Security Settings
The security settings within BranchCMS let you configure link security, password protect all pages and enable https site-wide.
To get to the security settings, go to Settings and then Security.
Link Security
Add rel="noopener noreferrer" to links that open in a new window/tab (i.e. target="_blank")
Adds "noopener noreferrer" to the rel attribute value for the link if the target attribute is "_blank". This affects navigation links and content passed through the text2html filter. See Rich Text Editor settings to configure how links within the editor are handled.
This is a security feature that prevents the target="_blank" vulnerability. It is strongly recommended to leave this set to "Yes".
If the URL for the link is to content within your website then the "noopener noreferrer" values will not be added to the link.
Note that best practices are to not force links to open in a new window/tab.
The target="_blank" vulnerability has also been called Tabnabbing. It occurs when the page opened in the new tab is controlled by an attacker and uses window.opener.location.assign() to replace the original tab, now in the background, with a malicious document.
When the rel attribute contains noopener, the new page cannot access your window object via window.opener. Internet Explorer and some other older browsers don't support rel="noopener", so you also need noreferrer, i.e. rel="noopener noreferrer". The "noreferrer" value for the rel attribute tells the browser not to send any referrer information when the link is followed.
The noopener and noreferrer values do not affect SEO. The noreferrer value can affect analytics, which is why BranchCMS does not add that value to links within the same website.
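To check rendered pages against the rule described above, the following added example (not BranchCMS code) lists off-site target="_blank" links whose rel attribute lacks noopener or noreferrer. It assumes "within your website" means the same hostname; the sample markup and the example.com / example.net hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REQUIRED = {"noopener", "noreferrer"}

class BlankTargetAudit(HTMLParser):
    """Records off-site target="_blank" links whose rel lacks a required token."""

    def __init__(self, site_url):
        super().__init__()
        self.site_url = site_url
        self.site_host = urlsplit(site_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        first = {}
        for name, value in attrs:  # browsers keep the first duplicate attribute
            first.setdefault(name, value or "")
        if first.get("target", "").lower() != "_blank":
            return
        href = first.get("href", "")
        # urljoin resolves relative and protocol-relative (//host/path) URLs
        dest = urlsplit(urljoin(self.site_url, href))
        if dest.scheme not in ("http", "https"):
            return  # mailto:, tel: and similar do not load a web page
        if dest.hostname == self.site_host:
            return  # assumption: same hostname counts as "within your website"
        missing = REQUIRED - set(first.get("rel", "").lower().split())
        if missing:
            self.findings.append((href, sorted(missing)))

def audit(html, site_url):
    """Return [(href, [missing rel tokens])] for one HTML document."""
    parser = BlankTargetAudit(site_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; www.example.com stands in for the site's own host.
SAMPLE = """
<a href="/about" target="_blank">internal, relative</a>
<a href="https://www.example.com/contact" target="_blank">internal, absolute</a>
<a href="https://other.example.net/" target="_blank">external, no rel</a>
<a href="https://other.example.net/a" target="_BLANK" rel="nofollow noopener">partial</a>
<a href="https://other.example.net/b" target="_blank" rel="noopener noreferrer">ok</a>
"""
if __name__ == "__main__":
    for href, missing in audit(SAMPLE, "https://www.example.com/"):
        print(f"{href}: rel is missing {' '.join(missing)}")
```

An empty result for a page means every off-site link that opens in a new tab already carries both values.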
Below are some resources to learn more about the target="_blank" vulnerability.
- About rel=noopener - what problems does it solve - a good explanation of the vulnerability and what can be done about it.
- The performance benefits of rel=noopener
- The target="_blank" vulnerability by example
- What is the difference between "nofollow" and "noreferrer" link from SEO perspective?
- Performance and security of target=_blank links with rel=noopener
Password Protection
Entire public site is password protected
If this is set to "Yes" then the entire website will be password protected and visitors will have to log into the website in order to view any content.
SSL Certificates
Use the SSL settings if you have an SSL certificate configured for your website.
If you have an SSL certificate set up on your website then set the My site supports SSL setting to Yes. Once you make that change, more settings will show up to allow you to configure how the SSL certificate is applied to the website.
Set Entire public site is secure to force all pages on your website to use https.
Set Entire administration is secure to force the entire administration to use https.