Security is an important aspect of any online environment, especially your Higher Logic Vanilla (Vanilla) community. Your users trust that you are making sure that their data is securely stored and transmitted.
This article explains the settings on the Security page (dashboard/settings/security) in the Dashboard and how to configure them.
Domain URLs - formatting & wildcards
This section provides information on how the formatting of URLs and the use of wildcards in URLs can affect the URL's validity. Before you configure your security settings, review this information for a better understanding of these aspects.
The URLs that are specified for your Trusted Domains and Content Security Domains fields have to be properly formatted in order to properly function and provide the expected data security.
✔️ TIP: A single asterisk (*) is a "wildcard": this one character stands for any number of characters of any type. In other words, wherever an * appears in a URL, any characters in that position are treated as "valid and allowed."
🛑 WARNING: Exercise caution when using and placing wildcards in a URL.
Below are a few examples of:
- domains that are valid (✅), and why
- domains that are not valid (❌), and why
- domains with wildcards that are valid (✅), and why
- domains with wildcards that are not valid (❌), and why
In these examples, the URL that was specified in the Trusted Domains and Content Security Domains fields is eventbrite.com.
- eventbrite.com ✅ (valid)
- events.eventbrite.com ❌ (not valid; "events" preceding the specified URL means that this will allow only content from the events subdomain of eventbrite.com)
- eventbrite.com/events ❌ (not valid; in this instance, "events" is a path, not the domain)
- *.eventbrite.com ✅ (valid; because of the wildcard, content from all subdomains of eventbrite.com is allowed)
- *.eventbrite.* ✅❌ (valid, but dangerous; the combination of preceding and following wildcards means "allow content from all Eventbrite sites, including overseas domains." This is risky because it would also allow content from spammer sites, such as eventbrite.phishingsite.com.)
Access the Security page
- Access the Dashboard.
- Navigate to Settings > Technical > Security.
📝 NOTE: When you set and/or change any settings on this page, be sure to scroll down and click Save.
Configure the security settings as described in the sections that follow.
Leave-the-forum setting
In a Vanilla community site, all links open in the current window. Links could be to a different page in the community or to an external site (which means navigating users out of your community site). Because of this, you can:
- enable the Link Types addon to automatically open external links in a new tab and/or
- enable this "leave-the-forum" setting to notify users when a clicked link (in a post) will take them away from Vanilla.
⚠️ IMPORTANT: The "current state" (ON/OFF) of this setting is applied to posts at the time of posting and does not change. Subsequent changes to this setting do not affect existing posts.
When users click an external link in a post:
- if this feature was OFF when the post was created, users are navigated out of Vanilla to the external link without a notification.
- if this feature was ON when the post was created:
  - the current page refreshes and
  - the "leave-the-forum" message informs the users that the link will navigate them away from the community, and users can either:
    - click Back to return to the Vanilla community page or
    - click the link to continue to the external site.
📝 NOTE: Users who continue to the external site are not logged out of their current Vanilla session. (This does not affect the Session Timeout settings; the user simply loses the active tab that hosted the Vanilla community, unless the Link Types addon is enabled or they've right-clicked to open the link in a new tab/window.)
📝 NOTE: This feature does not apply to Smart Embed links. By design, Smart Embed links always open in a new tab/window.
Trusted Domain notes
- The "leave this page" message page does not open if the external link is to a Trusted Domain (described in the next section).
- This setting is enforced at the time of posting, not when the post is rendered on the site.
  - This means that if you post a link to a site that is not on the Trusted Domain list while this feature is enabled, we will re-write the link to go through our alert page.
  - If you then add the site to the Trusted Domain list, all subsequent links to the site will honor the "trusted" status and open accordingly, but the "pre-existing" posts will still go through our "leave this page" message page.
📝 NOTE: The inverse is true if you remove a site from the Trusted Domain list.
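The following is an added example, not code from the article or from Vanilla: it models the wildcard rules from Domain URLs - formatting & wildcards (eventbrite.com, eventbrite.com/events, *.eventbrite.com, *.eventbrite.*) and the posting-time link rewrite described in the Trusted Domain notes. The matching semantics (a `*` stands for any run of characters, a rule must be a bare host) and the `/leaving` interstitial path are assumptions, not Vanilla's actual implementation.

```python
import re
from urllib.parse import quote, urlsplit

def compile_domain_rule(rule: str) -> re.Pattern:
    """Turn one Trusted Domains / Content Security Domains line into a host
    regex. Assumed semantics: '*' stands for any run of characters, all
    other characters are literal, and a rule must be a bare host (no
    scheme, port or path), so 'eventbrite.com/events' is rejected."""
    rule = rule.strip().lower()
    if not rule or "/" in rule or ":" in rule:
        raise ValueError(f"not a bare domain: {rule!r}")
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.compile(rf"^{pattern}$")

def check_rule(rule: str) -> str:
    """Classify a rule: 'invalid' (not a bare host), 'overbroad' (a wildcard
    in the last label matches any top-level domain, so a look-alike domain
    registered by someone else is allowed too), or 'ok'."""
    try:
        compile_domain_rule(rule)
    except ValueError:
        return "invalid"
    if "*" in rule.strip().rsplit(".", 1)[-1]:
        return "overbroad"
    return "ok"

def host_allowed(url: str, rules: list[str]) -> bool:
    """True if the URL's host matches at least one valid rule."""
    host = (urlsplit(url).hostname or "").lower()
    for rule in rules:
        if check_rule(rule) != "invalid" and compile_domain_rule(rule).match(host):
            return True
    return False

def rewrite_external_link(url: str, trusted: list[str], leave_forum_on: bool) -> str:
    """Model the posting-time behaviour from the Trusted Domain notes: when
    the leave-the-forum setting is ON, a link to an untrusted host is
    rewritten to pass through an interstitial page; trusted hosts and the
    OFF state leave the link untouched. '/leaving' is a placeholder path."""
    if not leave_forum_on or host_allowed(url, trusted):
        return url
    return "/leaving?target=" + quote(url, safe="")

if __name__ == "__main__":
    for rule in ["eventbrite.com", "eventbrite.com/events", "*.eventbrite.com", "*.eventbrite.*"]:
        print(f"{rule:25} {check_rule(rule)}")
    print(rewrite_external_link("https://example.org/page", ["eventbrite.com"], True))
```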
Trusted Domains
A trusted domain is a domain that is known to and trusted by your Vanilla community.
✔️ TIP: Refer to Domain URLs - formatting & wildcards, above, for information on specifying valid URLs and using wildcards in this field.
- If your Vanilla community uses Rich Editor 2, users will only be able to embed iFrame content in their discussions and comments from domains you've specifically added to your trusted domains. For example, if vidyard.com is not listed here, users will not be able to iFrame Vidyard videos in discussions and comments. This is an intentional security measure that prevents users from bringing content into your Vanilla community from unapproved, and potentially unsafe, sources.
- Check out this article to learn more about iFrame embeds, including how to use them and examples of iFramed content.
- This caveat applies only to embedding iFrame content; Smart Embeds are always allowed because they are from pre-approved, "safe" sites, such as YouTube and Vimeo.
In this section, you can add any external domains that your community considers "safe." Your community users will not be notified when they click a link to a domain that is included in this list.
- Type/paste valid domain names, one per line, in the field.
📝 NOTE: The system queries this list even when the "Leave-the-forum" setting is disabled, in the event that a widget does not respect that setting.
- To learn about the Link Types addon, which automatically opens external URLs in a new browser tab, see:
Content Security Domains
You can specify a list of domains that are safe to load JavaScript from.
✔️ TIP: Refer to Domain URLs - formatting & wildcards, above, for information on specifying valid URLs and using wildcards in this field.
- Type/paste valid domain names, one per line, in the field.
HTTP Strict Transport Security (HSTS) Settings
HTTP Strict Transport Security (HSTS) protects websites against protocol-downgrade attacks by letting web servers "tell" web browsers that they should automatically interact with the site using only the more secure HTTPS connections, never plain HTTP.
This section has three settings that work independently of one another but which, when used together, offer maximum security and protection for your Vanilla community.
📝 NOTE: Under the section title, right-click and open (in a new tab) the HSTS Preload List Submission page to specify any domains you want included in Google Chrome's preload list. The page includes a link if you want to preload domains for other browsers, too.
Max Age
This specifies how long, after receiving the STS header field, the browser treats the sending host as a known HSTS Host.
- Choose an option to set the length of time.
Include Subdomains
This signals that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.
- Slide the toggle to the right to include your subdomains.
Preload
This makes it possible for website admins to have user agents (UAs, i.e. browsers) shipped by the UA vendors already pre-configured with the HSTS Policy for their sites.
- Slide the toggle to the right to enable preloading.
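As an added example (not Vanilla's code), the following builds the Strict-Transport-Security header value that the three settings above correspond to, parses it back, and checks it against the eligibility rules published at hstspreload.org (max-age of at least one year, includeSubDomains, preload). The preload toggle only helps if the header meets those rules before the domain is submitted.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

def hsts_header(max_age: int, include_subdomains: bool, preload: bool) -> str:
    """Build the Strict-Transport-Security value for the three dashboard
    settings (Max Age, Include Subdomains, Preload)."""
    if max_age < 0:
        raise ValueError("max-age must be >= 0 (0 tells browsers to forget the policy)")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)

def parse_hsts(value: str) -> dict:
    """Parse a header value back into its directives. Directive names are
    case-insensitive (RFC 6797); unknown directives are ignored."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def preload_problems(value: str) -> list[str]:
    """List why the preload list would reject this header. An empty list
    means the header itself is eligible; the site must additionally serve
    HTTPS on the base domain and redirect HTTP, which is not checked here."""
    d = parse_hsts(value)
    problems = []
    if d["max_age"] is None or d["max_age"] < ONE_YEAR:
        problems.append(f"max-age must be at least {ONE_YEAR} (one year)")
    if not d["include_subdomains"]:
        problems.append("includeSubDomains is required")
    if not d["preload"]:
        problems.append("preload token is required")
    return problems

if __name__ == "__main__":
    for header in (hsts_header(ONE_YEAR, True, True), hsts_header(3600, False, True)):
        print(header, "->", preload_problems(header) or "eligible")
```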
Logins
Use this section to manage user-session settings for your Vanilla community.
Session Timeout
You can set a timeout threshold for user sessions. If a user is signed in but inactive for the set time period, the system automatically signs out that user as a security measure.
- Click the dropdown to choose one of several timeout periods, ranging from 1 hour to 1 month.
📝 NOTE: This is applicable to the Basic and Approval registration types only. It's not applicable if you're using SSO.
Password Minimum Length
You can set the minimum number of characters that are required for user passwords in your community.
- The default is 12 characters.
Password notes
- This requirement is enforced on all password "create" and "reset" pages.
- The "strength" of user passwords in your community is determined solely by the password length because Vanilla does not require numbers or "special" characters in user passwords.
- Numbers and "special" characters are acceptable, but optional.
✔️ TIP: To learn more about Vanilla user passwords and their requirements, see Account Password Overview.
Number of Login Attempts
You can set a threshold for the maximum number of successive login attempts. A user who reaches this number of failed attempts without logging in is then locked out of their account.
- A user who gets locked out can:
  - request help from an account Admin;
  - wait the Lockout Time (described below) and then try again to log in.
- To disable this setting, specify 0.
Lockout Time (seconds)
You can set a "wait" time for account lockouts. Users who are locked out of their accounts — due to exceeding the set number of unsuccessful login attempts — have to wait <Lockout_Time_setting> before they can try to log in.
✔️ TIP: Use this in conjunction with the Number of Login Attempts setting above.
- Note that this setting is in seconds, not minutes. In the image above, 1800 seconds is set in order to achieve a half-hour lockout.
- To disable this setting, specify 0.
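The following is an added model, not Vanilla's code, of how the Number of Login Attempts and Lockout Time (seconds) settings interact: a value of 0 for either disables lockouts, and the time is in seconds (1800 for half an hour). The assumption that attempts made during a lockout do not extend it is mine; timestamps are passed in explicitly so the behaviour can be replayed.

```python
from dataclasses import dataclass, field

@dataclass
class LoginLockout:
    """Model of the Number of Login Attempts and Lockout Time settings.
    A value of 0 for either setting disables lockouts, as on the dashboard."""
    max_attempts: int = 5
    lockout_seconds: int = 1800                       # 1800 s = half an hour
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def enabled(self) -> bool:
        return self.max_attempts > 0 and self.lockout_seconds > 0

    def seconds_remaining(self, user: str, now: float) -> float:
        """Seconds the user still has to wait; 0 when not locked."""
        if not self.enabled():
            return 0.0
        return max(0.0, self.locked_until.get(user, 0) - now)

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed login; returns True if the account is (now) locked."""
        if not self.enabled():
            return False
        if self.seconds_remaining(user, now) > 0:
            return True                  # assumed: attempts during a lockout do not extend it
        count = self.failures.get(user, 0) + 1
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return True
        self.failures[user] = count
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the consecutive-failure counter."""
        self.failures.pop(user, None)

if __name__ == "__main__":
    lk = LoginLockout(max_attempts=3, lockout_seconds=1800)
    for t in (0, 1, 2):
        print(f"t={t}: locked={lk.record_failure('alice', t)}")
    print("wait", lk.seconds_remaining("alice", 100), "seconds")
```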
Anonymize IP Addresses
You can set whether users' IP addresses are "anonymized" and to what degree. When an IP address is anonymized, user privacy is more protected but some Vanilla community Admin tools become less effective.
📝 NOTE: In Vanilla, some Admin tools (ban rules, moderation, spam prevention) collect users' IP addresses in order to function as designed. IP Anonymization will reduce the effectiveness of these tools.
Vanilla offers three levels of anonymization in the dropdown:
Option | Description |
---|---|
No Anonymization | Choose this option in order to disable anonymization. |
Partial Anonymization | Anonymizes the last octet of IP addresses. Example: 254.230.05.153 is anonymized to 254.230.05.0. Effect: provides some anonymization; IP Ban rules still function. |
Full Anonymization | Anonymizes entire IP addresses. Example: 254.230.05.153 is anonymized to 0.0.0.0. Effect: provides full anonymization; IP Ban rules no longer function as intended. |
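As an added example (not Vanilla's code), the following applies the three anonymization levels to the article's sample address and shows what that does to a ban rule evaluated against the stored value. The ban-rule syntax (exact address, or a trailing `*` for a range) is an assumption for illustration, not necessarily Vanilla's.

```python
LEVELS = ("none", "partial", "full")

def anonymize_ipv4(ip: str, level: str) -> str:
    """Apply the dashboard's three anonymization levels to a dotted-quad IPv4
    address. Plain string handling is used so the article's example octet
    '05' is preserved exactly as written."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if level == "none":
        return ip.strip()
    if level == "partial":
        return ".".join(octets[:3] + ["0"])   # last octet zeroed
    if level == "full":
        return "0.0.0.0"                      # whole address zeroed
    raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")

def ban_rule_matches(rule: str, ip: str) -> bool:
    """Assumed ban-rule syntax: an exact address, or a trailing '*' that
    stands for the rest of the address, e.g. '254.230.05.*'."""
    rule = rule.strip()
    if rule.endswith("*"):
        return ip.startswith(rule[:-1])
    return ip == rule

def ban_still_works(rule: str, ip: str, level: str) -> bool:
    """Would a ban rule written for the real address still match the value
    the system stores after anonymization at the given level?"""
    return ban_rule_matches(rule, anonymize_ipv4(ip, level))

if __name__ == "__main__":
    sample = "254.230.05.153"                 # the article's example address
    for level in LEVELS:
        print(f"{level:8} stored={anonymize_ipv4(sample, level):15}"
              f" range-ban={ban_still_works('254.230.05.*', sample, level)}"
              f" exact-ban={ban_still_works(sample, sample, level)}")
```
A range rule keeps matching after partial anonymization, while an exact-address rule written against the stored value does not, and full anonymization defeats both.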
Third-party scripts
To enhance the flexibility and security of your Vanilla community when incorporating third-party content, Vanilla provides an option to conditionally include the "strict-dynamic" directive in your community's Content Security Policy (CSP).
Check out the article below to learn more.
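The following is an added example, not Vanilla's code: it composes a `script-src` directive from a Content Security Domains list and simulates how a CSP Level 3 browser treats it with and without `'strict-dynamic'`. The per-response nonce is assumed (the article does not show Vanilla's policy); the point demonstrated is that once `'strict-dynamic'` is present, browsers ignore the host list, so a script from a listed domain loads only if it carries the nonce or is inserted by a nonced script.

```python
import re

HOST_SOURCE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d+)?(?:/\S*)?")

def csp_host_source_ok(entry: str) -> bool:
    """CSP host-source syntax allows a wildcard only as a leading '*.' label,
    so '*.eventbrite.com' is usable while '*.eventbrite.*' is not."""
    return HOST_SOURCE.fullmatch(entry.strip().lower()) is not None

def host_matches(entry: str, host: str) -> bool:
    """'*.example.com' covers subdomains only; a bare host must match exactly."""
    entry, host = entry.strip().lower(), host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry

def build_script_src(domains: list[str], strict_dynamic: bool, nonce: str) -> str:
    """Compose script-src from the Content Security Domains list plus an
    assumed per-response nonce; malformed entries are dropped."""
    sources = ["'self'", f"'nonce-{nonce}'"]
    if strict_dynamic:
        sources.append("'strict-dynamic'")
    sources += [d.strip() for d in domains if csp_host_source_ok(d)]
    return "script-src " + " ".join(sources)

def script_allowed(script_host: str, has_nonce: bool, inserted_by_nonced_script: bool,
                   domains: list[str], strict_dynamic: bool) -> bool:
    """Simulate a CSP Level 3 browser: with 'strict-dynamic' present, host
    sources and 'self' are ignored, so only nonced scripts and the scripts
    they insert at runtime load. Without it, the host list decides."""
    if has_nonce:
        return True
    if strict_dynamic:
        return inserted_by_nonced_script
    return any(host_matches(d, script_host) for d in domains)

if __name__ == "__main__":
    domains = ["*.eventbrite.com", "*.eventbrite.*"]   # second entry is dropped
    for sd in (False, True):
        print(build_script_src(domains, sd, "r4nd0m"))
        print("  un-nonced cdn.eventbrite.com loads:",
              script_allowed("cdn.eventbrite.com", False, False, domains, sd))
```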