<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "Admin_Guide.ent">
]>
<section id="admin.config.webserver">
<title>Webserver</title>
<variablelist>
<varlistentry>
<term>$g_session_save_path</term>
<listitem>
<para>Directory in which PHP session files are stored.
The default is <emphasis>false</emphasis>, meaning
the session handler's default location is used.
If you set a path, it must be writable by the web server
user, and it should not be shared with other PHP applications
on the same host, since session files are readable by any
process running as that user.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_session_validation</term>
<listitem>
<para>Use session validation (defaults to <emphasis>ON</emphasis>).
</para>
<warning>
<para>Disabling this is a potential security risk!
</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_form_security_validation</term>
<listitem>
<para>Form security validation, defaults to <emphasis>ON</emphasis>.
This protects against <ulink url="http://en.wikipedia.org/wiki/Cross-site_request_forgery">
Cross-Site Request Forgery</ulink>.
Some caching proxy servers do not work correctly with this
option enabled, because they serve cached copies of pages.
</para>
<warning>
<para>Disabling this option is a security risk;
it is strongly recommended to leave it ON.
</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_custom_headers</term>
<listitem>
<para>An array of custom headers to be sent with each page.
</para>
<para>For example, to allow your MantisBT installation to be
viewed in a frame in IE6 when the frameset is not at the
same hostname as the MantisBT install, you need to add a
P3P header. You could try something like
<programlisting>
$g_custom_headers = array( 'P3P: CP="CUR ADM"' );
</programlisting>
in your config file, but make sure that the policy you send
actually matches what you are promising. See
<ulink url="http://msdn.microsoft.com/en-us/library/ms537343.aspx">
MSDN</ulink> for more information.
</para>
<para>Even though it is not recommended, you could also use
this setting to disable previously sent headers. For example,
assuming you didn't want to benefit from Content Security
Policy (CSP), you could set:
<programlisting>
$g_custom_headers = array( 'Content-Security-Policy:' );
</programlisting>
</para>
<warning>
<para>Disabling CSP is a security risk, it is strongly
recommended that you leave it as Mantis defines it.
</para>
</warning>
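<para>The following is an added example, not code from MantisBT or
from this guide: a small PHP script that audits a candidate
$g_custom_headers array before it goes into config_inc.php. It
assumes each entry is handed to PHP's header() unchanged, which is
why an entry with an empty value overrides a header the application
already sent, and the list of protective headers and the sample
configurations are this example's own choice. It flags entries that
blank a protective header, entries that are not of the form
"Name: value", and values containing CR or LF, which header()
refuses and therefore silently drops.
</para>
<programlisting><![CDATA[
```php
<?php
// Added example, not MantisBT code: audit a candidate $g_custom_headers
// array before placing it in config_inc.php. Assumes each entry is passed
// to PHP's header() unchanged, so "Name:" with an empty value replaces a
// header the application already sent (the CSP override the guide warns about).

// Headers whose blanking weakens the deployment. The list is this example's
// choice; MantisBT itself sends at least Content-Security-Policy.
const PROTECTIVE_HEADERS = [
    'content-security-policy',
    'x-frame-options',
    'x-content-type-options',
    'strict-transport-security',
];

/**
 * Returns a list of human-readable problems; an empty array means clean.
 */
function audit_custom_headers(array $headers): array
{
    $problems = [];
    foreach ($headers as $i => $line) {
        // Only spaces/tabs may follow the colon: matching \s here would let
        // a CR/LF placed right after "Name:" slip into the value unnoticed.
        if (!is_string($line) || !preg_match('/^([A-Za-z0-9-]+):[ \t]*(.*)$/s', $line, $m)) {
            $problems[] = "entry $i is not a 'Name: value' header: " . var_export($line, true);
            continue;
        }
        $name  = $m[1];
        $value = $m[2];
        if (preg_match('/[\r\n]/', $value)) {
            // PHP's header() refuses such lines, so the header is silently lost.
            $problems[] = "entry $i contains CR/LF (header injection): $name";
        }
        if ($value === '' && in_array(strtolower($name), PROTECTIVE_HEADERS, true)) {
            $problems[] = "entry $i blanks $name, overriding the copy the application sends";
        }
    }
    return $problems;
}

// Constructed sample configurations (not taken from any real install).
$recommended = [
    'X-Content-Type-Options: nosniff',
    'Referrer-Policy: same-origin',
    // Only meaningful when MantisBT is served over HTTPS.
    'Strict-Transport-Security: max-age=31536000',
];
$discouraged = [
    'Content-Security-Policy:',                     // disables CSP
    "X-Frame-Options: DENY\r\nSet-Cookie: x=1",     // CR/LF inside a value
    'not a header at all',                          // malformed entry
];

foreach (['recommended' => $recommended, 'discouraged' => $discouraged] as $label => $cfg) {
    $problems = audit_custom_headers($cfg);
    echo $label, ': ', $problems ? "\n  " . implode("\n  ", $problems) : 'OK', "\n";
}
```
]]></programlisting>
<para>Run it with the PHP CLI against the array you intend to
configure; the "recommended" sample reports OK, the "discouraged"
sample reports one problem per entry. Adding headers such as
Strict-Transport-Security only helps when the site is served
over HTTPS, and none of them replaces the CSP that MantisBT
already defines.
</para>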
</listitem>
</varlistentry>
</variablelist>
</section>