Additional WebClient! Settings
This section allows an administrator to fine-tune rate-limiting settings and configure different rate limits for Global, UI, API, and public resources.
In addition, several advanced security settings are grouped behind an optional "Enable" toggle switch. Each setting is explained below:
Allowed Hosts: A list of hosts, written as https://host_name or https://host_name:port, that this virtual site's WebClient! is allowed to be served on. This helps prevent host header attacks and restricts the domains from which the WebClient! can be accessed.
SSL Redirect: When enabled, the WebClient! protocol handler automatically redirects all non-SSL (HTTP) requests to their equivalent TLS-enabled (HTTPS) URL, ensuring all traffic is encrypted.
STS Seconds: Sets the duration (in seconds) for which browsers should enforce HTTPS-only access to your site, via the HTTP Strict Transport Security (HSTS) header. This is a critical security feature to prevent downgrade attacks.
NOTE
Learn more: RFC 6797 - HTTP Strict Transport Security (HSTS)
STS Preload: When enabled, signals browsers to include your site in their HSTS preload lists, making it even harder for users to access your site insecurely.
NOTE
For details, see the HSTS Preload List Submission Guide.
STS Include Subdomains: When enabled, applies HSTS protection to all subdomains of your site, not just the main domain.
Frame Deny: When enabled, prevents your site from being embedded in an iframe, protecting against clickjacking attacks. Unlocks the Custom Frame Options field for advanced configuration.
Content-Type No-Sniff: Instructs browsers not to try to guess ("sniff") the MIME type of content, reducing the risk of drive-by downloads and content-type confusion attacks.
Browser XSS Filter: Enables the browser's built-in cross-site scripting (XSS) filter, helping to block some types of XSS attacks.
NOTE
XSS is a major web security risk. Admins should understand XSS and how to mitigate it. See the OWASP XSS Guide.
Content Security Policy (CSP): Allows you to define a Content Security Policy header, which restricts the sources from which content (scripts, styles, images, etc.) can be loaded. CSP is a powerful defense against XSS and other injection attacks.
NOTE
Mastering CSP is essential for modern web security. See the MDN CSP documentation and the CSP Specification.
Referrer Policy: Controls how much referrer information is sent with requests from your site. The default, strict-origin-when-cross-origin, is a good balance of privacy and compatibility.
NOTE
See the MDN Referrer Policy documentation.
Feature Policy: Allows you to control which browser features (like geolocation, camera, microphone, etc.) are available to your site. Now standardized as Permissions Policy.
Don't Redirect IPv4 Host Names: When enabled, prevents the server from redirecting requests made directly to IPv4 addresses, which can be useful in certain network configurations or for troubleshooting.
TIP
The settings described on this page assume a solid understanding of modern web security concepts and standards. If you are not already familiar with these topics, we strongly recommend consulting the linked references and industry best practices before making changes.
Custom Response Headers
The Custom Headers tab lets you define additional HTTP response headers that are injected into every response served by the WebClient! for this virtual site. Changes take effect immediately without a server restart.
Use this feature to:
- Add cache-control directives (e.g. Cache-Control: no-cache, no-store, must-revalidate)
- Set custom branding or environment labels (e.g. X-Environment: production)
- Fulfill compliance requirements that mandate the presence of specific response headers
Adding a Header
Click Add New, enter the header name and its value in the dialog, then click Add Header. The header is saved immediately.
Deleting a Header
Click the trash icon next to any header row and confirm the deletion in the prompt.
CAUTION
Custom headers are injected into every response for this virtual site. Avoid duplicating or overriding headers that are already managed automatically by Syncplify Server! (such as Content-Type, Date, or security headers already controlled by the Additional Security tab). Doing so may cause unexpected behavior for WebClient! users.
NOTE
Header names are validated against RFC 7230 token rules, and values containing line-break characters (CR, LF) are automatically rejected. This prevents HTTP response splitting vulnerabilities.
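As an added example that is not the product's own code, the Go snippet below shows how the STS Seconds, STS Preload and STS Include Subdomains settings above combine into a single Strict-Transport-Security header value, and how the header-name and CR/LF validation described in this note can be implemented; the function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// HSTSHeader builds the Strict-Transport-Security value browsers receive from
// the STS Seconds, STS Include Subdomains and STS Preload settings. It returns
// "" when seconds is zero (no HSTS header). Note that the preload list also
// requires includeSubDomains and a max-age of at least 31536000 (one year).
func HSTSHeader(seconds int, includeSubdomains, preload bool) string {
	if seconds <= 0 {
		return ""
	}
	v := fmt.Sprintf("max-age=%d", seconds)
	if includeSubdomains {
		v += "; includeSubDomains"
	}
	if preload {
		v += "; preload"
	}
	return v
}

// isTchar reports whether c is an RFC 7230 "tchar", i.e. a byte allowed in a token.
func isTchar(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
		strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidateCustomHeader applies the rules from the note above: the name must be a
// non-empty RFC 7230 token and the value must not contain CR or LF (the check
// that blocks HTTP response splitting). It returns "" when the header is valid.
func ValidateCustomHeader(name, value string) string {
	if name == "" {
		return "header name is empty"
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return fmt.Sprintf("invalid character %q in header name", name[i])
		}
	}
	if strings.ContainsAny(value, "\r\n") {
		return "header value contains CR or LF"
	}
	return ""
}
```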
WARNING
Many of these settings are critical for web security. Syncplify Server! administrators should master the concepts of HSTS, XSS filtering, and Content Security Policy (CSP) to ensure robust protection for their users and data.
