Security
Configuration file: Config\Security.
Table of Contents
- $allowedConnectDomains : mixed
  Allowed domains that can be loaded using script interfaces.
- $allowedDomainsLoadInFrame : mixed
  Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
- $allowedFormDomains : mixed
  Allowed domains which can be used as the target of form submissions from a given context, used in CSP.
- $allowedFrameDomains : mixed
  Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>, and validates the referer.
- $allowedImageDomains : mixed
  Allowed domains for loading images, used in CSP.
- $allowedScriptDomains : mixed
  Allowed domains for loading scripts, used in CSP.
- $apiLifetimeSessionCreate : mixed
  Maximum session lifetime from the time it was created (in minutes).
- $apiLifetimeSessionUpdate : mixed
  Maximum session lifetime since the last modification (in minutes).
- $askAdminAboutVisitPurpose : bool
- $askAdminAboutVisitSwitchUsers : bool
- $askSuperUserAboutVisitPurpose : bool
- $CACHE_LIFETIME_SENSIOLABS_SECURITY_CHECKER : mixed
  Cache lifetime for the SensioLabs security checker.
- $CACHING_PERMISSION_TO_RECORD : mixed
  Configuration of the permission mechanism on record lists.
- $CHANGE_LOGIN_PASSWORD : mixed
  Whether the user is allowed to change the login password (true/false).
- $cookieForceHttpOnly : mixed
  Force the use of https only for cookie.
- $cookieSameSite : mixed
  The SameSite cookie attribute lets a web application advise the browser that cookies should only be sent if the request originates from the site the cookie came from.
- $cspHeaderActive : mixed
  The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page.
- $cspHeaderTokenTime : mixed
  Time interval after which a new Content Security Policy nonce token is generated.
- $csrfActive : mixed
  Enable CSRF protection.
- $csrfFrameBreaker : mixed
  Enable verified frame protection, used by the CSRF protection.
- $csrfFrameBreakerWindow : mixed
  Which window should be verified? Used to check whether the system is loaded in a frame; part of the CSRF protection.
- $csrfLifetimeToken : mixed
  Default expiry time of the CSRF token in seconds.
- $EMAIL_FIELD_RESTRICTED_DOMAINS_ACTIVE : mixed
  Restricted domains allow you to block saving email addresses from a given domain in the system.
- $EMAIL_FIELD_RESTRICTED_DOMAINS_ALLOWED : mixed
  List of modules where restricted domains are enabled; if empty, they are enabled everywhere.
- $EMAIL_FIELD_RESTRICTED_DOMAINS_EXCLUDED : mixed
  List of modules excluded from restricted domains validation.
- $EMAIL_FIELD_RESTRICTED_DOMAINS_VALUES : mixed
  Restricted domains.
- $fieldsReferencesDependent : mixed
  Interdependent reference fields.
- $forceHttpsRedirection : mixed
  Force site access to always occur over SSL (https) for selected areas. You will not be able to access the selected areas over non-SSL. Note: you must have SSL enabled on your server to use this option.
- $forceUrlRedirection : mixed
  Redirect to the proper URL when a wrong URL is entered.
- $generallyAllowedDomains : mixed
  Generally allowed domains, used in CSP.
- $hpkpKeysHeader : mixed
  HTTP Public-Key-Pins (HPKP) pin-sha256 values. For HPKP to work properly, at least 2 keys are needed.
- $LOGIN_PAGE_REMEMBER_CREDENTIALS : mixed
  Remember user credentials.
- $loginSessionRegenerate : mixed
  Replace the current session ID with a newly generated one after login and logout.
- $maxLifetimeSession : mixed
  Session lifetime (in seconds).
- $maxLifetimeSessionCookie : mixed
  Specifies the lifetime, in seconds, of the cookie sent to the browser, i.e. how long someone can stay logged in. The value 0 means 'until the browser is closed'. Defaults to 0.
- $PERMITTED_BY_ADVANCED_PERMISSION : mixed
  Permitted by advanced permission.
- $PERMITTED_BY_PRIVATE_FIELD : mixed
  Permitted by private field.
- $PERMITTED_BY_RECORD_HIERARCHY : mixed
  Permitted by record hierarchy.
- $PERMITTED_BY_ROLES : mixed
  Permitted by roles.
- $PERMITTED_BY_SHARED_OWNERS : mixed
  Permitted by shared owners.
- $PERMITTED_BY_SHARING : mixed
  Permitted by sharing.
- $permittedModulesByCreatorField : mixed
  List of modules to which access is based on the record's creator field.
- $permittedWriteAccessByCreatorField : mixed
  Write access permitted based on the record's creator field.
- $proxyConnection : mixed
  Should all connections be made through a proxy?
- $proxyHost : mixed
  Proxy host.
- $proxyLogin : mixed
  Proxy login.
- $proxyPassword : mixed
  Proxy password.
- $proxyPort : mixed
  Proxy port.
- $proxyProtocol : mixed
  Proxy protocol: http, https, tcp.
- $purifierAllowedDomains : mixed
  List of allowed domains for fields with HTML support.
- $RESET_LOGIN_PASSWORD : mixed
  Whether the password can be reset while logging in (true/false).
- $SHOW_MY_PREFERENCES : mixed
  Show my preferences.
- $USER_AUTHY_MODE : mixed
  User authentication mode.
- $USER_ENCRYPT_PASSWORD_COST : mixed
  Password encrypt algorithmic cost. Numeric value; values greater than 10 are recommended.
- $verifyRefererHeader : mixed
  Verify the referer header.
- $whitelistIp2fa : mixed
  IP address whitelisting.
Properties
$allowedConnectDomains
Allowed domains that can be loaded using script interfaces.
public static mixed $allowedConnectDomains = []
CSP: connect-src.
$allowedDomainsLoadInFrame
Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
public static mixed $allowedDomainsLoadInFrame = []
CSP: frame-src.
$allowedFormDomains
Allowed domains which can be used as the target of form submissions from a given context, used in CSP.
public static mixed $allowedFormDomains = ['https://www.paypal.com']
$allowedFrameDomains
Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed> or <applet>, and validates the referer.
public static mixed $allowedFrameDomains = []
CSP: frame-ancestors.
$allowedImageDomains
Allowed domains for loading images, used in CSP.
public static mixed $allowedImageDomains = ['*.tile.openstreetmap.org']
$allowedScriptDomains
Allowed domains for loading scripts, used in CSP.
public static mixed $allowedScriptDomains = []
$apiLifetimeSessionCreate
Maximum session lifetime from the time it was created (in minutes).
public static mixed $apiLifetimeSessionCreate = 1440
$apiLifetimeSessionUpdate
Maximum session lifetime since the last modification (in minutes).
public static mixed $apiLifetimeSessionUpdate = 240
$askAdminAboutVisitPurpose
Ask admin about visit purpose.
public static bool $askAdminAboutVisitPurpose = true
$askAdminAboutVisitSwitchUsers
Ask admin about the purpose of switching users.
public static bool $askAdminAboutVisitSwitchUsers = true
$askSuperUserAboutVisitPurpose
Ask super user about visit purpose, only for the settings part.
public static bool $askSuperUserAboutVisitPurpose = true
$CACHE_LIFETIME_SENSIOLABS_SECURITY_CHECKER
Cache lifetime for the SensioLabs security checker.
public static mixed $CACHE_LIFETIME_SENSIOLABS_SECURITY_CHECKER = 3600
$CACHING_PERMISSION_TO_RECORD
Configuration of the permission mechanism on record lists.
public static mixed $CACHING_PERMISSION_TO_RECORD = false
Values:
true - Permissions based on the users column in vtiger_crmentity. Permissions are not verified in real time; they are updated via cron. We do not recommend using this option in production environments.
false - Permissions based on adding tables with permissions to the query (old mechanism).
$CHANGE_LOGIN_PASSWORD
Whether the user is allowed to change the login password (true/false).
public static mixed $CHANGE_LOGIN_PASSWORD = true
$cookieForceHttpOnly
Force the use of https only for cookie.
public static mixed $cookieForceHttpOnly = true
Values: true, false, null
$cookieSameSite
The SameSite cookie attribute lets a web application advise the browser that cookies should only be sent if the request originates from the site the cookie came from.
public static mixed $cookieSameSite = 'Strict'
Values: None, Lax, Strict
$cspHeaderActive
The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page.
public static mixed $cspHeaderActive = true
$cspHeaderTokenTime
Time interval after which a new Content Security Policy nonce token is generated.
public static mixed $cspHeaderTokenTime = '5 minutes'
$csrfActive
Enable CSRF protection.
public static mixed $csrfActive = true
$csrfFrameBreaker
Enable verified frame protection, used by the CSRF protection.
public static mixed $csrfFrameBreaker = true
$csrfFrameBreakerWindow
Which window should be verified? Used to check whether the system is loaded in a frame; part of the CSRF protection.
public static mixed $csrfFrameBreakerWindow = 'top'
$csrfLifetimeToken
Default expiry time of the CSRF token in seconds.
public static mixed $csrfLifetimeToken = 28800
$EMAIL_FIELD_RESTRICTED_DOMAINS_ACTIVE
Restricted domains allow you to block saving email addresses from a given domain in the system.
public static mixed $EMAIL_FIELD_RESTRICTED_DOMAINS_ACTIVE = false
Restricted domains work only for email address type fields.
$EMAIL_FIELD_RESTRICTED_DOMAINS_ALLOWED
List of modules where restricted domains are enabled; if empty, they are enabled everywhere.
public static mixed $EMAIL_FIELD_RESTRICTED_DOMAINS_ALLOWED = []
$EMAIL_FIELD_RESTRICTED_DOMAINS_EXCLUDED
List of modules excluded from restricted domains validation.
public static mixed $EMAIL_FIELD_RESTRICTED_DOMAINS_EXCLUDED = ['OSSEmployees', 'Users']
$EMAIL_FIELD_RESTRICTED_DOMAINS_VALUES
Restricted domains.
public static mixed $EMAIL_FIELD_RESTRICTED_DOMAINS_VALUES = []
$fieldsReferencesDependent
Interdependent reference fields.
public static mixed $fieldsReferencesDependent = false
$forceHttpsRedirection
Force site access to always occur over SSL (https) for selected areas. You will not be able to access the selected areas over non-SSL. Note: you must have SSL enabled on your server to use this option.
public static mixed $forceHttpsRedirection = false
$forceUrlRedirection
Redirect to the proper URL when a wrong URL is entered.
public static mixed $forceUrlRedirection = true
$generallyAllowedDomains
Generally allowed domains, used in CSP.
public static mixed $generallyAllowedDomains = []
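As an added example, not code from the YetiForce project: the following PHP assembles a Content-Security-Policy header from settings shaped like the CSP-related properties on this page (the directive mapping follows the "CSP: ..." notes above; the cspNonce/buildCsp functions, the session keys and the treatment of cspHeaderTokenTime as a strtotime()-style interval are assumptions of this illustration).

```php
<?php
// Added illustration, not YetiForce's own code: assemble a Content-Security-Policy
// header from values shaped like the Config\Security properties on this page.
// The directive mapping follows the "CSP: ..." notes above; the cspHeaderTokenTime
// value ('5 minutes') is assumed to be strtotime()-compatible.

/** Documented property name => CSP directive it feeds. */
const CSP_DIRECTIVES = [
    'allowedScriptDomains'      => 'script-src',
    'allowedConnectDomains'     => 'connect-src',
    'allowedDomainsLoadInFrame' => 'frame-src',
    'allowedFrameDomains'       => 'frame-ancestors',
    'allowedImageDomains'       => 'img-src',
    'allowedFormDomains'        => 'form-action',
];

/** Return the session's nonce, rotating it once the configured interval has passed. */
function cspNonce(array &$session, string $tokenTime, int $now): string
{
    if (empty($session['csp_nonce']) || $now >= $session['csp_nonce_expires']) {
        $session['csp_nonce'] = base64_encode(random_bytes(16));
        $session['csp_nonce_expires'] = strtotime('+' . $tokenTime, $now);
    }
    return $session['csp_nonce'];
}

/** Build the header value; $cfg holds arrays keyed like the config properties. */
function buildCsp(array $cfg, string $nonce): string
{
    $general = $cfg['generallyAllowedDomains'] ?? [];
    $directives = [implode(' ', array_merge(["default-src 'self'"], $general))];
    foreach (CSP_DIRECTIVES as $property => $directive) {
        $sources = ["'self'"];
        if ('frame-ancestors' !== $directive) {
            $sources = array_merge($sources, $general); // who may embed us is never "general"
        }
        $sources = array_merge($sources, $cfg[$property] ?? []);
        if ('script-src' === $directive) {
            $sources[] = "'nonce-{$nonce}'"; // inline scripts must carry this nonce
        }
        $directives[] = $directive . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $directives);
}

// Constructed sample using the defaults documented above.
$config = ['allowedImageDomains' => ['*.tile.openstreetmap.org'], 'allowedFormDomains' => ['https://www.paypal.com']];
$session = [];
$nonce = cspNonce($session, '5 minutes', time());
echo 'Content-Security-Policy: ', buildCsp($config, $nonce), PHP_EOL;
```

With the documented defaults this yields a policy whose img-src admits *.tile.openstreetmap.org and whose form-action admits https://www.paypal.com, while every other directive is restricted to 'self' plus the nonce for scripts.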
$hpkpKeysHeader
HTTP Public-Key-Pins (HPKP) pin-sha256 values. For HPKP to work properly, at least 2 keys are needed.
public static mixed $hpkpKeysHeader = []
See https://scotthelme.co.uk/hpkp-http-public-key-pinning/ and https://sekurak.pl/mechanizm-http-public-key-pinning/.
$LOGIN_PAGE_REMEMBER_CREDENTIALS
Remember user credentials.
public static mixed $LOGIN_PAGE_REMEMBER_CREDENTIALS = false
$loginSessionRegenerate
Replace the current session ID with a newly generated one after login and logout.
public static mixed $loginSessionRegenerate = true
$maxLifetimeSession
Session lifetime (in seconds).
public static mixed $maxLifetimeSession = 900
$maxLifetimeSessionCookie
Specifies the lifetime, in seconds, of the cookie sent to the browser, i.e. how long someone can stay logged in. The value 0 means 'until the browser is closed'. Defaults to 0.
public static mixed $maxLifetimeSessionCookie = 0
$PERMITTED_BY_ADVANCED_PERMISSION
Permitted by advanced permission.
public static mixed $PERMITTED_BY_ADVANCED_PERMISSION = true
$PERMITTED_BY_PRIVATE_FIELD
Permitted by private field.
public static mixed $PERMITTED_BY_PRIVATE_FIELD = true
$PERMITTED_BY_RECORD_HIERARCHY
Permitted by record hierarchy.
public static mixed $PERMITTED_BY_RECORD_HIERARCHY = true
$PERMITTED_BY_ROLES
Permitted by roles.
public static mixed $PERMITTED_BY_ROLES = true
$PERMITTED_BY_SHARED_OWNERS
Permitted by shared owners.
public static mixed $PERMITTED_BY_SHARED_OWNERS = true
$PERMITTED_BY_SHARING
Permitted by sharing.
public static mixed $PERMITTED_BY_SHARING = true
$permittedModulesByCreatorField
List of modules to which access is based on the record's creator field.
public static mixed $permittedModulesByCreatorField = []
$permittedWriteAccessByCreatorField
Write access permitted based on the record's creator field.
public static mixed $permittedWriteAccessByCreatorField = false
$proxyConnection
Should all connections be made through a proxy?
public static mixed $proxyConnection = false
$proxyHost
Proxy host.
public static mixed $proxyHost = ''
$proxyLogin
Proxy login.
public static mixed $proxyLogin = ''
$proxyPassword
Proxy password.
public static mixed $proxyPassword = ''
$proxyPort
Proxy port.
public static mixed $proxyPort = 0
$proxyProtocol
Proxy protocol: http, https, tcp.
public static mixed $proxyProtocol = ''
$purifierAllowedDomains
List of allowed domains for fields with HTML support.
public static mixed $purifierAllowedDomains = []
$RESET_LOGIN_PASSWORD
Whether the password can be reset while logging in (true/false).
public static mixed $RESET_LOGIN_PASSWORD = false
$SHOW_MY_PREFERENCES
Show my preferences.
public static mixed $SHOW_MY_PREFERENCES = true
$USER_AUTHY_MODE
User authentication mode.
public static mixed $USER_AUTHY_MODE = 'TOTP_OPTIONAL'
$USER_ENCRYPT_PASSWORD_COST
Password encrypt algorithmic cost. Numeric value; values greater than 10 are recommended.
public static mixed $USER_ENCRYPT_PASSWORD_COST = 10
The greater the value, the longer it takes to encrypt the password.
$verifyRefererHeader
Verify the referer header.
public static mixed $verifyRefererHeader = true
$whitelistIp2fa
IP address whitelisting.
public static mixed $whitelistIp2fa = []
Allow access without 2FA.