Security Settings in Vanilla - HL Vanilla Community
<main> <article class="userContent"> <p>Security is an important aspect of any online environment, especially your Vanilla community. Your users trust that you are making sure that <em>their data is stored and transmitted securely</em>.</p><p>This article provides guidance on how to <strong>use and set the settings</strong> on the Security (dashboard/settings/security) page in the Dashboard.</p><h2 data-id="access-the-security-page">Access the Security page</h2><ol><li>Access the Dashboard.</li><li>Navigate to <strong>Settings > Technical > Security</strong>.</li></ol><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/0HCY8RNZVHEX/nav-security-page.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/0HCY8RNZVHEX/nav-security-page.png" alt="NAV-Security page.png" height="388" width="845" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>📝 <strong>NOTE</strong>: When you set and/or change any settings on this page, be sure to scroll down and click <strong>Save</strong>.</p><p>Configure the security settings as described in the sections that follow.</p><h2 data-id="leave-the-forum-alert">Leave-the-forum alert</h2><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/CMC4AQPBBMFS/link-warning-enable.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/CMC4AQPBBMFS/link-warning-enable.png" alt="Link warning enable.png" height="308" width="621" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>Use this toggle to enable a system message that displays when users click any <strong>external link</strong> <em>in a 
post</em>. The message alerts users that the link will navigate them away from the community.</p><p>When enabled and an external link is clicked, the current page refreshes and displays the "leave this page" alert. Users can either:</p><ul><li>click <strong>Back</strong> to return to the Vanilla community page, or</li><li>click the link to continue to the external site.</li></ul><h3 data-id="notes">Notes</h3><ul><li><strong>Trusted Domain</strong> - The system-message page does <strong>not</strong> open if the external link is to a Trusted Domain (described in the next section).</li><li><strong>External Links</strong> - In Vanilla, all links <em>open in the current window</em>, possibly navigating you out of your Vanilla community site. To prevent this, enable the <a href="https://success.vanillaforums.com/kb/articles/565" rel="nofollow noreferrer ugc">Link Types</a> addon.</li><li><strong>Smart Embeds</strong> - This does <strong>not</strong> apply to <a href="https://success.vanillaforums.com/kb/articles/56" rel="nofollow noreferrer ugc">Smart Embed links</a>. By design, Smart Embed links <em>always open in a new tab/window</em>.</li><li><strong>User Sessions</strong> - If a user continues to the external site, they are <strong>not</strong> logged out of their current Vanilla session. 
(This does not affect the <em>Session Timeout</em> settings; the user simply loses the tab that hosted the Vanilla community, unless the <a href="https://success.vanillaforums.com/kb/articles/565" rel="nofollow noreferrer ugc">Link Types</a> addon is enabled or they've right-clicked to open the link in a new tab/window.)</li></ul><h2 data-id="trusted-domains">Trusted Domains</h2><p>A <strong>trusted domain</strong> is a domain that is known to and trusted by your Vanilla community.</p><ul><li>If your Vanilla community uses <em>Rich Editor 2</em>, users will only be able to embed <strong>iFrame </strong>content in their discussions and comments from domains <em>you've specifically added to your trusted domains</em>. For example, if <code class="code codeInline" spellcheck="false" tabindex="0">vidyard.com</code> is not listed here, users will not be able to iFrame Vidyard videos in their discussions/comments. This is done intentionally to ensure users cannot bring content into your Vanilla community from unapproved, and potentially unsafe, sources.<ul><li><a href="https://success.vanillaforums.com/kb/articles/336" rel="nofollow noreferrer ugc">Check out this article</a> to learn more about iFrame embeds, including how to use them and examples of iFramed content in action. 
</li></ul></li><li>This caveat only applies to embedding iFrame content; <strong>Smart Embeds</strong> are always allowed, as they are from pre-approved, "safe" sites, such as YouTube, Vimeo, etc.<ul><li> <a href="https://success.vanillaforums.com/kb/articles/330" rel="nofollow noreferrer ugc">Check out this article</a> to learn how to use Smart Embeds, and which sites are approved.</li></ul></li></ul><p>✔️ <strong>TIP</strong>: Refer to <strong>Formatting domain URLs</strong>, below, for information on specifying valid URLs and using wildcards in this field.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/KGAUDQTYVZUU/trusted-domains.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/KGAUDQTYVZUU/trusted-domains.png" alt="Trusted Domains.png" height="168" width="686" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>In this section, you can add any external domains that your community considers "safe." Your community users will <strong>not</strong> be alerted when they click a link to a domain that is included in this "safelist."</p><ul><li>Type/paste valid domain names, <em>one per line</em>, in the field.</li></ul><p>📝 <strong>NOTE</strong>: The system queries this list even when the "Leave-the-Forum alert" is disabled, in the event that a widget does not respect the alert setting.</p><ul><li>To learn about the <strong>Link Types</strong> addon, which <em>automatically opens external URLs in a new browser tab</em>, see:</li></ul><p><a href="https://success.vanillaforums.com/kb/articles/565" rel="nofollow noreferrer ugc">Link Types - Vanilla Success</a></p><h2 data-id="content-security-domains">Content Security Domains</h2><p>You can specify a list of external domains from which your community is allowed to load JavaScript.</p><p>✔️ <strong>TIP</strong>: Refer to <strong>Formatting domain URLs</strong>, below, for information on specifying valid URLs and using wildcards in this field.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/LBMBTJMQMYLV/content-security-domains.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/LBMBTJMQMYLV/content-security-domains.png" alt="Content Security Domains.png" height="170" width="686" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <ul><li>Type/paste valid domain names, <em>one per line</em>, in the field.</li></ul><h2 data-id="formatting-domain-urls">Formatting domain URLs</h2><p>It's important that the URLs in your <strong>Trusted Domains</strong> and <strong>Content Security Domains</strong> fields are properly formatted.</p><p>⭐️ <strong>EXAMPLE</strong>: Below are a few examples that illustrate:</p><ul><li>domains that <strong>are</strong> and <strong>are not</strong> valid, and why</li><li>domains <em>with wildcards</em> that <strong>are</strong> and <strong>are not</strong> valid, and why</li></ul><p>Specified URL = <code class="code codeInline" 
spellcheck="false" tabindex="0">eventbrite.com</code></p><ul><li>eventbrite.com ✅ (valid)</li><li>events.eventbrite.com ❌ (not valid; "events" is <em>part of</em> the domain name)</li><li>eventbrite.events.com ❌ (not valid; "events" is <em>the domain name</em>)</li><li>eventbrite.com/events ✅ (valid; "events" is <em>after</em> the domain name)</li></ul><p>Specified URL = <code class="code codeInline" spellcheck="false" tabindex="0">*.eventbrite.*</code> (note the <strong>asterisk character</strong> [<strong>*</strong>] used as a wildcard); allows traffic to all Eventbrite sites (www.eventbrite.com, eventbrite.com, eventbrite.com.au, eventbrite.de, etc.)</p><ul><li>eventbrite.com ✅ (valid)</li><li>events.eventbrite.com ✅ (valid; "events" is acceptable in this position of the domain name due to the wildcard)</li><li>eventbrite.events.com ✅ (valid; "events" is acceptable in this position of the domain name due to the wildcard)</li><li>eventbrite.com/events ✅ (valid; "events" is <em>after</em> the domain name, so the wildcard is not applicable)</li></ul><h2 data-id="http-strict-transport-security-(hsts)-settings">HTTP Strict Transport Security (HSTS) Settings</h2><p><strong>HTTP Strict Transport Security</strong> (<strong>HSTS</strong>) helps protect websites against attacks by letting a web server "tell" web browsers that they should interact with it only over the more secure <em>HTTPS connections</em>, never over plain HTTP.</p><p>This section has three options that work independently of one another but which, when used together, offer maximum security and protection.</p><p>📝 <strong>NOTE</strong>: Right-click and open (in a new tab) the HSTS Preload page to specify any domains you want included in Google Chrome's preload list.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/FASUONNUTYO2/http-strict-transport-security.png" 
rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/FASUONNUTYO2/http-strict-transport-security.png" alt="HTTP Strict Transport Security.png" height="389" width="795" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <h3 data-id="max-age">Max Age</h3><p>This specifies how long, after a browser receives the STS header field, it treats the sending host as a known <strong>HSTS Host</strong>.</p><ul><li>Choose one of the options to set the length of time.</li></ul><h3 data-id="include-subdomains">Include Subdomains</h3><p>This signals that the HSTS Policy applies to this HSTS Host as well as to any subdomains of the host's domain name.</p><ul><li>Slide the toggle to the right to enable this rule.</li></ul><h3 data-id="preload">Preload</h3><p>This makes it possible for website admins to have user agents (UAs, i.e. browsers) shipped by the UA vendors with the HSTS Policy for their sites already configured.</p><ul><li>Slide the toggle to the right to enable preloading.</li></ul><h2 data-id="logins-section">Logins section</h2><p>These settings are specific to the user experience in your Vanilla community.</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/8E2E695E606D/logins.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/8E2E695E606D/logins.png" alt="Logins.png" height="219" width="681" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <h3 data-id="session-timeout">Session Timeout</h3><p>You can set a <em>timeout threshold for user sessions</em>. 
If a user is signed in but inactive for the set duration, the system automatically signs out that user as a security measure.</p><ul><li>Click the dropdown to choose one of several timeout periods, ranging from <strong>1 hour</strong> to <strong>1 month</strong>.</li></ul><p>📝 <strong>NOTE</strong>: This is applicable to the Basic and Approval registration types only. It's not applicable if you're using SSO.</p><h3 data-id="password-minimum-length">Password Minimum Length</h3><p>You can set the <em>minimum number of required characters</em> for your community’s user passwords.</p><ul><li>The default minimum length is <strong>12 characters</strong>.</li></ul><h4 data-id="password-notes">Password notes</h4><ul><li>This requirement is enforced on all password "create" and "reset" pages.</li><li>The "strength" of user passwords in your Vanilla community is determined solely by the password length because Vanilla does not require numbers or "special" characters in user passwords.<ul><li>Numbers and "special" characters are acceptable, but <em>optional</em>.</li></ul></li></ul><p>To learn more about <em>Vanilla user passwords and their requirements</em>, see:</p><p><a href="https://success.vanillaforums.com/kb/articles/88" rel="nofollow noreferrer ugc">Account Password Overview - Vanilla Success</a></p> </article> </main>
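<p>The domain-matching rules laid out under <strong>Formatting domain URLs</strong> above, as an added worked example that is not Vanilla's own code: a small Python matcher in which each <code>*</code> in a field entry stands for zero or more DNS labels, and only the hostname of a URL is compared, never its path. The function names and the sample field contents are mine.</p>

```python
"""Added example: the Trusted Domains / Content Security Domains matching rules
as documented in the article. Illustrative code, not Vanilla's implementation:
a '*' label matches zero or more DNS labels, and only the hostname is compared."""
from urllib.parse import urlsplit


def parse_domain_list(field_text):
    """The dashboard field holds one domain per line; blank lines are ignored."""
    return [line.strip().lower() for line in field_text.splitlines() if line.strip()]


def hostname_of(url):
    """Hostname of a full URL or a bare 'host/path' string, lower-cased, port
    stripped. The path is deliberately ignored, so 'eventbrite.com/events' is
    judged on 'eventbrite.com' alone, as the article's examples require."""
    if "//" not in url:
        url = "//" + url  # give urlsplit a network-location part to parse
    return urlsplit(url).hostname or ""


def _labels_match(pattern, labels):
    """Match label lists: '*' consumes zero or more labels; any other label must
    equal the label in that position, so 'eventbrite.com' does not cover
    'events.eventbrite.com' but '*.eventbrite.*' does."""
    if not pattern:
        return not labels
    if pattern[0] == "*":
        return any(_labels_match(pattern[1:], labels[i:])
                   for i in range(len(labels) + 1))
    if not labels or pattern[0] != labels[0]:
        return False
    return _labels_match(pattern[1:], labels[1:])


def domain_matches(entry, url):
    """True if one field entry (e.g. 'eventbrite.com' or '*.eventbrite.*')
    covers the host of url."""
    host = hostname_of(url)
    return bool(host) and _labels_match(entry.lower().split("."), host.split("."))


def is_trusted(url, field_text):
    """True if any line typed into the field covers the URL's host."""
    return any(domain_matches(entry, url) for entry in parse_domain_list(field_text))


if __name__ == "__main__":
    # Constructed sample: the article's two entries against its four test URLs.
    for entry in ("eventbrite.com", "*.eventbrite.*"):
        for url in ("eventbrite.com", "events.eventbrite.com",
                    "eventbrite.events.com", "eventbrite.com/events"):
            print(f"{entry:16} {url:24} {'valid' if domain_matches(entry, url) else 'not valid'}")
```

<p>Matching on the parsed hostname is what keeps a trusted name appearing in a path, or as a prefix of a longer host, from being mistaken for the trusted domain itself. Note how broad a trailing <code>*</code> is: as the article's own list shows, <code>*.eventbrite.*</code> also covers <code>eventbrite.events.com</code>, a host that need not belong to Eventbrite at all, so keep wildcards as narrow as the sites you actually need.</p>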
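<p>The three settings in the <strong>HTTP Strict Transport Security (HSTS) Settings</strong> section above, as an added example that is not part of the original article or of Vanilla's code: building the <code>Strict-Transport-Security</code> header value those settings produce, parsing it back the way a user agent does, and checking the combination against the preload list's published eligibility rules (a max-age of at least one year, <code>includeSubDomains</code> and <code>preload</code> all present). Class and function names are mine.</p>

```python
"""Added example: what the Max Age / Include Subdomains / Preload settings become
on the wire, and whether the combination is eligible for the HSTS preload list.
Illustrative code, not Vanilla's implementation."""
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the smallest max-age the preload list accepts


@dataclass(frozen=True)
class HstsSettings:
    max_age: int              # "Max Age" option, in seconds
    include_subdomains: bool  # "Include Subdomains" toggle
    preload: bool             # "Preload" toggle


def build_header(settings):
    """Strict-Transport-Security header value for the given dashboard settings."""
    directives = [f"max-age={settings.max_age}"]
    if settings.include_subdomains:
        directives.append("includeSubDomains")
    if settings.preload:
        directives.append("preload")
    return "; ".join(directives)


def parse_header(value):
    """Read a header value back as a user agent does: directive names are
    case-insensitive, unknown directives are ignored, max-age is mandatory."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("STS header without max-age is invalid")
    return HstsSettings(max_age, subdomains, preload)


def preload_problems(settings):
    """Reasons the policy would be refused by the preload list; empty = eligible.
    Turning on the Preload toggle alone is not enough: the other two settings
    must be strong enough as well."""
    problems = []
    if settings.max_age < ONE_YEAR:
        problems.append(f"max-age {settings.max_age} is below one year")
    if not settings.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not settings.preload:
        problems.append("preload directive is missing")
    return problems
```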