From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 16 Dec 2014 13:28:48 +0100
Subject: Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
---
 config/defaults.inc.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'config/defaults.inc.php')
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index e369608a2..5a5bffb5e 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -534,6 +534,28 @@ $config['email_dns_check'] = false;
 // Note: useful when SMTP server stores sent mail in user mailbox
 $config['no_save_sent_messages'] = false;
+// Improve system security by using special URL with security token.
+// This can be set to a number defining token length. Default: 16.
+// Warning: This requires http server configuration. Sample:
+// RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT]
+// Alias /roundcubemail /var/www/roundcubemail/
+// Note: Use assets_path to not prevent the browser from caching assets
+$config['use_secure_urls'] = false;
+// Allows to define separate server/path for image/js/css files
+// Warning: If the domain is different cross-domain access to some
+// resources need to be allowed
+// Sample: // // Header set Access-Control-Allow-Origin "*" //
+$config['assets_path'] = '';
+// While assets_path is for the browser, assets_dir informs
+// PHP code about the location of asset files in filesystem
+$config['assets_dir'] = '';
+
+
 // ----------------------------------
 // PLUGINS
 // ----------------------------------
-- cgit v1.2.3
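Review bot: The sample RewriteRule in the `use_secure_urls` comment hard-codes `[a-f0-9]{16}` while the sentence above it says the option may be set to any token length, so an admin who picks e.g. 32 gets a rewrite that never matches and every request is broken; the comment should say the two must move together, e.g. `// The {16} in the RewriteRule must equal the configured token length.` Because the token is carried in the URL path, it will also land in web-server access logs and, when `assets_path` points at a different host, in the Referer header the browser sends to that host; a line such as `// Note: the token is part of every URL, so it appears in server logs and in Referer headers sent to the assets host` would make that trade-off explicit for operators. The `Access-Control-Allow-Origin "*"` sample appears here with its surrounding directive lines blanked (presumably a FilesMatch wrapper lost in rendering), so as shown it reads as a site-wide wildcard; the comment should state that the header must be scoped to the static asset files (fonts/css/js) and never to the PHP endpoints. These are top-level assignments in a flat config file, so there is no enclosing function to consider.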