Security & Display
You can find this section in HostBill Admin → Settings → General Settings → Other → Security & Display
Logout inactive clients after
This option controls when to log out inactive clients.
Logout inactive staff after
This option controls when to log out inactive staff members. Note that this behaviour is also affected by the php.ini setting session.gc_maxlifetime.
Records to display per page
This option controls how many records are displayed when viewing Clients, Orders, Invoices etc. It affects both the admin and client areas.
Password restore method
This option lets you choose the password restore method:
- Email - send a random password by email after the password change is confirmed
- Manual - ask the user to enter a new password manually after the password change is confirmed
Captcha verify client login
You can enable captcha verification each time a client attempts to log in to your client area.
Downloads extensions
This option lets you list the file extensions for downloads, client files and notes in the admin portal.
Downloads Ruleset
In this section there are two options available:
- Allow - when "allow" is selected, all extensions from the list above are allowed and all others are rejected
- Reject - when "reject" is selected, all extensions other than those from the list above (including files with no extension) are allowed. Warning: the Reject setting is potentially dangerous if an executable or script is uploaded; use at your own risk.
Multi-factor authentication
This option lets you enforce multi-factor authentication. You can choose to:
- Enable "Remember my device for N days" option. Remember for X days
- Enforce Multi-factor auth for clients
- Enforce Multi-factor auth for staff
Force HTTPS in links
When enabled, all links generated or parsed by HostBill will use the HTTPS protocol.
Verify Session IP address
When enabled, the customer/admin IP is verified against the original IP that was used to log in. This helps prevent hijacking of session data on servers with a weak security configuration. If your customers' IPs change often, they may be logged out while this option is enabled.
Verify Login CSRF
When enabled, a valid security token is required on login/logout. Enabling this option will break login from external pages and some older custom themes.
Verify Language change CSRF
When enabled, a valid security token is required on language change. Enabling this will break language changes from external pages and some older/custom themes.
Verify Host
When enabled, the Host header is accepted only if it matches a known host (the HostBill installation address and brand URLs).
Additional Hosts
When the Verify Host option is enabled, you can specify here a comma-separated list of additional known hosts that should be accepted.
Ban client IP after
You can decide to ban a client IP address after a pre-defined number of unsuccessful login attempts.
Ban admin IP after
You can decide to ban an admin IP address after a pre-defined number of unsuccessful login attempts.
Trusted proxies
If you use a load balancer, proxy, NAT, Cloudflare etc., enter the IP addresses/subnets that your traffic is forwarded from so that the real client IP address can be determined. The list should be separated by commas, for example: 192.168.1.10, 172.10.10.0/24
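How a trusted-proxy list is commonly used to resolve the real client address, shown as an added example that is not HostBill's own code. The X-Forwarded-For header and all function names are assumptions; the proxy list is the sample value from the description above and the request values are constructed.

```python
import ipaddress

# Sample list from the setting description above.
TRUSTED_PROXIES = "192.168.1.10, 172.10.10.0/24"


def parse_trusted(setting):
    """Parse the comma-separated setting into network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in setting.split(",") if item.strip()]


def is_trusted(addr, networks):
    """True only if addr is a valid IP inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # a malformed value is never trusted
    return any(ip in net for net in networks)


def real_client_ip(peer_addr, forwarded_for, networks):
    """Pick the address to use for IP bans and session IP checks.

    peer_addr: address of the TCP peer that connected to the web server.
    forwarded_for: raw X-Forwarded-For value, or None (assumed header).
    """
    # An untrusted peer can put anything in the header, so ignore it.
    if not forwarded_for or not is_trusted(peer_addr, networks):
        return peer_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # Walk right to left: each trusted proxy appended the hop it saw, so
    # the first hop that is not a trusted proxy is the real client.
    for hop in reversed(hops):
        if is_trusted(hop, networks):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # garbage in the chain: fall back to the peer
        return hop
    # Every hop is a trusted proxy: use the left-most entry, or the peer.
    return hops[0] if hops else peer_addr


if __name__ == "__main__":
    nets = parse_trusted(TRUSTED_PROXIES)
    # Constructed request: the client forged the first entry of the chain.
    print(real_client_ip("172.10.10.5", "10.0.0.1, 198.51.100.9, 192.168.1.10", nets))
```

If the list is left empty while the site sits behind a proxy, every request resolves to the proxy's address, so a single IP ban or session IP check applies to all visitors at once.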
SEO URLs settings
You can choose which URL format should be used:
- Default - eg.: https://yourdomain.com/index.php?/cart/
- Basic - eg.: https://yourdomain.com/index.php/cart/
- Advanced - eg.: https://yourdomain.com/?/cart/
- Apache Mod Rewrite - eg.: https://yourdomain.com/cart/
Allow admin password reset
This option lets you decide whether staff are allowed to reset their passwords:
- Yes, staff can reset password on login page
- No, staff cannot reset their passwords on login page