validate uploaded file content | Do not trust user input and open the files to verify their content. | Enabled |
| Allow the tiki_p_trust_input permission. | Bypass user input filtering. Note: all permissions are granted to the Admins group including this one, so if you enable this you may expose your site to XSS (Cross Site Scripting) attacks for admin users. |
Disabled |
| Quick permission assignment | Quickperms are an interface in addition to the normal edit-permissions page, for quick assignment of permissions for a page or other object. | Disabled |
| Verify HTTPS certificates of remote servers | When set to enforce, the server will fail to connect over HTTPS to a remote server that do not have a SSL certificate that is valid and can be verified against the local list of Certificate Authority (CA) Do not enforce verification | Enforce verification |
None |
| Use CURL for HTTP connections | Use CURL instead of sockets for server to server HTTP connections, when sockets are not available. | Disabled |
| Debugger console | A popup console with a list of all PHP and Smarty variables used to render the current webpage. It can be viewed by clicking 'Quick Administration->Smarty debug window' or by appending ?show_smarty_debug=1 or &show_smarty_debug=1 to the page URL. You may also execute SQL, watch vars and perform a number of other functions. Only viewable by admins Not suitable for production use. |
Disabled |
| Tiki template viewing | May not be functional in Tiki 14+ | Disabled |
| Edit templates | May not be functional in Tiki 14+ | Disabled |
| Edit CSS | Edit CSS files directly in the browser. May not be functional in Tiki 14+ |
Disabled |
| User encryption | Tiki user encryption enables a personal, secure storage of sensitive data, e.g. password. Only the user can see the data. No decryption passwords are stored. Enable personal, secure storage of sensitive data such as passwords This is an experimental feature. Using it may cause loss of the encrypted data. |
Disabled |
| Password domains | Securely store extra user passwords and other user specific data for other "domains", or just for yourself | Userkey |
| Security timeout | Sets the expiration of CSRF tickets and related forms. The session_lifetime preference is used for the default, if set, otherwise the session.gc_maxlifetime php.ini setting is used, subject to a default maximum of four hours in any case.Minimum value is 30 seconds to avoid blocking everyone from being able to make any changes, including to this setting |
14400 seconds |
| Require confirmation of an action if a possible CSRF is detected | Disabled | |
| HTTP header x-frame options | The x-frame-options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> | Disabled |
| Header value | DENY | SAMEORIGIN | DENY |
| HTTP header x-xss-protection | The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | Disabled |
| Header value | 0 | 1 | 1;mode=block | 1;mode=block |
| HTTP header x-content-type-options | The x-content-type-options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | Disabled |
| HTTP header content-security-policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | Disabled |
| Header value | For example, to allow your Tiki to appear in an iframe on example.com set this value to frame-ancestors https://example.com/ |
None |
| HTTP header strict-transport-security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | Disabled |
| Header value | None | |
| HTTP header public-key-pins | The public-key-pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | Disabled |
| Header value | None |
Security - OpenPGP
| Option | Description | Default |
|---|---|---|
| PGP/MIME encrypted email messaging | Use OpenPGP PGP/MIME-compliant encrypted email messaging. All email messaging, notifications, and newsletters are sent as PGP/MIME-encrypted messages, signed with the signer key, and are completely opaque to outsiders. All user accounts need to be properly configured in a gnupg keyring with public keys associated with their tiki-account-related email addresses. Enable only if gpg, keyring, and tikiaccounts are properly configured for PGP/MIME functionality. NOTE: Requires that all accounts have their public-keys configured into gnupg-keyring, so do not allow non-administred registrations (or e.g. non-configured emails for newsletters etc) to site if this feature turned on. |
Disabled |
| Path to gnupg keyring | Full directory path to gnupg keyring (default /home/www/.gnupg/ ). The directory, related subdirectories (e.g., a subdirectory 'signer'), and files must have proper permissions for tiki to access/read the directories/files, and create/delete necessary temporary workfiles there. | /home/www/.gnupg/ |
| Path to gpg executable | Full path to gpg executable. | /usr/bin/gpg |
| Read signer pass phrase from prefs or from a file | Read GnuPG signer pass phrase from preferences or from a file (default is 'file' ). With file option, configure other preference for the full path including the filename of the file containing the GnuPG signer private-key pass phrase. preferences | file |
Preferences |
| Signer pass phrase | GnuPG signer private-key passphrase. Define pass phrase either here or in a signer pass phrase file. leave empty if read from file |
None |
| Path to signer pass phrase filename | Full path including the filename of the file containing the GnuPG signer private-key pass phrase. The directory and file must have proper permissions for tiki to access/read the signer pass phrase file. | /home/www/.gnupg/signer/sig... |
| Option | Description | Default |
|---|---|---|
| PGP/MIME encrypted email messaging | Use OpenPGP PGP/MIME-compliant encrypted email messaging. All email messaging, notifications, and newsletters are sent as PGP/MIME-encrypted messages, signed with the signer key, and are completely opaque to outsiders. All user accounts need to be properly configured in a gnupg keyring with public keys associated with their tiki-account-related email addresses. Enable only if gpg, keyring, and tikiaccounts are properly configured for PGP/MIME functionality. NOTE: Requires that all accounts have their public-keys configured into gnupg-keyring, so do not allow non-administred registrations (or e.g. non-configured emails for newsletters etc) to site if this feature turned on. |
Disabled |
| Path to gnupg keyring | Full directory path to gnupg keyring (default /home/www/.gnupg/ ). The directory, related subdirectories (e.g., a subdirectory 'signer'), and files must have proper permissions for tiki to access/read the directories/files, and create/delete necessary temporary workfiles there. | /home/www/.gnupg/ |
| Path to gpg executable | Full path to gpg executable. | /usr/bin/gpg |
| Read signer pass phrase from prefs or from a file | Read GnuPG signer pass phrase from preferences or from a file (default is 'file' ). With file option, configure other preference for the full path including the filename of the file containing the GnuPG signer private-key pass phrase. preferences | file |
Preferences |
| Signer pass phrase | GnuPG signer private-key passphrase. Define pass phrase either here or in a signer pass phrase file. leave empty if read from file |
None |
| Path to signer pass phrase filename | Full path including the filename of the file containing the GnuPG signer private-key pass phrase. The directory and file must have proper permissions for tiki to access/read the signer pass phrase file. | /home/www/.gnupg/signer/sig... |
| Option | Description | Default |
|---|---|---|
| PGP/MIME encrypted email messaging | Use OpenPGP PGP/MIME-compliant encrypted email messaging. All email messaging, notifications, and newsletters are sent as PGP/MIME-encrypted messages, signed with the signer key, and are completely opaque to outsiders. All user accounts need to be properly configured in a gnupg keyring with public keys associated with their tiki-account-related email addresses. Enable only if gpg, keyring, and tikiaccounts are properly configured for PGP/MIME functionality. NOTE: Requires that all accounts have their public-keys configured into gnupg-keyring, so do not allow non-administred registrations (or e.g. non-configured emails for newsletters etc) to site if this feature turned on. |
Disabled |
| Path to gnupg keyring | Full directory path to gnupg keyring (default /home/www/.gnupg/ ). The directory, related subdirectories (e.g., a subdirectory 'signer'), and files must have proper permissions for tiki to access/read the directories/files, and create/delete necessary temporary workfiles there. | /home/www/.gnupg/ |
| Path to gpg executable | Full path to gpg executable. | /usr/bin/gpg |
| Read signer pass phrase from prefs or from a file | Read GnuPG signer pass phrase from preferences or from a file (default is 'file' ). With file option, configure other preference for the full path including the filename of the file containing the GnuPG signer private-key pass phrase. preferences | file |
Preferences |
| Signer pass phrase | GnuPG signer private-key passphrase. Define pass phrase either here or in a signer pass phrase file. leave empty if read from file |
None |
| Path to signer pass phrase filename | Full path including the filename of the file containing the GnuPG signer private-key pass phrase. The directory and file must have proper permissions for tiki to access/read the signer pass phrase file. | /home/www/.gnupg/signer/sig... |
| Option | Description | Default |
|---|---|---|
| PGP/MIME encrypted email messaging | Use OpenPGP PGP/MIME-compliant encrypted email messaging. All email messaging, notifications, and newsletters are sent as PGP/MIME-encrypted messages, signed with the signer key, and are completely opaque to outsiders. All user accounts need to be properly configured in a gnupg keyring with public keys associated with their tiki-account-related email addresses. Enable only if gpg, keyring, and tikiaccounts are properly configured for PGP/MIME functionality. NOTE: Requires that all accounts have their public-keys configured into gnupg-keyring, so do not allow non-administred registrations (or e.g. non-configured emails for newsletters etc) to site if this feature turned on. |
Disabled |
| Path to gnupg keyring | Full directory path to gnupg keyring (default /home/www/.gnupg/ ). The directory, related subdirectories (e.g., a subdirectory 'signer'), and files must have proper permissions for tiki to access/read the directories/files, and create/delete necessary temporary workfiles there. | /home/www/.gnupg/ |
| Path to gpg executable | Full path to gpg executable. | /usr/bin/gpg |
| Read signer pass phrase from prefs or from a file | Read GnuPG signer pass phrase from preferences or from a file (default is 'file' ). With file option, configure other preference for the full path including the filename of the file containing the GnuPG signer private-key pass phrase. preferences | file |
Preferences |
| Signer pass phrase | GnuPG signer private-key passphrase. Define pass phrase either here or in a signer pass phrase file. leave empty if read from file |
None |
| Path to signer pass phrase filename | Full path including the filename of the file containing the GnuPG signer private-key pass phrase. The directory and file must have proper permissions for tiki to access/read the signer pass phrase file. | /home/www/.gnupg/signer/sig... |
| Option | Description | Default |
|---|---|---|
| PGP/MIME encrypted email messaging | Use OpenPGP PGP/MIME-compliant encrypted email messaging. All email messaging, notifications, and newsletters are sent as PGP/MIME-encrypted messages, signed with the signer key, and are completely opaque to outsiders. All user accounts need to be properly configured in a gnupg keyring with public keys associated with their tiki-account-related email addresses. Enable only if gpg, keyring, and tikiaccounts are properly configured for PGP/MIME functionality. NOTE: Requires that all accounts have their public-keys configured into gnupg-keyring, so do not allow non-administred registrations (or e.g. non-configured emails for newsletters etc) to site if this feature turned on. |
Disabled |
| Path to gnupg keyring | Full directory path to gnupg keyring (default /home/www/.gnupg/ ). The directory, related subdirectories (e.g., a subdirectory 'signer'), and files must have proper permissions for tiki to access/read the directories/files, and create/delete necessary temporary workfiles there. | /home/www/.gnupg/ |
| Path to gpg executable | Full path to gpg executable. | /usr/bin/gpg |
| Read signer pass phrase from prefs or from a file | Read GnuPG signer pass phrase from preferences or from a file (default is 'file' ). With file option, configure other preference for the full path including the filename of the file containing the GnuPG signer private-key pass phrase. preferences | file |
Preferences |
| Signer pass phrase | GnuPG signer private-key passphrase. Define pass phrase either here or in a signer pass phrase file. leave empty if read from file |
None |
| Path to signer pass phrase filename | Full path including the filename of the file containing the GnuPG signer private-key pass phrase. The directory and file must have proper permissions for tiki to access/read the signer pass phrase file. | /home/www/.gnupg/signer/sig... |
Security - Search results
| Option | Description | Default |
|---|---|---|
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
| Option | Description | Default |
|---|---|---|
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
| Option | Description | Default |
|---|---|---|
| Ignore category viewing restrictions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results |
Disabled |
| Ignore individual object permissions | Display items the user may not be entitled to view in search results. Will improve performance, but may show forbidden results. |
Disabled |
Security - Site access
| Option | Description | Default |
|---|---|---|
| Close site | Use this setting to "close" the Tiki site (such as for maintenance). Users attempting to access the site will see only a log-in form. Only users with specific permission will be allowed to log in. Use the Message to display to specify the message that visitors will see when attempting to access your site. | Disabled |
| Title | Coming soon | |
| Message | Site is closed for maintena... | |
| Close site when server load is above the threshold | Use this option to "close" the Tiki site when the server load exceeds a specific threshold. Only users with specific permission will be allowed to log in. Use "Maximum average server load threshold in the last minute" to define the maximum server load. Use the "Message to display" to specify the message that visitors will see when attempting to access the site. | Disabled |
| Maximum average server load threshold in the last minute | 3 | |
| Site Busy Title | Server too busy | |
| Site Busy Message | Server is currently too bus... | |
| Enable intrusion detection system | An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. | Disabled |
| Custom rules file | temp/ids_custom_rules.json | |
| Intrusion detection system mode | Define IDS operation mode, log only, or log and block with impact over a given threshold. Log only | Log and block requests |
Log only |
| Intrusion detection system threshold | Define IDS threshold, when configured in "Log and block requests" more. | 0 |
| Log to file | ids.log | |
| Log to database | Disabled |
| Option | Description | Default |
|---|---|---|
| Close site | Use this setting to "close" the Tiki site (such as for maintenance). Users attempting to access the site will see only a log-in form. Only users with specific permission will be allowed to log in. Use the Message to display to specify the message that visitors will see when attempting to access your site. | Disabled |
| Title | Coming soon | |
| Message | Site is closed for maintena... | |
| Close site when server load is above the threshold | Use this option to "close" the Tiki site when the server load exceeds a specific threshold. Only users with specific permission will be allowed to log in. Use "Maximum average server load threshold in the last minute" to define the maximum server load. Use the "Message to display" to specify the message that visitors will see when attempting to access the site. | Disabled |
| Maximum average server load threshold in the last minute | 3 | |
| Site Busy Title | Server too busy | |
| Site Busy Message | Server is currently too bus... | |
| Enable intrusion detection system | An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. | Disabled |
| Custom rules file | temp/ids_custom_rules.json | |
| Intrusion detection system mode | Define IDS operation mode, log only, or log and block with impact over a given threshold. Log only | Log and block requests |
Log only |
| Intrusion detection system threshold | Define IDS threshold, when configured in "Log and block requests" more. | 0 |
| Log to file | ids.log | |
| Log to database | Disabled |
| Option | Description | Default |
|---|---|---|
| Close site | Use this setting to "close" the Tiki site (such as for maintenance). Users attempting to access the site will see only a log-in form. Only users with specific permission will be allowed to log in. Use the Message to display to specify the message that visitors will see when attempting to access your site. | Disabled |
| Title | Coming soon | |
| Message | Site is closed for maintena... | |
| Close site when server load is above the threshold | Use this option to "close" the Tiki site when the server load exceeds a specific threshold. Only users with specific permission will be allowed to log in. Use "Maximum average server load threshold in the last minute" to define the maximum server load. Use the "Message to display" to specify the message that visitors will see when attempting to access the site. | Disabled |
| Maximum average server load threshold in the last minute | 3 | |
| Site Busy Title | Server too busy | |
| Site Busy Message | Server is currently too bus... | |
| Enable intrusion detection system | An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. | Disabled |
| Custom rules file | temp/ids_custom_rules.json | |
| Intrusion detection system mode | Define IDS operation mode, log only, or log and block with impact over a given threshold. Log only | Log and block requests |
Log only |
| Intrusion detection system threshold | Define IDS threshold, when configured in "Log and block requests" more. | 0 |
| Log to file | ids.log | |
| Log to database | Disabled |
| Option | Description | Default |
|---|---|---|
| Close site | Use this setting to \"close\" the Tiki site (such as for maintenance). Users attempting to access the site will see only a log-in form. Only users with specific permission will be allowed to log in. Use the Message to display to specify the message that visitors will see when attempting to access your site. | Disabled |
| Title | Coming soon | |
| Message | Site is closed for maintena... | |
| Close site when server load is above the threshold | Use this option to "close" the Tiki site when the server load exceeds a specific threshold. Only users with specific permission will be allowed to log in. Use "Maximum average server load threshold in the last minute" to define the maximum server load. Use the "Message to display" to specify the message that visitors will see when attempting to access the site. | Disabled |
| Maximum average server load threshold in the last minute | 3 | |
| Site Busy Title | Server too busy | |
| Site Busy Message | Server is currently too bus... | |
| Enable intrusion detection system | An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. | Disabled |
| Custom rules file | temp/ids_custom_rules.json | |
| Intrusion detection system mode | Define IDS operation mode, log only, or log and block with impact over a given threshold. Log only | Log and block requests |
Log only |
| Intrusion detection system threshold | Define IDS threshold, when configured in "Log and block requests" more. | 0 |
| Log to file | ids.log | |
| Log to database | Disabled |
| Option | Description | Default |
|---|---|---|
| Close site | Use this setting to \"close\" the Tiki site (such as for maintenance). Users attempting to access the site will see only a log-in form. Only users with specific permission will be allowed to log in. Use the Message to display to specify the message that visitors will see when attempting to access your site. | Disabled |
| Title | Coming soon | |
| Message | Site is closed for maintena... | |
| Close site when server load is above the threshold | Use this option to "close" the Tiki site when the server load exceeds a specific threshold. Only users with specific permission will be allowed to log in. Use "Maximum average server load threshold in the last minute" to define the maximum server load. Use the "Message to display" to specify the message that visitors will see when attempting to access the site. | Disabled |
| Maximum average server load threshold in the last minute | 3 | |
| Site Busy Title | Server too busy | |
| Site Busy Message | Server is currently too bus... | |
| Enable intrusion detection system | An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. | Disabled |
| Custom rules file | temp/ids_custom_rules.json | |
| Intrusion detection system mode | Define IDS operation mode, log only, or log and block with impact over a given threshold. Log only | Log and block requests |
Log only |
| Intrusion detection system threshold | Define IDS threshold, when configured in "Log and block requests" more. | 0 |
| Log to file | ids.log | |
| Log to database | Disabled |
Security - Spam protection
| Option | Description | Default |
|---|---|---|
| Anonymous editors must enter anti-bot code (CAPTCHA) | Use CAPTCHA to ensure that anonymous input is from a person. | Enabled |
| CAPTCHA image word length | Number of characters the CAPTCHA will display. | 6 characters |
| CAPTCHA image width | Width of the CAPTCHA image in pixels. | 180 pixels |
| CAPTCHA image noise | Level of noise of the CAPTCHA image. Choose a smaller number for less noise and easier reading. |
100 |
| Use reCAPTCHA | Use reCAPTCHA, a specialized captcha service, instead of default CAPTCHA You will need to register at http://www.google.com/recaptcha |
Disabled |
| Site key | reCAPTCHA public key obtained after registering. | None |
| Secret key | reCAPTCHA private key obtained after registering. | None |
| reCAPTCHA theme | Choose a theme for the reCAPTCHA widget. Clean | Black Glass | Red | White |
Clean |
| Version | reCAPTCHA version. 1.0 | 2.0 | 3.0 |
2.0 |
| CAPTCHA questions | Requires anonymous visitors to enter the answer to a question. | Disabled |
| CAPTCHA questions and answers | Add some simple questions that only humans should be able to answer, in the format: "Question?: Answer" with one per line One question per line with a colon separating the question and answer |
None |
| Protect email against spam | Protect email against spam submissions. Protect email against spam currently does not operate in pages edited in WYSIWYG mode (Tiki 6.1) |
Enabled |
| Add "rel=nofollow" to external links | Nofollow is used to instruct some search engines that the link should not influence the ranking of the link's target in the search engine's index. | Disabled |
| Banning system | Deny access to specific users based on username, IP, and date/time range. | Disabled |
| Ban usernames and emails | Banning rules use both email and username to match rules. | Disabled |
| Attempts number | Number of attempts user is allowed to login incorrectly before banning them from further attempts. | 5 |
| Banning system | The duration of the incorrect login attempts ban in minutes. | 30 |
| Comments moderation | Enables the admin or other authorized group member to validate comments before they are visible | Disabled |
| Use Akismet to filter comments | Prevent comment spam by using the Akismet service to determine if the comment is spam. If comment moderation is enabled, Akismet will indicate if the comment is to be moderated or not. If there is no comment moderation, the comment will be rejected if considered to be spam. | Disabled |
| Akismet API Key | Key required for the Akismet comment spam prevention. Obtain this key by registering your site at http://akismet.com |
None |
| Filter spam for registered users | Activate spam filtering for registered users as well. Useful if your site allows anyone to register without screening. | Disabled |
| Require passcode to register | Users must enter an alphanumeric code to register. The site administrator must inform users of this code. This is to restrict registration to invited users. | Disabled |
| Passcode | Alphanumeric code required to complete the registration | None |
| Show passcode on registration form | Displays the required passcode on the registration form. This is helpful for legitimate users who want to register while making it difficult for automated robots because the passcode is unique for each site and because it is displayed in JavaScript. | Disabled |
| Registration page key | To register, users need to go to, for example: tiki-register.php?key=yourregistrationkeyvalue Key required to be on included the URL to access the registration page (if not empty). |
None |
| Option | Description | Default |
|---|---|---|
| Anonymous editors must enter anti-bot code (CAPTCHA) | Use CAPTCHA to ensure that anonymous input is from a person. | Enabled |
| CAPTCHA image word length | Number of characters the CAPTCHA will display. | 6 characters |
| CAPTCHA image width | Width of the CAPTCHA image in pixels. | 180 pixels |
| CAPTCHA image noise | Level of noise of the CAPTCHA image. Choose a smaller number for less noise and easier reading. |
100 |
| Use reCAPTCHA | Use reCAPTCHA, a specialized captcha service, instead of default CAPTCHA You will need to register at http://www.google.com/recaptcha |
Disabled |
| Site key | reCAPTCHA public key obtained after registering. | None |
| Secret key | reCAPTCHA private key obtained after registering. | None |
| reCAPTCHA theme | Choose a theme for the reCAPTCHA widget. Clean | Black Glass | Red | White |
Clean |
| Version | reCAPTCHA version. 1.0 | 2.0 | 3.0 |
2.0 |
| CAPTCHA questions | Requires anonymous visitors to enter the answer to a question. | Disabled |
| CAPTCHA questions and answers | Add some simple questions that only humans should be able to answer, in the format: "Question?: Answer" with one per line One question per line with a colon separating the question and answer |
None |
| Protect email against spam | Protect email against spam submissions. Protect email against spam currently does not operate in pages edited in WYSIWYG mode (Tiki 6.1) |
Enabled |
| Add "rel=nofollow" to external links | Nofollow is used to instruct some search engines that the link should not influence the ranking of the link's target in the search engine's index. | Disabled |
| Banning system | Deny access to specific users based on username, IP, and date/time range. | Disabled |
| Ban usernames and emails | Banning rules use both email and username to match rules. | Disabled |
| Attempts number | Number of attempts user is allowed to login incorrectly before banning them from further attempts. | 5 |
| Banning system | The duration of the incorrect login attempts ban in minutes. | 30 |
| Comments moderation | Enables the admin or other authorized group member to validate comments before they are visible | Disabled |
| Use Akismet to filter comments | Prevent comment spam by using the Akismet service to determine if the comment is spam. If comment moderation is enabled, Akismet will indicate if the comment is to be moderated or not. If there is no comment moderation, the comment will be rejected if considered to be spam. | Disabled |
| Akismet API Key | Key required for the Akismet comment spam prevention. Obtain this key by registering your site at http://akismet.com |
None |
| Filter spam for registered users | Activate spam filtering for registered users as well. Useful if your site allows anyone to register without screening. | Disabled |
| Require passcode to register | Users must enter an alphanumeric code to register. The site administrator must inform users of this code. This is to restrict registration to invited users. | Disabled |
| Passcode | Alphanumeric code required to complete the registration | None |
| Show passcode on registration form | Displays the required passcode on the registration form. This is helpful for legitimate users who want to register while making it difficult for automated robots because the passcode is unique for each site and because it is displayed in JavaScript. | Disabled |
| Registration page key | To register, users need to go to, for example: tiki-register.php?key=yourregistrationkeyvalue Key required to be on included the URL to access the registration page (if not empty). |
None |
| Option | Description | Default |
|---|---|---|
| Anonymous editors must enter anti-bot code (CAPTCHA) | Use CAPTCHA to ensure that anonymous input is from a person. | Enabled |
| CAPTCHA image word length | Number of characters the CAPTCHA will display. | 6 characters |
| CAPTCHA image width | Width of the CAPTCHA image in pixels. | 180 pixels |
| CAPTCHA image noise | Level of noise of the CAPTCHA image. Choose a smaller number for less noise and easier reading. |
100 |
| Use reCAPTCHA | Use reCAPTCHA, a specialized captcha service, instead of default CAPTCHA You will need to register at http://www.google.com/recaptcha |
Disabled |
| Site key | reCAPTCHA public key obtained after registering. | None |
| Secret key | reCAPTCHA private key obtained after registering. | None |
| reCAPTCHA theme | Choose a theme for the reCAPTCHA widget. Clean | Black Glass | Red | White |
Clean |
| Version | reCAPTCHA version. 1.0 | 2.0 | 3.0 |
2.0 |
| CAPTCHA questions | Requires anonymous visitors to enter the answer to a question. | Disabled |
| CAPTCHA questions and answers | Add some simple questions that only humans should be able to answer, in the format: "Question?: Answer" with one per line One question per line with a colon separating the question and answer |
None |
| Protect email against spam | Protect email against spam submissions. Protect email against spam currently does not operate in pages edited in WYSIWYG mode (Tiki 6.1) |
Enabled |
| Add "rel=nofollow" to external links | Nofollow is used to instruct some search engines that the link should not influence the ranking of the link's target in the search engine's index. | Disabled |
| Banning system | Deny access to specific users based on username, IP, and date/time range. | Disabled |
| Ban usernames and emails | Banning rules use both email and username to match rules. | Disabled |
| Attempts number | Number of attempts user is allowed to login incorrectly before banning them from further attempts. | 5 |
| Banning system | The duration of the incorrect login attempts ban in minutes. | 30 |
| Comments moderation | Enables the admin or other authorized group member to validate comments before they are visible | Disabled |
| Use Akismet to filter comments | Prevent comment spam by using the Akismet service to determine if the comment is spam. If comment moderation is enabled, Akismet will indicate if the comment is to be moderated or not. If there is no comment moderation, the comment will be rejected if considered to be spam. | Disabled |
| Akismet API Key | Key required for the Akismet comment spam prevention. Obtain this key by registering your site at http://akismet.com |
None |
| Filter spam for registered users | Activate spam filtering for registered users as well. Useful if your site allows anyone to register without screening. | Disabled |
| Require passcode to register | Users must enter an alphanumeric code to register. The site administrator must inform users of this code. This is to restrict registration to invited users. | Disabled |
| Passcode | Alphanumeric code required to complete the registration | None |
| Show passcode on registration form | Displays the required passcode on the registration form. This is helpful for legitimate users who want to register while making it difficult for automated robots because the passcode is unique for each site and because it is displayed in JavaScript. | Disabled |
| Registration page key | To register, users need to go to, for example: tiki-register.php?key=yourregistrationkeyvalue Key required to be on included the URL to access the registration page (if not empty). |
None |
| Option | Description | Default |
|---|---|---|
| Anonymous editors must enter anti-bot code (CAPTCHA) | Use CAPTCHA to ensure that anonymous input is from a person. | Enabled |
| CAPTCHA image word length | Number of characters the CAPTCHA will display. | 6 characters |
| CAPTCHA image width | Width of the CAPTCHA image in pixels. | 180 pixels |
| CAPTCHA image noise | Level of noise of the CAPTCHA image. Choose a smaller number for less noise and easier reading. |
100 |
| Use reCAPTCHA | Use reCAPTCHA, a specialized captcha service, instead of default CAPTCHA You will need to register at http://www.google.com/recaptcha |
Disabled |
| Site key | reCAPTCHA public key obtained after registering. | None |
| Secret key | reCAPTCHA private key obtained after registering. | None |
| reCAPTCHA theme | Choose a theme for the reCAPTCHA widget. Clean | Black Glass | Red | White |
Clean |
| Version | reCAPTCHA version. 1.0 | 2.0 | 3.0 |
2.0 |
| CAPTCHA questions | Requires anonymous visitors to enter the answer to a question. | Disabled |
| CAPTCHA questions and answers | Add some simple questions that only humans should be able to answer, in the format: "Question?: Answer" with one per line One question per line with a colon separating the question and answer |
None |
| Protect email against spam | Protect email against spam submissions. Protect email against spam currently does not operate in pages edited in WYSIWYG mode (Tiki 6.1) |
Enabled |
| Add "rel=nofollow" to external links | Nofollow is used to instruct some search engines that the link should not influence the ranking of the link's target in the search engine's index. | Disabled |
| Banning system | Deny access to specific users based on username, IP, and date/time range. | Disabled |
| Ban usernames and emails | Banning rules use both email and username to match rules. | Disabled |
| Comments moderation | Enables the admin or other authorized group member to validate comments before they are visible | Disabled |
| Use Akismet to filter comments | Prevent comment spam by using the Akismet service to determine if the comment is spam. If comment moderation is enabled, Akismet will indicate if the comment is to be moderated or not. If there is no comment moderation, the comment will be rejected if considered to be spam. | Disabled |
| Akismet API Key | Key required for the Akismet comment spam prevention. Obtain this key by registering your site at http://akismet.com |
None |
| Filter spam for registered users | Activate spam filtering for registered users as well. Useful if your site allows anyone to register without screening. | Disabled |
| Require passcode to register | Users must enter an alphanumeric code to register. The site administrator must inform users of this code. This is to restrict registration to invited users. | Disabled |
| Passcode | Alphanumeric code required to complete the registration | None |
| Show passcode on registration form | Displays the required passcode on the registration form. This is helpful for legitimate users who want to register while making it difficult for automated robots because the passcode is unique for each site and because it is displayed in JavaScript. | Disabled |
| Registration page key | To register, users need to go to, for example: tiki-register.php?key=yourregistrationkeyvalue Key required to be on included the URL to access the registration page (if not empty). |
None |
| Option | Description | Default |
|---|---|---|
| Anonymous editors must enter anti-bot code (CAPTCHA) | Use CAPTCHA to ensure that anonymous input is from a person. | Enabled |
| CAPTCHA image word length | Number of characters the CAPTCHA will display. | 6 characters |
| CAPTCHA image width | Width of the CAPTCHA image in pixels. | 180 pixels |
| CAPTCHA image noise | Level of noise of the CAPTCHA image. Choose a smaller number for less noise and easier reading. |
100 |
| Use reCAPTCHA | Use reCAPTCHA, a specialized captcha service, instead of default CAPTCHA You will need to register at http://www.google.com/recaptcha |
Disabled |
| Site key | reCAPTCHA public key obtained after registering. | None |
| Secret key | reCAPTCHA private key obtained after registering. | None |
| reCAPTCHA theme | Choose a theme for the reCAPTCHA widget. Clean | Black Glass | Red | White |
Clean |
| Version | reCAPTCHA version. 1.0 | 2.0 | 3.0 |
2.0 |
| CAPTCHA questions | Requires anonymous visitors to enter the answer to a question. | Disabled |
| CAPTCHA questions and answers | Add some simple questions that only humans should be able to answer, in the format: "Question?: Answer" with one per line One question per line with a colon separating the question and answer |
None |
| Protect email against spam | Protect email against spam submissions. Protect email against spam currently does not operate in pages edited in WYSIWYG mode (Tiki 6.1) |
Enabled |
| Add "rel=nofollow" to external links | Nofollow is used to instruct some search engines that the link should not influence the ranking of the link's target in the search engine's index. | Disabled |
| Banning system | Deny access to specific users based on username, IP, and date/time range. | Disabled |
| Attempts number | Number of attempts user is allowed to login incorrectly before banning them from further attempts. | 5 |
| Banning system | The duration of the incorrect login attempts ban in minutes. | 30 |
| Comments moderation | Enables the admin or other authorized group member to validate comments before they are visible | Disabled |
| Use Akismet to filter comments | Prevent comment spam by using the Akismet service to determine if the comment is spam. If comment moderation is enabled, Akismet will indicate if the comment is to be moderated or not. If there is no comment moderation, the comment will be rejected if considered to be spam. | Disabled |
| Akismet API Key | Key required for the Akismet comment spam prevention. Obtain this key by registering your site at http://akismet.com |
None |
| Filter spam for registered users | Activate spam filtering for registered users as well. Useful if your site allows anyone to register without screening. | Disabled |
| Require passcode to register | Users must enter an alphanumeric code to register. The site administrator must inform users of this code. This is to restrict registration to invited users. | Disabled |
| Passcode | Alphanumeric code required to complete the registration | None |
| Show passcode on registration form | Displays the required passcode on the registration form. This is helpful for legitimate users who want to register while making it difficult for automated robots because the passcode is unique for each site and because it is displayed in JavaScript. | Disabled |
| Registration page key | To register, users need to go to, for example: tiki-register.php?key=yourregistrationkeyvalue Key required to be on included the URL to access the registration page (if not empty). |
None |
Security - Tokens
| Option | Description | Default |
|---|---|---|
| Token access | With the presentation of a token, allow access to the content with elevated rights. The primary use of this authentication method is to grant temporary access to content to an external service. | Disabled |
| Token access default timeout | The default duration for which the generated tokens will be valid. | 604800 seconds |
| Token access default maximum hits | The default maximum number of times a token can be used before it expires. | 10 hits |
| Share access rights with friends when using Share | Allow users to share their access rights for the current page with a friend when sending the link by email, Twitter, or Facebook. The lifespan of the link is defined by the site. | Disabled |
| Do not delete temporary users when token is deleted/expired | Normally temporary users created (see tiki-adminusers.php) are deleted when their access token is deleted/expired. If turned on, this will keep those users around (and can be manually deleted later) but they will have no groups and therefore no perms | Disabled |
| Option | Description | Default |
|---|---|---|
| Token access | With the presentation of a token, allow access to the content with elevated rights. The primary use of this authentication method is to grant temporary access to content to an external service. | Disabled |
| Token access default timeout | The default duration for which the generated tokens will be valid. | 604800 seconds |
| Token access default maximum hits | The default maximum number of times a token can be used before it expires. | 10 hits |
| Share access rights with friends when using Share | Allow users to share their access rights for the current page with a friend when sending the link by email, Twitter, or Facebook. The lifespan of the link is defined by the site. | Disabled |
| Do not delete temporary users when token is deleted/expired | Normally temporary users created (see tiki-adminusers.php) are deleted when their access token is deleted/expired. If turned on, this will keep those users around (and can be manually deleted later) but they will have no groups and therefore no perms | Disabled |
| Option | Description | Default |
|---|---|---|
| Token access | With the presentation of a token, allow access to the content with elevated rights. The primary use of this authentication method is to grant temporary access to content to an external service. | Disabled |
| Token access default timeout | The default duration for which the generated tokens will be valid. | 604800 seconds |
| Token access default maximum hits | The default maximum number of times a token can be used before it expires. | 10 hits |
| Share access rights with friends when using Share | Allow users to share their access rights for the current page with a friend when sending the link by email, Twitter, or Facebook. The lifespan of the link is defined by the site. | Disabled |
| Do not delete temporary users when token is deleted/expired | Normally temporary users created (see tiki-adminusers.php) are deleted when their access token is deleted/expired. If turned on, this will keep those users around (and can be manually deleted later) but they will have no groups and therefore no perms | Disabled |
| Option | Description | Default |
|---|---|---|
| Token access | With the presentation of a token, allow access to the content with elevated rights. The primary use of this authentication method is to grant temporary access to content to an external service. | Disabled |
| Token access default timeout | The default duration for which the generated tokens will be valid. | 604800 seconds |
| Token access default maximum hits | The default maximum number of times a token can be used before it expires. | 10 hits |
| Share access rights with friends when using Share | Allow users to share their access rights for the current page with a friend when sending the link by email, Twitter, or Facebook. The lifespan of the link is defined by the site. | Disabled |
| Do not delete temporary users when token is deleted/expired | Normally temporary users created (see tiki-adminusers.php) are deleted when their access token is deleted/expired. If turned on, this will keep those users around (and can be manually deleted later) but they will have no groups and therefore no perms | Disabled |
| Option | Description | Default |
|---|---|---|
| Token access | With the presentation of a token, allow access to the content with elevated rights. The primary use of this authentication method is to grant temporary access to content to an external service. | Disabled |
| Token access default timeout | The default duration for which the generated tokens will be valid. | 604800 seconds |
| Token access default maximum hits | The default maximum number of times a token can be used before it expires. | 10 hits |
| Share access rights with friends when using Share | Allow users to share their access rights for the current page with a friend when sending the link by email, Twitter, or Facebook. The lifespan of the link is defined by the site. | Disabled |
| Do not delete temporary users when token is deleted/expired | Normally temporary users created (see tiki-adminusers.php) are deleted when their access token is deleted/expired. If turned on, this will keep those users around (and can be manually deleted later) but they will have no groups and therefore no perms | Disabled |
Security - SEFURL
| Option | Description | Default |
|---|---|---|
| Search engine friendly URL | If the site is using Apache, you can rename _htaccess as .htaccess to use short URLs. On IIS, rename web_config as web.config | Disabled |
| Canonical URL tag | Indicates to search engines which URL to use, to prevent duplicate listings | Enabled |
| HTTPS for user-specific links | When building notification emails, RSS feeds, the canonical URL or other externally available links, use HTTPS when the content applies to a specific user. HTTPS must be configured on the server. | Disabled |
| Canonical URL domain | If this is a testing site with duplicate content, you may want to put the real site domain here so search engines don't index the testing site. In complex perspective setups using multiple domains, you may want more control on which canonical domain is advertised. | None |
| Wiki URL scheme | Alter the SEFURL pattern for page names. Use the "View" action to regenerate your URLs after changing this setting. Replace spaces with dashes | Replace spaces with underscores | URL Encode (Tiki Classic) |
Replace spaces with dashes |
| Custom Routes | Custom routes allow the definition of URLs by the admin, that can be mapped to existing Tiki objects like pages and trackers. "Add BASE tag in the page HEAD" is required when you have "/" as part of the URL. | Enabled |
| Short URL | Provides the ability to create a short url, easy to share. | Disabled |
| Short URL base URL | The base URL that is used when generating short URLs, including the HTTP prefix, example: "http://www.example.com". By default will use the URL of the current website. | None |
| SEFURL postfilter | Do not enable this feature as most Tiki features output friendly URLs and this feature has high processor overhead. | Disabled |
| Max size of title in the search engine friendly URL (Tracker Items and Forum Threads) | Limit the number of characters in the tracker item or forum thread title. | 200 |
| Article title in SEFURL | The article title rather than article number can be displayed in the search engine friendly URL. | Enabled |
| Blog title in SEFURL | The blog title rather than blog number can be displayed in the search engine friendly URL. | Enabled |
| Display forum thread or forum post title in the search engine friendly URL | Enabled | |
| Tracker title in SEFURL | To display the title, you should disable `Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page` | Enabled |
| Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page | This redirection uses the wiki prefix alias feature | Disabled |
| Use Only ASCII in SEFURLs | Do not use accented characters in short (search engine friendly) URLs. | Disabled |
| URL Frgament format | Provides ability to change anchor format Set to "Complete" to change the encoding and allow anchors to contain other characters in addition to ASCII letters and digits. Strict | Complete |
Strict |
| URL Fragment Guesser | Scroll to the closest anchor when the one indicated in the URL is missing in a page. | Disabled |
| Option | Description | Default |
|---|---|---|
| Search engine friendly URL | If the site is using Apache, you can rename _htaccess as .htaccess to use short URLs. On IIS, rename web_config as web.config | Disabled |
| Canonical URL tag | Indicates to search engines which URL to use, to prevent duplicate listings | Enabled |
| HTTPS for user-specific links | When building notification emails, RSS feeds, the canonical URL or other externally available links, use HTTPS when the content applies to a specific user. HTTPS must be configured on the server. | Disabled |
| Canonical URL domain | If this is a testing site with duplicate content, you may want to put the real site domain here so search engines don't index the testing site. In complex perspective setups using multiple domains, you may want more control on which canonical domain is advertised. | None |
| Wiki URL scheme | Alter the SEFURL pattern for page names. Use the "View" action to regenerate your URLs after changing this setting. Replace spaces with dashes | Replace spaces with underscores | URL Encode (Tiki Classic) |
Replace spaces with dashes |
| Custom Routes | Custom routes allow the definition of URLs by the admin, that can be mapped to existing Tiki objects like pages and trackers. "Add BASE tag in the page HEAD" is required when you have "/" as part of the URL. | Enabled |
| Short URL | Provides the ability to create a short url, easy to share. | Disabled |
| Short URL base URL | The base URL that is used when generating short URLs, including the HTTP prefix, example: "http://www.example.com". By default will use the URL of the current website. | None |
| SEFURL postfilter | Do not enable this feature as most Tiki features output friendly URLs and this feature has high processor overhead. | Disabled |
| Max size of title in the search engine friendly URL (Tracker Items and Forum Threads) | Limit the number of characters in the tracker item or forum thread title. | 200 |
| Article title in SEFURL | The article title rather than article number can be displayed in the search engine friendly URL. | Enabled |
| Blog title in SEFURL | The blog title rather than blog number can be displayed in the search engine friendly URL. | Enabled |
| Display forum thread or forum post title in the search engine friendly URL | Enabled | |
| Tracker title in SEFURL | To display the title, you should disable `Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page` | Enabled |
| Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page | This redirection uses the wiki prefix alias feature | Disabled |
| Use Only ASCII in SEFURLs | Do not use accented characters in short (search engine friendly) URLs. | Disabled |
| URL Frgament format | Provides ability to change anchor format Set to "Complete" to change the encoding and allow anchors to contain other characters in addition to ASCII letters and digits. Strict | Complete |
Strict |
| URL Fragment Guesser | Scroll to the closest anchor when the one indicated in the URL is missing in a page. | Disabled |
| Option | Description | Default |
|---|---|---|
| Search engine friendly URL | If the site is using Apache, you can rename _htaccess as .htaccess to use short URLs. On IIS, rename web_config as web.config | Disabled |
| Canonical URL tag | Indicates to search engines which URL to use, to prevent duplicate listings | Enabled |
| HTTPS for user-specific links | When building notification emails, RSS feeds, the canonical URL or other externally available links, use HTTPS when the content applies to a specific user. HTTPS must be configured on the server. | Disabled |
| Canonical URL domain | If this is a testing site with duplicate content, you may want to put the real site domain here so search engines don't index the testing site. In complex perspective setups using multiple domains, you may want more control on which canonical domain is advertised. | None |
| Wiki URL scheme | Alter the SEFURL pattern for page names. Use the "View" action to regenerate your URLs after changing this setting. Replace spaces with dashes | Replace spaces with underscores | URL Encode (Tiki Classic) |
Replace spaces with dashes |
| Custom Routes | Custom routes allow the definition of URLs by the admin, that can be mapped to existing Tiki objects like pages and trackers. "Add BASE tag in the page HEAD" is required when you have "/" as part of the URL. | Disabled |
| Short URL | Provides the ability to create a short url, easy to share. | Disabled |
| Short URL base URL | The base URL that is used when generating short URLs, including the HTTP prefix, example: "http://www.example.com". By default will use the URL of the current website. | None |
| SEFURL postfilter | Do not enable this feature as most Tiki features output friendly URLs and this feature has high processor overhead. | Disabled |
| Max size of title in the search engine friendly URL (Tracker Items and Forum Threads) | Limit the number of characters in the tracker item or forum thread title. | 200 |
| Article title in SEFURL | The article title rather than article number can be displayed in the search engine friendly URL. | Enabled |
| Blog title in SEFURL | The blog title rather than blog number can be displayed in the search engine friendly URL. | Enabled |
| Display forum thread or forum post title in the search engine friendly URL | Enabled | |
| Tracker title in SEFURL | To display the title, you should disable `Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page` | Disabled |
| Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page | This redirection uses the wiki prefix alias feature | Disabled |
| Use Only ASCII in SEFURLs | Do not use accented characters in short (search engine friendly) URLs. | Disabled |
| Option | Description | Default |
|---|---|---|
| Search engine friendly URL | If the site is using Apache, you can rename _htaccess as .htaccess to use short URLs. On IIS, rename web_config as web.config | Disabled |
| Canonical URL tag | Indicates to search engines which URL to use, to prevent duplicate listings | Enabled |
| HTTPS for user-specific links | When building notification emails, RSS feeds, the canonical URL or other externally available links, use HTTPS when the content applies to a specific user. HTTPS must be configured on the server. | Disabled |
| Canonical URL domain | If this is a testing site with duplicate content, you may want to put the real site domain here so search engines don't index the testing site. In complex perspective setups using multiple domains, you may want more control on which canonical domain is advertised. | None |
| Wiki URL scheme | Alter the SEFURL pattern for page names. Use the "View" action to regenerate your URLs after changing this setting. Replace spaces with dashes | Replace spaces with underscores | URL Encode (Tiki Classic) |
Replace spaces with dashes |
| Custom Routes | Custom routes allow the definition of URLs by the admin, that can be mapped to existing Tiki objects like pages and trackers. "Add BASE tag in the page HEAD" is required when you have "/" as part of the URL. | Disabled |
| Short URL | Provides the ability to create a short url, easy to share. | Disabled |
| Short URL base URL | The base URL that is used when generating short URLs, including the HTTP prefix, example: "http://www.example.com". By default will use the URL of the current website. | None |
| SEFURL postfilter | Do not enable this feature as most Tiki features output friendly URLs and this feature has high processor overhead. | Disabled |
| Max size of title in the search engine friendly URL (Tracker Items and Forum Threads) | Limit the number of characters in the tracker item or forum thread title. | 200 |
| Article title in SEFURL | The article title rather than article number can be displayed in the search engine friendly URL. | Enabled |
| Blog title in SEFURL | The blog title rather than blog number can be displayed in the search engine friendly URL. | Enabled |
| Display forum thread or forum post title in the search engine friendly URL | Enabled | |
| Tracker title in SEFURL | To display the title, you should disable `Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page` | Disabled |
| Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page | This redirection uses the wiki prefix alias feature | Disabled |
| Use Only ASCII in SEFURLs | Do not use accented characters in short (search engine friendly) URLs. | Disabled |
| Option | Description | Default |
|---|---|---|
| Search engine friendly URL | If the site is using Apache, you can rename _htaccess as .htaccess to use short URLs. On IIS, rename web_config as web.config | Disabled |
| Canonical URL tag | Indicates to search engines which URL to use, to prevent duplicate listings | Enabled |
| HTTPS for user-specific links | When building notification emails, RSS feeds, the canonical URL or other externally available links, use HTTPS when the content applies to a specific user. HTTPS must be configured on the server. | Disabled |
| Canonical URL domain | If this is a testing site with duplicate content, you may want to put the real site domain here so search engines don't index the testing site. In complex perspective setups using multiple domains, you may want more control on which canonical domain is advertised. | None |
| Wiki URL scheme | Alter the SEFURL pattern for page names. Use the "View" action to regenerate your URLs after changing this setting. Replace spaces with dashes | Replace spaces with underscores | URL Encode (Tiki Classic) |
Replace spaces with dashes |
| Custom Routes | Custom routes allow the definition of URLs by the admin, that can be mapped to existing Tiki objects like pages and trackers. "Add BASE tag in the page HEAD" is required when you have "/" as part of the URL. | Disabled |
| Short URL | Provides the ability to create a short url, easy to share. | Disabled |
| Short URL base URL | The base URL that is used when generating short URLs, including the HTTP prefix, example: "http://www.example.com". By default will use the URL of the current website. | None |
| SEFURL postfilter | Do not enable this feature as most Tiki features output friendly URLs and this feature has high processor overhead. | Disabled |
| Max size of title in the search engine friendly URL (Tracker Items and Forum Threads) | Limit the number of characters in the tracker item or forum thread title. | 200 |
| Article title in SEFURL | The article title rather than article number can be displayed in the search engine friendly URL. | Enabled |
| Blog title in SEFURL | The blog title rather than blog number can be displayed in the search engine friendly URL. | Enabled |
| Display forum thread or forum post title in the search engine friendly URL | Enabled | |
| Tracker title in SEFURL | To display the title, you should disable `Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page` | Disabled |
| Rewrite tiki-view_tracker.php?itemId=yyy to Prefixyyy page | This redirection uses the wiki prefix alias feature | Disabled |
| Use Only ASCII in SEFURLs | Do not use accented characters in short (search engine friendly) URLs. | Disabled |