Security & Display

You can find this section in HostBill Admin → Settings → General Settings → Other → Security & Display

Overview

The Security & Display section controls basic client login options and URL settings.

Logout inactive clients after

This option controls after how long of inactivity clients are logged out.

Logout inactive staff after

This option controls after how long of inactivity staff members are logged out. Note that this behaviour is also affected by the php.ini setting session.gc_maxlifetime.

Records to display per page

This option controls how many records are displayed per page when viewing Clients, Orders, Invoices etc. It affects both the admin area and the client area.

Password restore method

This option lets you choose the password restore method:

  • Email - sends a random password by email after the password change has been confirmed
  • Manual - asks the user to enter a new password manually after the password change has been confirmed

Captcha verify client login

You can require captcha verification each time a client attempts to log in to your client area.

Downloads extensions

This option holds the list of file extensions that the Downloads Ruleset below is applied to; it covers downloads, client files and notes uploaded in the admin portal.

Downloads Ruleset

This setting decides how the extension list above is interpreted:

  • Allow - when "allow" is selected, only extensions from the list above are allowed; all others are rejected
  • Reject - when "reject" is selected, all extensions other than those on the list above (including files with no extension) are allowed. Warning: the Reject setting is potentially dangerous if an executable or script is uploaded; use at your own risk.
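The two rulesets behave very differently on inputs the list does not name, which is what the warning above is about. The following is an added example (not HostBill code) that applies an extension list under each ruleset; the extension list is constructed for the demonstration, and case-insensitive matching of extensions is an assumption rather than documented HostBill behaviour.

```python
from pathlib import PurePosixPath

# Constructed example extension list; HostBill's default list is not reproduced here.
EXAMPLE_EXTENSIONS = {"pdf", "png", "jpg", "zip"}


def file_extension(filename: str) -> str:
    """Return the final extension in lowercase, or '' when the name has none.

    Dotfiles such as '.htaccess' and names without a dot both yield ''.
    Only the last suffix counts, so 'backup.tar.gz' yields 'gz'.
    """
    return PurePosixPath(filename).suffix[1:].lower()


def normalise(extensions) -> set:
    """Accept entries written as 'PDF', '.pdf' or 'pdf' and compare them
    case-insensitively (assumption: how the list is matched)."""
    return {e.strip().lstrip(".").lower() for e in extensions if e.strip()}


def upload_allowed(filename: str, extensions, ruleset: str) -> bool:
    """Decide whether a file name passes the configured Downloads Ruleset."""
    listed = file_extension(filename) in normalise(extensions)
    if ruleset == "allow":
        return listed        # allow-list: only listed extensions pass
    if ruleset == "reject":
        return not listed    # block-list: everything else passes, including no extension
    raise ValueError(f"unknown ruleset: {ruleset!r}")


if __name__ == "__main__":
    for name in ("invoice.pdf", "README", "notes.PHP", "tool.phtml"):
        print(name,
              "allow:", upload_allowed(name, EXAMPLE_EXTENSIONS, "allow"),
              "reject(php):", upload_allowed(name, {"php"}, "reject"))
```

Under "allow", a name with no extension or an unlisted one is rejected, so the list is the complete set of what can be stored. Under "reject", anything the list forgets to name passes, which is why the page marks that mode as risky: a reject list is only as good as its completeness.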

Multi-factor authentication

This option lets you enforce multi-factor authentication. You can choose to:

  • Enable the "Remember my device for N days" option (Remember for X days)
  • Enforce Multi-factor auth for clients
  • Enforce Multi-factor auth for staff

When enabled, all HostBill-generated and parsed links will use the HTTPS protocol.

Verify Session IP address

When enabled, the customer/admin IP address is verified against the IP address that was originally used to log in. This is intended to prevent session hijacking on servers with a weak security configuration. If your customers' IP addresses change often, they may be logged out when this option is enabled.

Verify Login CSRF

When enabled, a valid security token is required on login/logout. Enabling this option will break login from external pages and some older custom themes.

Verify Language change CSRF

When enabled, a valid security token is required on language change. Enabling this will break language changes from external pages and some older/custom themes.
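Both Verify Login CSRF and Verify Language change CSRF rely on the same mechanism: a token that is bound to the visitor's session and to one action, which a form on an external page cannot produce. The following is an added illustration of that mechanism, not HostBill's own token code; the secret key, the session identifier and the action names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-installation secret (assumption: a real deployment loads this
# from configuration, never from source code).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _mac(session_id: str, action: str, nonce: str) -> str:
    """HMAC over session, action and nonce; NUL separators avoid ambiguity."""
    message = f"{session_id}\x00{action}\x00{nonce}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str) -> str:
    """Create a token bound to this session and to one action ('login', 'language')."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, action, nonce)}"


def verify_token(token: str, session_id: str, action: str) -> bool:
    """Return True only if the token was issued for this session and this action."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time comparison so timing differences do not leak the expected MAC.
    return hmac.compare_digest(mac, _mac(session_id, action, nonce))


if __name__ == "__main__":
    token = issue_token("constructed-session-id", "login")
    print("same session, same action:", verify_token(token, "constructed-session-id", "login"))
    print("same session, other action:", verify_token(token, "constructed-session-id", "language"))
    print("other session:", verify_token(token, "other-session-id", "login"))
```

A login or language-change form rendered by HostBill itself carries a fresh token, so it verifies; a form hosted on another site, or a theme that predates the token field, submits none and is rejected. That is the breakage the two settings warn about, and it is the expected behaviour of the check rather than a fault.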

Verify Host

When enabled, the Host header is only accepted if it matches a known host (the HostBill installation address and brand URLs).

Additional Hosts

When the Verify Host option is enabled, you can specify here a comma-separated list of additional known hosts that should also be accepted.
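Verify Host and Additional Hosts together define an allow-list for the Host header. The following is an added example (not HostBill code) of how such a list is built from the installation address, brand URLs and the comma-separated Additional Hosts field, and how an incoming Host header is checked against it; all host names are constructed for the example, and the normalisation (lowercasing and dropping the port) is an assumption about how the comparison should be done rather than documented HostBill behaviour.

```python
from urllib.parse import urlparse


def hostname_of(value: str):
    """Extract a lowercase hostname from a URL, a 'host:port' pair or a bare host.

    Returns None when nothing usable is present.
    """
    value = value.strip()
    if not value:
        return None
    if "//" not in value:
        value = "//" + value              # let urlparse treat a bare host as the netloc
    try:
        return urlparse(value).hostname   # lowercased, port and brackets removed
    except ValueError:                    # e.g. an unbalanced IPv6 bracket
        return None


def known_hosts(install_url: str, brand_urls, additional_hosts: str) -> set:
    """Build the set of accepted hosts from the three sources the page names."""
    sources = [install_url, *brand_urls, *additional_hosts.split(",")]
    return {h for h in map(hostname_of, sources) if h}


def host_allowed(host_header: str, known: set) -> bool:
    """Accept the request only if the Host header names a known host exactly."""
    host = hostname_of(host_header)
    return host is not None and host in known


if __name__ == "__main__":
    # Constructed configuration values.
    known = known_hosts("https://billing.example.com/",
                        ["https://brand.example.net"],
                        "shop.example.org, portal.example.com")
    for header in ("billing.example.com", "BILLING.example.com:443", "attacker.example"):
        print(header, "->", host_allowed(header, known))
```

The comparison is an exact match on the normalised host name, so a header such as billing.example.com.attacker.example is refused even though it starts with a known host; prefix or substring matching would defeat the purpose of the check.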

Ban client IP after

You can choose to ban a client IP address after a pre-defined number of unsuccessful login attempts.

Ban admin IP after

You can choose to ban an admin IP address after a pre-defined number of unsuccessful login attempts.

Trusted proxies

If you use a load balancer, proxy, NAT, Cloudflare, etc., enter the IP addresses/subnets that your traffic is forwarded from, so that the real client IP address can be determined. The list should be comma-separated, for example: 192.168.1.10, 172.10.10.0/24
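The IP-based bans above are only as accurate as the address they key on, and behind a proxy that address comes from a forwarding header that must only be trusted when the connecting peer is on the Trusted proxies list. The following is an added example (not HostBill code) that parses the page's example list, derives the client address from X-Forwarded-For by walking it from the right and skipping trusted hops, and feeds that address into a simple failed-login counter of the kind the Ban client IP after / Ban admin IP after settings describe. The header format, the threshold and all addresses are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def parse_trusted(setting: str) -> list:
    """Parse the Trusted proxies field, e.g. '192.168.1.10, 172.10.10.0/24'."""
    return [ip_network(part.strip(), strict=False)
            for part in setting.split(",") if part.strip()]


def is_trusted(addr: str, trusted) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, forwarded_for: str, trusted) -> str:
    """Walk X-Forwarded-For from the right, skipping trusted proxies.

    Only the hop appended by a trusted proxy can be believed. If the connecting
    peer itself is not trusted, the header is ignored entirely, so a client
    cannot choose the address it is counted or banned under.
    """
    candidate = remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(candidate, trusted):
            break                    # reached the first untrusted hop
        try:
            ip_address(hop)
        except ValueError:
            break                    # malformed entry: keep the last valid hop
        candidate = hop
    return candidate


class LoginBan:
    """Count failed logins per derived client IP and ban once a threshold is hit."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.banned = set()

    def record_failure(self, ip: str) -> bool:
        """Register one failed attempt; returns True if the IP is now banned."""
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return ip in self.banned

    def is_banned(self, ip: str) -> bool:
        return ip in self.banned


if __name__ == "__main__":
    trusted = parse_trusted("192.168.1.10, 172.10.10.0/24")   # the page's example list
    ban = LoginBan(threshold=3)                                # constructed threshold
    # Constructed request: peer is the trusted proxy, header names the real client.
    ip = client_ip("192.168.1.10", "203.0.113.5", trusted)
    for _ in range(3):
        print(ip, "banned:", ban.record_failure(ip))
```

Two caveats follow from this. If the list is empty while the installation really is behind a proxy, every visitor is counted under the proxy's own address and a handful of failed logins can ban all of them at once. If the list is too broad (for example a whole public range), an attacker connecting from inside that range can set the header freely and spread attempts across many apparent addresses, so list only the addresses your proxies actually connect from.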

SEO URLs settings

You can choose which URL format should be used:

  • Default - e.g. https://yourdomain.com/index.php?/cart/
  • Basic - e.g. https://yourdomain.com/index.php/cart/
  • Advanced - e.g. https://yourdomain.com/?/cart/
  • Apache Mod Rewrite - e.g. https://yourdomain.com/cart/

Allow admin password reset

This option lets you decide whether staff members are allowed to reset their own passwords:

  • Yes, staff can reset their password on the login page
  • No, staff cannot reset their password on the login page