Security settings
Allow persistent logins:
Determines whether users can autologin when they visit the board.
Yes No
Persistent login key expiration length (in days):
Number of days after which persistent login keys are removed or zero to disable.
0 Days
Session IP validation:
Determines how much of the users IP is used to validate a session; All compares the complete address, A.B.C the first x.x.x, A.B the first x.x, None disables checking. On IPv6 addresses A.B.C compares the first 4 blocks and A.B the first 3 blocks.
All A.B.C A.B None
Validate browser:
Enables browser validation for each session improving security.
Yes No
Validate X_FORWARDED_FOR header:
Sessions will only be continued if the sent X_FORWARDED_FOR header equals the one sent with the previous request. Bans will be checked against IPs in X_FORWARDED_FOR too.
Yes No
Validate Referer:
If enabled, the referer of POST requests will be checked against the host/script path settings. This may cause issues with boards using several domains and or external logins.
Also validate path
Only validate host None
Check IP against DNS Blackhole List:
If enabled the user’s IP address is checked against the following DNSBL services on registration and posting: spamcop.net and
http://www.spamhaus.org. This lookup may take a while, depending on the server’s configuration. If slowdowns are experienced or too many false positives reported it is recommended to disable this check.
Yes
NoCheck e-mail domain for valid MX record:
If enabled, the e-mail domain provided on registration and profile changes is checked for a valid MX record.
Yes No
Password length:
Minimum and maximum number of characters in passwords.
6 Min 100 Max
Password complexity:
Determines how complex a password needs to be when set or altered, subsequent options include the previous ones.
No requirements
Force password change:
Require user to change their password after a set number of days. Setting this value to 0 disables this behaviour.
0 Days
Maximum number of login attempts per username:
The number of login attempts allowed for a single account before the anti-spambot task is triggered. Enter 0 to prevent the anti-spambot task from being triggered for distinct user accounts.
3
Maximum number of login attempts per IP address:
The threshold of login attempts allowed from a single IP address before an anti-spambot task is triggered. Enter 0 to prevent the anti-spambot task from being triggered by IP addresses.
50
IP address login attempt expiration time:
Login attempts expire after this period.
21600 Seconds
Limit login attempts by X_FORWARDED_FOR header:
Instead of limiting login attempts by IP address they are limited by X_FORWARDED_FOR values.
Warning: Only enable this if you are operating a proxy server that sets X_FORWARDED_FOR to trustworthy values.
Yes
NoAllow php in templates:
If this option is enabled, PHP and INCLUDEPHP statements will be recognised and parsed in templates.
Yes
NoMaximum time to submit forms:
The time a user has to submit a form. Use -1 to disable. Note that a form might become invalid if the session expires, regardless of this setting.
7200 Seconds
Tie forms to guest sessions:
If enabled, the form token issued to guests will be session-exclusive. This can cause problems with some ISPs.
Yes No