Additional WebClient! Settings
This section allows an administrator to fine-tune rate-limiting settings and configure different rate limits for Global, UI, API, and public resources.
In addition, several advanced security settings are grouped behind an optional "Enable" toggle switch. Each setting is explained below:
- Allowed Hosts: A list of hosts, written as https://host_name or https://host_name:port, that this virtual site's WebClient! is allowed to be served on. This helps prevent host header attacks and restricts the domains from which the WebClient! can be accessed.
- SSL Redirect: When enabled, the WebClient! protocol handler will automatically redirect all non-SSL (HTTP) requests to their equivalent TLS-enabled (HTTPS) URL, ensuring all traffic is encrypted.
- STS Seconds: Sets the duration (in seconds) for which browsers should enforce HTTPS-only access to your site, via the HTTP Strict Transport Security (HSTS) header. This is a critical security feature to prevent downgrade attacks.
NOTE
Learn more: RFC 6797 - HTTP Strict Transport Security (HSTS)
- STS Preload: When enabled, signals browsers to include your site in their HSTS preload lists, making it even harder for users to access your site insecurely.
NOTE
For details, see the HSTS Preload List Submission Guide.
- STS Include Subdomains: When enabled, applies HSTS protection to all subdomains of your site, not just the main domain.
- Frame Deny: When enabled, prevents your site from being embedded in an iframe, protecting against clickjacking attacks. Unlocks the Custom Frame Options field for advanced configuration.
- Content-Type No-Sniff: Instructs browsers not to try to guess ("sniff") the MIME type of content, reducing the risk of drive-by downloads and content-type confusion attacks.
- Browser XSS Filter: Enables the browser's built-in cross-site scripting (XSS) filter, helping to block some types of XSS attacks.
NOTE
XSS is a major web security risk. Admins should understand XSS and how to mitigate it. See the OWASP XSS Guide.
- Content Security Policy (CSP): Allows you to define a Content Security Policy header, which restricts the sources from which content (scripts, styles, images, etc.) can be loaded. CSP is a powerful defense against XSS and other injection attacks.
NOTE
Mastering CSP is essential for modern web security. See the MDN CSP documentation and the CSP Specification.
- Referrer Policy: Controls how much referrer information is sent with requests from your site. The default, strict-origin-when-cross-origin, is a good balance of privacy and compatibility.
NOTE
See the MDN Referrer Policy documentation.
- Feature Policy: Allows you to control which browser features (like geolocation, camera, microphone, etc.) are available to your site. Now standardized as Permissions Policy.
- Don't Redirect IPv4 Host Names: When enabled, prevents the server from redirecting requests made directly to IPv4 addresses, which can be useful in certain network configurations or for troubleshooting.
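After enabling these settings, a practical way to confirm they take effect is to check how a request's Host header is matched against the Allowed Hosts list and to audit the response headers the WebClient! actually sends. The following Python check is an added example, not part of the Syncplify documentation or product; the host names and header values are constructed, and the one-year max-age plus includeSubDomains requirement for preload is the HSTS preload list's own submission rule.

```python
from urllib.parse import urlsplit
ONE_YEAR = 31536000  # minimum max-age the HSTS preload list requires for submission
# Constructed sample Allowed Hosts list, in the https://host_name[:port] form described above.
ALLOWED_HOSTS = ["https://files.example.com", "https://files.example.com:8443"]

def host_allowed(request_host, allowed=ALLOWED_HOSTS):
    """True if a request's Host header matches an Allowed Hosts entry (no port means 443)."""
    wanted = {(urlsplit(e).hostname.lower(), urlsplit(e).port or 443) for e in allowed}
    name, sep, port = request_host.partition(":")
    return (name.lower(), int(port) if sep else 443) in wanted

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            out["max-age"] = int(val.strip().strip('"'))
        elif key in ("includesubdomains", "preload"):
            out["includeSubDomains" if key == "includesubdomains" else "preload"] = True
    return out

def audit_headers(headers):
    """Return findings for response headers that do not reflect the hardened settings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header missing (STS Seconds not set)")
    else:
        p = parse_hsts(h["strict-transport-security"])
        if (p["max-age"] or 0) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
        if p["preload"] and not (p["includeSubDomains"] and (p["max-age"] or 0) >= ONE_YEAR):
            findings.append("preload set without includeSubDomains and a one-year max-age")
    expected = [("x-frame-options", ("DENY", "SAMEORIGIN"), "Frame Deny not in effect (X-Frame-Options)"),  # case-insensitive
                ("x-content-type-options", ("NOSNIFF",), "X-Content-Type-Options is not nosniff"),
                ("referrer-policy", ("STRICT-ORIGIN-WHEN-CROSS-ORIGIN",), "Referrer-Policy is not the default")]
    for name, ok, msg in expected:
        if h.get(name, "").upper() not in ok:
            findings.append(msg)
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header missing")
    return findings

# Constructed sample responses: one fully hardened, one with weak settings.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self'",
        "Referrer-Policy": "strict-origin-when-cross-origin"}
WEAK = {"Strict-Transport-Security": "max-age=300; preload", "X-Frame-Options": "DENY"}
```

Running `audit_headers(GOOD)` returns an empty list, while `audit_headers(WEAK)` reports the short max-age, the unmet preload requirement, and the missing nosniff, Referrer-Policy and CSP headers.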
TIP
The settings described on this page assume a solid understanding of modern web security concepts and standards. If you are not already familiar with these topics, we strongly recommend consulting the linked references and industry best practices before making changes.
WARNING
Many of these settings are critical for web security. Syncplify Server! administrators should master the concepts of HSTS, XSS filtering, and Content Security Policy (CSP) to ensure robust protection for their users and data.
