You're looking at an older version of Totara Learn.

Please see Totara 14 help for the latest version.


HTTPS encrypts the user’s login data, so it’s difficult to detect a user’s username and password on the network. You need to enable HTTPS on your server before you turn on this setting, or you will be locked out of your site.

Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.

The HTTP security page has the following options:

Setting: Use HTTPS for logins
Description: This setting allows you to use HTTPS only for logins, reverting to HTTP afterwards. This can be useful for general speed whilst ensuring secure login.
Notes: It is important to be cautious and remember that this setting requires HTTPS to be specifically enabled on the web server. If it is not, you could lock yourself out of the site.

Setting: Secure cookies only
Description: If the server accepts only HTTPS connections, it is recommended to enable sending of secure cookies. If enabled, make sure that the web server does not accept http:// connections, or set up a permanent redirection to the https:// address. When the wwwroot address does not start with https://, this setting is turned off automatically.
Notes: -

Setting: Only http cookies
Description: Enables a new PHP 5.2.0 feature. Browsers are instructed to send the cookie with real HTTP requests only; cookies should not be accessible by scripting languages. This is not supported in all browsers and may not be fully compatible with current code. It helps to prevent some types of XSS attacks.
Notes: -

Setting: Strict transport security
Description: When enabled, browsers are instructed to always use the https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings.
Notes: Please note that, if enabled, browsers will remember this setting for six months and will prevent access via http:// even if this setting is later disabled.

Setting: Secure referrers
Description: When enabled, browsers are instructed to always use the https:// protocol when accessing the server, and users cannot ignore SSL negotiation warnings.
Notes: Please note that, if enabled, browsers will remember this setting for six months and will prevent access via http:// even if this setting is later disabled. Strict transport security.

Setting: Allow frame embedding
Description: Allow embedding of this site in frames on external sites. Enabling this feature is not recommended for security reasons.
Notes: -

Setting: Permitted cross domain
Description: Allow embedding of this site in frames on external sites. Enabling this feature is not recommended for security reasons.

The available options are:

  • Default: No rules are enforced through the site settings, and the web client uses whatever default settings are configured outside the site.
  • None: Browsers are instructed to prevent embedding of content from this server in external Flash or PDF files.
  • Master-only: The policies can be defined in the main crossdomain.xml file.
Notes: -

Setting: Prevent password autocompletion on login form
Description: If set to none, browsers are instructed to prevent embedding of content from this server in external Flash or PDF files. If set to master-only, the policies can be defined in the main crossdomain.xml file.
Notes: -
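
The settings above can be verified from outside the site by inspecting the headers of an HTTPS response. The following Python check is an added example, not Totara code: it assumes each setting surfaces as the standard header or cookie attribute it tests (Strict-Transport-Security, X-Frame-Options, X-Permitted-Cross-Domain-Policies, and the Secure and HttpOnly cookie attributes), and the sample responses are constructed.

```python
# Added example, not Totara code. Assumption: each setting surfaces as the
# standard response header or cookie attribute checked below.

def hsts_max_age(headers):
    """Seconds a browser keeps the HTTPS-only rule (0 if the header is absent)."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for part in value.split(";"):
                key, _, val = part.strip().partition("=")
                if key.lower() == "max-age" and val.strip('"').isdigit():
                    return int(val.strip('"'))
    return 0

def audit_headers(headers):
    """headers: (name, value) pairs from one HTTPS response -> {check: bool}."""
    lower = [(n.lower(), v.strip()) for n, v in headers]
    cookies = [v for n, v in lower if n == "set-cookie"]

    def first(name):
        return next((v.lower() for n, v in lower if n == name), "")

    def every_cookie_has(attr):
        # An attribute counts only if every cookie in the response carries it.
        return bool(cookies) and all(
            attr in [p.strip().lower() for p in c.split(";")[1:]] for c in cookies)

    return {
        "Secure cookies only": every_cookie_has("secure"),
        "Only http cookies": every_cookie_has("httponly"),
        "Strict transport security": hsts_max_age(headers) > 0,
        "Frame embedding blocked": first("x-frame-options") in ("deny", "sameorigin"),
        "Cross domain policy restricted":
            first("x-permitted-cross-domain-policies") in ("none", "master-only"),
    }

# Constructed sample responses (not captured from a real site).
HARDENED = [
    ("Strict-Transport-Security", "max-age=15552000"),
    ("X-Frame-Options", "sameorigin"),
    ("X-Permitted-Cross-Domain-Policies", "none"),
    ("Set-Cookie", "ExampleSession=abc123; path=/; secure; HttpOnly"),
]
DEFAULT = [("Set-Cookie", "ExampleSession=abc123; path=/")]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, "- HSTS days:", hsts_max_age(sample) // 86400)
        for check, ok in audit_headers(sample).items():
            print("  ", "OK  " if ok else "MISS", check)
```

Checking the HSTS lifetime before enabling the setting shows how long browsers will keep refusing http:// access after it is switched off again.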