Security is an important aspect of any online environment, especially your Vanilla community. Your users trust that you are making sure that their data is stored and transmitted securely.
This article explains the settings on the Security page of the Dashboard (dashboard/settings/security) and how to set them.
Access the Security page
- Access the Dashboard.
- Navigate to Settings > Technical > Security.
📝 NOTE: When you set and/or change any settings on this page, be sure to scroll down and click Save.
Configure the security settings as described in the sections that follow.
Leave-the-forum alert
Use this toggle to enable a system message that displays when users click any external link in a post. The message alerts users that the link will navigate them away from the community.
When enabled and an external link is clicked, the current page refreshes and displays the "leave this page" alert. The alert is an awareness aid only: it does not block the navigation or inspect the destination. Users can either:
- click Back to return the Vanilla community page or
- click the link to continue to the external site.
Notes
- Trusted Domain - The system-message page does not open if the external link is to a Trusted Domain (described in the next section).
- External Links - In Vanilla, all links open in the current window, possibly navigating you out of your Vanilla community site. To prevent this, enable the Link Types addon.
- Smart Embeds - This does not apply to Smart Embed links. By design, Smart Embed links always open in a new tab/window.
- User Sessions - If a user continues to the external site, they are not logged out of their current Vanilla session. (This does not affect the Session Timeout settings; the user simply loses the tab that hosted the Vanilla community, unless the Link Types addon is enabled or they right-clicked to open the link in a new tab/window.)
Trusted Domains
A trusted domain is a domain that is known to and trusted by your Vanilla community.
- If your Vanilla community uses Rich Editor 2, users can only embed iFrame content in their discussions and comments from domains you have specifically added to your trusted domains. For example, if vidyard.com is not listed here, users cannot iFrame Vidyard videos in discussions and comments. This is an intentional security measure that prevents users from bringing content into your Vanilla community from unapproved, and potentially unsafe, sources.
- Check out this article to learn more about iFrame embeds, including how to use them and examples of iFramed content.
- This caveat only applies to embedding iFrame content; Smart Embeds are always allowed because they are from pre-approved, "safe" sites, such as YouTube and Vimeo.
✔️ TIP: Refer to Formatting domain URLs, below, for information on specifying valid URLs and using wildcards in this field.
In this section, you can add any external domains that your community considers "safe." Your community users will not be alerted when they click a link to a domain that is included in this "safelist."
- Type/paste valid domain names, one per line, in the field.
📝 NOTE: The system queries this list even when the "Leave-the-forum alert" is disabled, in case a widget does not respect the alert setting.
- To learn about the Link Types addon, which automatically opens external URLs in a new browser tab, see:
Content Security Domains
You can specify a list of domains that are safe to load JavaScript from. Any script hosted on a listed domain can run in your community's pages with full access to them, so list only the specific hosts you actually need (for example, a single CDN host) rather than broad wildcards.
✔️ TIP: Refer to Formatting domain URLs, below, for information on specifying valid URLs and using wildcards in this field.
- Type/paste valid domain names, one per line, in the field.
Formatting domain URLs
It's important that the entries in your Trusted Domains and Content Security Domains fields are properly formatted. Matching is done on the host part of a URL only: the path after the host is ignored, and without a wildcard only that exact host matches.
⭐️ EXAMPLE: Below are a few examples that illustrate:
- domains that are and are not valid, and why
- domains with wildcards that are and are not valid, and why
Specified URL = eventbrite.com
- eventbrite.com ✅ (valid; exact host match)
- events.eventbrite.com ❌ (not valid; "events" makes this a different host, and there is no wildcard to cover it)
- eventbrite.events.com ❌ (not valid; "events.com" is the domain here, not eventbrite.com)
- eventbrite.com/events ✅ (valid; "events" is a path after the host, and paths are ignored)
Specified URL = *.eventbrite.*
The asterisk character (*) is a wildcard. This entry allows traffic to all Eventbrite sites (www.eventbrite.com, eventbrite.com, eventbrite.com.au, eventbrite.de, etc.):
- eventbrite.com ✅ (valid; the leading wildcard may match no subdomain at all)
- events.eventbrite.com ✅ (valid; the leading wildcard covers the "events" subdomain)
- eventbrite.events.com ✅ (valid; the trailing wildcard covers "events.com")
- eventbrite.com/events ✅ (valid; "events" is a path after the host, so wildcarding is not involved)
📝 NOTE: By the same rule, *.eventbrite.* also matches a host such as eventbrite.example.net, which Eventbrite does not control. A trailing wildcard trusts every domain that contains the label, so use it only when you genuinely need several country-code sites; otherwise list each host explicitly.
HTTP Strict Transport Security (HSTS) Settings
HTTP Strict Transport Security (HSTS) lets a web server tell browsers that it should only ever be reached over HTTPS. Once a browser has seen the Strict-Transport-Security header from your site over HTTPS, it rewrites any http:// link to https:// for the remembered period and refuses to connect if the certificate is invalid, which defeats SSL-stripping and downgrade attempts on later visits. The header is ignored if it arrives over plain HTTP, so the very first visit is only protected if the domain is on a browser preload list.
This section has three options that work independently of one another but which, when used together, offer maximum protection.
📝 NOTE: Enabling the Preload toggle only adds the directive to the header. To have your domain built into Google Chrome's preload list (which the other major browsers also consume), you must also submit it on the HSTS Preload page (hstspreload.org).
Max Age
This is the max-age directive: how long, in seconds after the browser last received the header, it continues to treat your host as HTTPS-only. The timer is refreshed by every HTTPS response that carries the header, so a long value is safe as long as the site keeps serving it.
- Choose one of the options to set the length of time. The preload list requires at least one year (31536000 seconds).
Include Subdomains
This adds the includeSubDomains directive, which applies the HSTS policy to this host and to every subdomain of its domain name.
- Slide the toggle to the right to enable this rule.
- Before enabling it, confirm that every subdomain (including internal ones and ones hosted by other providers) serves valid HTTPS; any that does not becomes unreachable in browsers that have seen the policy.
Preload
This adds the preload directive, which signals that you consent to browser vendors shipping your HSTS policy pre-configured in their user agents (UAs), so that even a first visit is protected. Submission to the preload list requires a max-age of at least one year, Include Subdomains enabled, the preload directive, and an HTTP to HTTPS redirect. Removal from the list takes months, so treat preloading as a one-way decision.
- Slide the toggle to the right to enable preloading.
Logins
Use this section to manage user-session settings for your Vanilla community.
Session Timeout
You can set a timeout threshold for user sessions. If a user is signed in but inactive for the set time period, the system automatically signs out that user as a security measure.
- Click the dropdown to choose one of several timeout periods, ranging from 1 hour to 1 month.
📝 NOTE: This is applicable to the Basic and Approval registration types only. It's not applicable if you're using SSO.
Password Minimum Length
You can set the minimum number of characters that are required for user passwords in your community.
- The default is 12 characters.
Password notes
- This requirement is enforced on all password "create" and "reset" pages.
- The "strength" of user passwords in your community is determined solely by the password length because Vanilla does not require numbers or "special" characters in user passwords.
- Numbers and "special" characters are acceptable, but optional.
✔️ TIP: To learn more about Vanilla user passwords and their requirements, see Account Password Overview.
Number of Login Attempts
You can set a threshold for the maximum number of consecutive failed login attempts. A user who reaches this number without logging in successfully is locked out of their account.
- A user who gets locked out can:
- request help from an account Admin;
- wait the Lockout Time (described below) and then try again to log in.
- To disable this setting, specify 0. This turns off lockouts entirely and leaves accounts open to unlimited password guessing, so keep it enabled unless another layer throttles login attempts.
Lockout Time (seconds)
You can set a "wait" time for account lockouts. Users who are locked out of their accounts, because they exceeded the set number of unsuccessful login attempts, must wait the configured Lockout Time before they can try to log in again.
✔️ TIP: Use this in conjunction with the Number of Login Attempts setting above.
- Note that this setting is in seconds, not minutes. For example, 1800 seconds gives a half-hour lockout.
- To disable this setting, specify 0.
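The two settings above only make sense together, so here is an added example (not Vanilla's implementation) of the policy they describe: a per-account counter of consecutive failures that, once Number of Login Attempts is reached, refuses further attempts for Lockout Time seconds, with 0 on either setting disabling lockouts. The clock is injectable so the timing can be exercised without sleeping; the `FakeClock` helper exists only for that.

```python
import time


class FakeClock:
    """Manually advanced clock for demonstrating lockout expiry."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginLimiter:
    """Consecutive-failure lockout keyed by account identifier.

    max_attempts failed attempts in a row lock the account for
    lockout_seconds. As on the settings page, 0 for either value disables
    lockouts altogether.
    """

    def __init__(self, max_attempts: int, lockout_seconds: int,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}        # account -> consecutive failures
        self._locked_until: dict[str, float] = {}  # account -> lock expiry time

    @property
    def enabled(self) -> bool:
        return self.max_attempts > 0 and self.lockout_seconds > 0

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and start counting from zero again.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt and return "ok", "denied" or "locked".

        A locked account is refused before the password is even checked,
        which is what makes a lockout a brute-force defence.
        """
        if self.enabled and self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        if not self.enabled:
            return "denied"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= self.max_attempts:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "denied"


if __name__ == "__main__":
    # Constructed demo: 3 attempts, 1800-second (half-hour) lockout.
    clock = FakeClock()
    limiter = LoginLimiter(max_attempts=3, lockout_seconds=1800, clock=clock)
    for guess in ("wrong", "wrong", "wrong", "correct"):
        print(guess, "->", limiter.attempt("alice", guess == "correct"))
    clock.t += 1800
    print("after 1800 s ->", limiter.attempt("alice", True))
```

Note the trade-off the example makes visible: while an account is locked, even the correct password is refused, so anyone who knows a username can keep that user out by sending wrong passwords. That is why a lockout of minutes, combined with the Lockout Time being applied per account rather than per client, is the usual compromise.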
Anonymize IP Addresses
You can set whether users' IP addresses are "anonymized" and to what degree. When an IP address is anonymized, user privacy is more protected but some Vanilla community Admin tools become less effective.
📝 NOTE: In Vanilla, some Admin tools (ban rules, moderation, spam prevention) collect users' IP addresses in order to function as designed. IP Anonymization will reduce the effectiveness of these tools.
Vanilla offers three levels of anonymization in the dropdown:
Option | Description
---|---
No Anonymization | Disables anonymization; full IP addresses are stored.
Partial Anonymization | Zeroes the last octet of each IPv4 address. Example: 254.230.5.153 is stored as 254.230.5.0. Effect: provides some anonymization; IP Ban rules still function.
Full Anonymization | Replaces the entire address. Example: 254.230.5.153 is stored as 0.0.0.0. Effect: provides full anonymization; IP Ban rules no longer function as intended.
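As an added example (not Vanilla's code), the function below applies the three levels in the table to an address string. The page only describes IPv4; the IPv6 handling here (keeping the first 48 bits for "partial", returning `::` for "full") is an assumption modelled on common analytics practice, not a Vanilla behaviour. Unparseable input raises rather than being stored unchanged, which is the safer failure mode for data you intend to anonymize.

```python
import ipaddress

LEVELS = ("none", "partial", "full")


def anonymize_ip(ip_text: str, level: str) -> str:
    """Apply an anonymization level to one IP address string.

    "none"    -> the address as parsed (normalised form)
    "partial" -> IPv4: last octet zeroed (254.230.5.153 -> 254.230.5.0)
                 IPv6: low 80 bits zeroed, keeping the /48 (assumption)
    "full"    -> the unspecified address, 0.0.0.0 or ::
    """
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    # ip_address() rejects junk and ambiguous forms such as leading-zero
    # octets, so bad input fails loudly instead of leaking into storage.
    addr = ipaddress.ip_address(ip_text.strip())
    if level == "none":
        return str(addr)
    if level == "full":
        return "0.0.0.0" if addr.version == 4 else "::"
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_records(records: list[dict], level: str,
                      field: str = "InsertIPAddress") -> list[dict]:
    """Return copies of log/user records with one IP field anonymized.

    The field name is a placeholder; substitute whichever column your
    export uses.
    """
    out = []
    for record in records:
        copy = dict(record)
        if copy.get(field):
            copy[field] = anonymize_ip(copy[field], level)
        out.append(copy)
    return out


if __name__ == "__main__":
    # Constructed sample records, not real user data.
    sample = [{"UserID": 1, "InsertIPAddress": "254.230.5.153"},
              {"UserID": 2, "InsertIPAddress": "2001:db8:1234:5678::1"}]
    for level in LEVELS:
        print(level, anonymize_records(sample, level))
```

With "partial" every address in a /24 collapses to the same stored value, which is why IP Ban rules keep working at that granularity while individual users become harder to single out; with "full" nothing survives to match on.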