You'll find in tiki-admin.php?page=security
The stronger settings are activated by default in new installs of Tiki25+. For previous versions, and if upgrading from <=24 to =>25, you need to activate manually. We chose not to make this automatic because these higher security measures can cause some side-effects on highly customized Tiki instances.
| Name | Description | Introduced in Tiki version |
| HTTP header X-Frame-Options | The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a | 16 |
| HTTP Header X-XSS-Protection | The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers | 16 |
| HTTP Header X-Content-Type-Options | The X-Content-Type-Options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. | 17 |
| HTTP Header Content-Security-Policy | The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page. | 17 |
| HTTP Header Strict-Transport-Security | The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. | 17 |
| HTTP Header Public-Key-Pins | The Public-Key-Pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. | 17 |
| HTTP Header Set-Cookie | The HTTP Set-Cookie response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response. The Set-Cookie header has the following attributes: cookie-name: Defines the cookie name and its value. A cookie definition begins with a name-value pair. Domain: Defines the host to which the cookie will be sent. Expires: Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. See Date for the required formatting. If unspecified, the cookie becomes a session cookie. A session finishes when the client shuts down, after which the session cookie is removed. Max Age: Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence. Partitioned: Indicates that the cookie should be stored using partitioned storage. Note that if this is set, the Secure directive must also be set. See Cookies Having Independent Partitioned State (CHIPS) for more details. Path: Indicates the path that must exist in the requested URL for the browser to send the Cookie header. SameSite: Controls whether or not a cookie is sent with cross-site requests: that is, requests originating from a different site, including the scheme, from the site that set the cookie. This provides some protection against certain cross-site attacks, including cross-site request forgery (CSRF) attacks. Secure: Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks. | 31 |