Security is an important aspect of any online environment, especially your Higher Logic Vanilla (Vanilla) community. Your users trust that you are making sure that their data is securely stored and transmitted.
This article provides guidance on how to manage the settings on the Security page in the Dashboard.
Domain URLs - formatting & wildcards
NOTE: This section explains how the formatting of URLs and the use of wildcards in URLs can affect the URL's validity. Review this information first before you configure your security settings.
The URLs that are specified for your Trusted Domains and Content Security Domains fields must be formatted properly in order to function and provide the expected data security.
TIP: A single asterisk (*) constitutes a "wildcard." This single character, however, can represent and be substituted with multiple characters. In other words, an * in a URL would interpret any number and type of characters as being "valid and allowed."
IMPORTANT: Exercise caution when using and placing wildcards in a URL.
Below are a few examples of:
- domains that are valid (✅), and why
- domains that are not valid (❌), and why
- domains with wildcards that are valid (✅), and why
- domains with wildcards that are not valid (❌), and why
In these examples, the URL that was specified in the Trusted Domains and Content Security Domains fields is eventbrite.com.
- eventbrite.com ✅ (valid)
- events.eventbrite.com ❌ (not valid; "events" preceding the specified URL means that this will allow only content from the events subdomain of eventbrite.com)
- eventbrite.com/events ❌ (not valid; in this instance, "events" is a path, not the domain)
- *.eventbrite.com ✅ (valid; because of the wildcard, content from all subdomains of eventbrite.com is allowed)
- *.eventbrite.* ✅❌ (valid, but dangerous; the combination of preceding and following wildcards means "allow content from all Eventbrite sites, including overseas domains." This is risky because it would also allow content from spammer sites, such as eventbrite.phishingsite.com.)
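As an added illustration (not Vanilla's own code), the following Python matcher shows how the entries above behave against clicked links under the wildcard semantics the article describes. The matching rules, the host normalization and the TRUSTED_ENTRIES list are assumptions constructed for this example; in particular it assumes a leading `*.` also covers the bare domain.

```python
import re
from urllib.parse import urlsplit

# Constructed entries mirroring the article's eventbrite.com examples (assumption).
TRUSTED_ENTRIES = ["eventbrite.com", "events.eventbrite.com",
                   "*.eventbrite.com", "*.eventbrite.*"]


def entry_is_valid(entry: str) -> bool:
    """A Trusted/Content Security Domain entry must be a host, never a URL or a path."""
    entry = entry.strip().lower()
    if not entry or "://" in entry or "/" in entry:
        return False  # "eventbrite.com/events": "events" is a path, not a domain
    return re.fullmatch(r"[a-z0-9*](?:[a-z0-9*.-]*[a-z0-9*])?", entry) is not None


def entry_to_regex(entry: str) -> re.Pattern:
    """Illustrative wildcard semantics (assumed, not Vanilla's implementation):
    '*' matches any run of characters, and a leading '*.' also matches the apex."""
    entry = entry.strip().lower()
    prefix = ""
    if entry.startswith("*."):
        prefix, entry = r"(?:.*\.)?", entry[2:]
    body = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile("^" + prefix + body + "$")


def host_of(url: str) -> str:
    """Reduce a clicked link to the host that is actually compared."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def entry_allows(entry: str, url: str) -> bool:
    """True when a single valid entry matches the link's host."""
    return entry_is_valid(entry) and entry_to_regex(entry).match(host_of(url)) is not None


def is_trusted(url: str, entries=TRUSTED_ENTRIES) -> bool:
    """True when any configured entry matches; the '*.eventbrite.*' entry is what
    makes eventbrite.phishingsite.com pass, which is the article's warning."""
    return any(entry_allows(e, url) for e in entries)
```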
Access the Security page
- Access the Dashboard.
- Navigate to Settings > Technical > Security.
NOTE: When you set and/or change any settings on this page, you must scroll down and click Save to apply them.
Configure the security settings as described in the sections that follow.
Leave-the-forum setting
In a Vanilla community site, all links open in the current window. Links could be to a different page in the community or to an external site (which means navigating users away from your community). To provide a guardrail to this, you can either:
- enable the Link Types addon to automatically open external links in a new tab and/or
- enable this "leave-the-forum" setting to notify users when a clicked link (in a post) will navigate them to an external page outside your community.
IMPORTANT: There is some nuance to how this feature works and is applied to your posts: The "current state" (ON/OFF) of this setting is applied to posts at the time of posting and does not change. Subsequent changes to this setting do not affect existing posts.
When users click an external link in a post:
- if this feature was OFF when the post was created, users are navigated out of Vanilla to the external link without a notification.
- if this feature was ON when the post was created:
  - the current page refreshes and
  - the "leave-the-forum" message informs the users that the link will navigate them away from the community, and users can either:
    - click Back to return to the Vanilla community page or
    - click the link to continue to the external site.
NOTE: Users who continue to the external site are not logged out of their current Vanilla session. (This does not affect the Session Timeout settings; the user simply loses the active tab that hosted the Vanilla community, unless the Link Types addon is enabled or they've right-clicked to open the link in a new tab/window.)
NOTE: This feature does not apply to Smart Embed links. By design, Smart Embed links always open in a new tab/window.
Trusted Domain notes
- The "leave this page" message page does not display if the external link is to a Trusted Domain (described in the next section).
- This setting is enforced at the time of posting, not when the post is rendered on the site.
- This means that if you post a link to a site that is not on the Trusted Domain list while this feature is enabled, we will re-write the link to go through our alert page.
- If you then add the site to the Trusted Domain list, all subsequent links to the site will honor the "trusted" status and open accordingly, but the "pre-existing" posts will still go through our "leave this page" message page.
NOTE: The inverse is true if you remove a site from the Trusted Domain list.
Trusted Domains
A trusted domain is a domain that is known to and trusted by your Vanilla community.
TIP: Refer to the Domain URLs - formatting & wildcards section, above, for information on specifying valid URLs and using wildcards in this field.
- If your Vanilla community uses Rich Editor, users will only be able to embed iFrame content in their posts and comments from domains you've specifically added to your trusted domains. For example, if vidyard.com is not listed here, users will not be able to iFrame Vidyard videos in posts and comments. This is an intentional security measure that prevents users from bringing content into your Vanilla community from unapproved, and potentially unsafe, sources.
- Check out this article to learn more about iFrame embeds, including how to use them and examples of iFramed content.
- This caveat applies only to embedding iFrame content; Smart Embeds are always allowed because they are from pre-approved, "safe" sites, such as YouTube and Vimeo.
In the Trusted Domains section, you can add any external domains that your community considers "safe." Your community users will not be notified when they click a link to a domain that is included in this list.
- Type/paste valid domain names, one per line, in the field.
NOTE: The system queries this list even when the "Leave-the-forum" setting is disabled, in the event that a widget does not respect that setting.
- To learn about the Link Types addon, which automatically opens external URLs in a new browser tab, see:
Content Security Domains
In the Content Security Domains section, you can specify a list of domains that are safe to load JavaScript from.
- Type/paste valid domain names, one per line, in the field.
TIP: Refer to Domain URLs - formatting & wildcards, above, for information on specifying valid URLs and using wildcards in this field.
HTTP Strict Transport Security Settings
HTTP Strict Transport Security (HSTS) helps protect websites against attacks by allowing web servers to "tell" web browsers that they should interact with them only over the more secure HTTPS connections, never over plain HTTP.
This section has three settings that work independently of one another but which, when used together, offer maximum security and protection for your Vanilla community.
NOTE: Under the section title, right-click and open (in a new tab) the HSTS Preload List Submission page to specify any domains you want included in Google Chrome's preload list. The page includes a link if you want to preload domains for other browsers, too.
Max Age
This specifies how long, after receiving the STS header field, the browser treats the sending host as a known HSTS Host. Choose an option to set the length of time:
- 1 week
- 1 month
- 1 year
- 2 years
TIP: Vanilla recommends starting with a max age of 1 week, and then increasing it to 1 month, then 1 year, once your site works as expected.
Include Subdomains
If enabled, this signals that the HSTS Policy applies to this HSTS Host, as well as any subdomains of the host's domain name.
IMPORTANT: Only enable this feature if you're sure all of your subdomains are configured for HTTPS with valid certificates.
Preload
For context, browser vendors (Chrome, Firefox, Edge, Safari, etc.) ship their browsers with a built-in list of sites that must always use HTTPS.
Enabling the Preload option makes it possible for website admins to have User Agents (UAs) pre-configured with the HSTS Policy for their sites by the browser vendors.
IMPORTANT: While it's recommended to use HSTS preloading as a best practice, you must submit your site to hstspreload.org to ensure that it's successfully pre-loaded (i.e., to get the full protection for the intended configuration).
When you submit your domain to hstspreload.org:
- Your domain gets added to the HSTS preload list.
- That list is baked directly into browser source code.
- Every major browser (the UAs) includes that list in releases.
- The browser will force HTTPS before any request is even made.
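As an added example (not Vanilla's own code), this Python snippet builds the Strict-Transport-Security header that the three settings above (Max Age, Include Subdomains, Preload) correspond to, and checks a header against the published hstspreload.org submission requirements. The MAX_AGE_SECONDS mapping is an assumption (a month is taken as 30 days).

```python
import re

# Seconds for each Max Age choice in the dashboard dropdown (assumed values).
MAX_AGE_SECONDS = {
    "1 week": 7 * 86400,
    "1 month": 30 * 86400,
    "1 year": 365 * 86400,
    "2 years": 2 * 365 * 86400,
}

# hstspreload.org requires at least one year before it accepts a submission.
PRELOAD_MIN_MAX_AGE = 31536000


def build_hsts_header(max_age: str, include_subdomains: bool, preload: bool) -> str:
    """Compose the header value the three dashboard settings express."""
    parts = [f"max-age={MAX_AGE_SECONDS[max_age]}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value: str) -> dict:
    """Split a header value into lower-cased directive names and their values."""
    directives = {}
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def preload_blockers(value: str) -> list:
    """Reasons hstspreload.org would reject this header; empty means eligible."""
    d = parse_hsts_header(value)
    problems = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least 31536000 seconds (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems
```

The recommended rollout (1 week, then 1 month, then 1 year) only becomes preload-eligible at the final stage, which the checker makes visible.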
Logins
Use the options in the Logins section to manage user-session settings for your Vanilla community.
Session Timeout
You can set a timeout threshold for user sessions. If a user is signed in but inactive for the set time period, the system automatically signs out that user as a security measure.
- Click the dropdown to choose one of several timeout periods, ranging from 1 hour to 1 month.
NOTE: This is applicable to the Basic and Approval registration types only. It's not applicable if you're using SSO.
Password Minimum Length
You can set the minimum number of characters that are required for user passwords in your community.
- The default is 12 characters.
Password notes
- This requirement is enforced on all password "create" and "reset" pages.
- The "strength" of user passwords in your community is determined solely by the password length because Vanilla does not require numbers or "special" characters in user passwords.
- Numbers and "special" characters are acceptable, but optional.
Number of Login Attempts
You can set a threshold for the maximum number of successive login attempts. A user who reaches the set limit and has not successfully logged in is then locked out of their account.
- A user who gets locked out can:
  - request help from an account Admin, or
  - wait the Lockout Time (described below) and then try again to log in.
- To disable this setting, specify 0.
Lockout Time (seconds)
You can set a "wait" time for account lockouts. Users who are locked out of their accounts, due to exceeding the set number of unsuccessful login attempts, have to wait <Lockout_Time_setting> before they can try to log in again.
TIP: Use this in conjunction with the Number of Login Attempts setting above.
- Note that this setting is in seconds, not minutes. In the image above, 1800 seconds is set in order to achieve a half-hour lockout.
- To disable this setting, specify 0.
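As an added model (not Vanilla's implementation), this Python class shows how Number of Login Attempts and Lockout Time interact, using the article's 1800-second example. The LoginThrottle class, its return codes and the treatment of 0 as "disabled" for either setting are assumptions constructed for the illustration.

```python
class LoginThrottle:
    """Illustrative lockout model for the two dashboard settings (assumed semantics)."""

    def __init__(self, max_attempts: int, lockout_seconds: int):
        self.max_attempts = max_attempts        # 0 disables the attempt limit
        self.lockout_seconds = lockout_seconds  # 0 disables the wait time
        self.failures = {}                      # user -> consecutive failed attempts
        self.locked_until = {}                  # user -> epoch seconds the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Returns 'ok', 'failed' or 'locked' for one login attempt at time `now`."""
        if self.is_locked(user, now):
            return "locked"  # even a correct password waits out the Lockout Time
        if success:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        enforced = self.max_attempts > 0 and self.lockout_seconds > 0
        if enforced and self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """The 'request help from an account Admin' path: clear the lock early."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def demo_half_hour_lockout() -> list:
    """Five bad passwords with a 1800-second Lockout Time, then a retry after 30 minutes."""
    throttle = LoginThrottle(max_attempts=5, lockout_seconds=1800)
    results = [throttle.record_attempt("alice", False, 1000 + i) for i in range(5)]
    results.append(throttle.record_attempt("alice", True, 1010))   # still locked
    results.append(throttle.record_attempt("alice", True, 1004 + 1800))  # lock expired
    return results
```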
Anonymize IP Addresses
You can set whether users' IP addresses are "anonymized" and to what degree. When an IP address is anonymized, user privacy is better protected, but some Vanilla community Admin tools become less effective.
NOTE: In Vanilla, some Admin tools (ban rules, moderation, spam prevention) collect users' IP addresses in order to function as designed. IP Anonymization will reduce the effectiveness of these tools.
Vanilla offers three levels of anonymization in the dropdown:
| Option | Description |
|---|---|
| No Anonymization | Choose this option to disable anonymization. |
| Partial Anonymization | Anonymizes the last octet of IP addresses. Example: 254.230.05.153 is anonymized to 254.230.05.0. Effect: provides some anonymization; IP Ban rules still function. |
| Full Anonymization | Anonymizes entire IP addresses. Example: 254.230.05.153 is anonymized to 0.0.0.0. Effect: provides full anonymization; IP Ban rules no longer function as intended. |
Third-party scripts
To enhance the flexibility and security of your Vanilla community when incorporating third-party content, Vanilla provides an option to conditionally include the "strict-dynamic" directive in your community's Content Security Policy (CSP).
Check out the article below to learn more.