Added details of email expiry configuration

16/umbraco-cms/reference/configuration/globalsettings.md

@@ -39,7 +39,8 @@ The following snippet contains all the available options, with default values, a
         "DeliveryMethod": "Network",
         "PickupDirectoryLocation": "",
         "Username": "person@umbraco.dk",
-        "Password": "SuperSecretPassword"
+        "Password": "SuperSecretPassword",
+        "EmailExpiration": null,
       },
       "DatabaseServerRegistrar": {
         "WaitTimeBetweenCalls": "00:01:00",
@@ -65,99 +66,99 @@ In the root level section, that is those without a separate sub section like SMT
 
 ### Reserved urls
 
-Key: `ReservedUrls`  
+Key: `ReservedUrls`
 Type: `string` (default: `~/.well-known,`)
 
 A comma-separated list of files to be left alone by Umbraco, these files will be served, and the Umbraco request pipeline will not be triggered.
 
 ### Reserved paths
 
-Key: `ReservedPaths`  
+Key: `ReservedPaths`
 Type: `string` (default: `~/app_plugins/,~/install/,~/mini-profiler-resources/,~/umbraco/,`)
 
 A comma-separated list of all the folders in your directory to be left alone by Umbraco. If you have folders with custom files, add them to this setting to make sure Umbraco leaves them alone.
 
 {% hint style="warning" %}
-Adding additional values to the Reserves URLs and Reserved Paths will overwrite default/current values. This causes performance issues as well. 
+Adding additional values to the Reserves URLs and Reserved Paths will overwrite default/current values. This causes performance issues as well.
 {% endhint %}
 
 ### Timeout
 
-Key: `TimeOut`  
+Key: `TimeOut`
 Type: `string` (default: `00:20:00`)
 
 Configure the session timeout to determine how much time without a request being made can pass before the user is required to log in again. The session timeout format needs to be set as `HH:MM:SS`. Any activity within the backoffice will reset the timer.
 
 {% hint style="info" %}
-Long session timeouts raise data exposure and unauthorized access risks. Thus, it's vital to establish a reasonable timeout to mitigate security risks. 
+Long session timeouts raise data exposure and unauthorized access risks. Thus, it's vital to establish a reasonable timeout to mitigate security risks.
 {% endhint %}
 
 ### Default UI language
 
-Key: `DefaultUILanguage`  
+Key: `DefaultUILanguage`
 Type: `string` (default: `en-US`)
 
 The default language to use in the backoffice if a user isn't explicitly assigned one.
 
 ### Hide top level nodes from path
 
-Key: `HideTopLevelNodeFromPath`  
-Type: `bool` (default: `true`) 
+Key: `HideTopLevelNodeFromPath`
+Type: `bool` (default: `true`)
 
 If you are running multiple sites, you don't want the top level node in your URL and can disable it with this setting.
 
 ### Use https
 
-Key: `UseHttps`  
+Key: `UseHttps`
 Type: `bool` (default: `false`)
 
 Makes sure that all of the requests in the backoffice are called over HTTPS instead of HTTP when set to true.
 
 ### Version check period
 
-Key: `VersionCheckPeriod`  
+Key: `VersionCheckPeriod`
 Type: `int` (default: `7`)
 
 When this value is set above 0, the backoffice will check for a new version of Umbraco every 'x' number of days where 'x' is the value defined for this setting. Set this value to 0 to never check for a new version.
 
 ### Icons path
 
-Key: `IconsPath`  
+Key: `IconsPath`
 Type: `string` (default: `umbraco/assets/icons`)
 
 By adding this value you can specify a new/different folder for storing your icon resources. It's important to be aware of .NET Core's limitations regarding serving static file content. By default, static content will only be served from the `wwwroot` folder.
 
 ### Umbraco CSS path
 
-Key: `UmbracoCssPath`  
+Key: `UmbracoCssPath`
 Type: `string` (default: `~/css`)
 
 By adding this, you can store CSS files in a different folder and still edit them in Umbraco. .NET Core only serves static files from the `wwwroot` folder by default.  For more info see [Extending filesystem](../../extending/filesystemproviders/).
 
 ### Umbraco scripts path
 
-Key: `UmbracoScriptsPath`  
+Key: `UmbracoScriptsPath`
 Type: `string` (default: `~/scripts`)
 
 By adding this, you can store script/JavaScript files in a different folder and still edit them in Umbraco. .NET Core only serves static files from the `wwwroot` folder by default. For more info see [Extending filesystem](../../extending/filesystemproviders/).
 
 ### Umbraco media path
 
-Key: `UmbracoMediaPath`  
+Key: `UmbracoMediaPath`
 Type: `string` (default: `~/media`)
 
 By adding this, you can store media files in a different folder and still edit them in Umbraco. .NET Core only serves static files from the `wwwroot` folder by default. For more info see [Extending filesystem](../../extending/filesystemproviders/).
 
 ### Umbraco media physical root path
 
-Key: `UmbracoMediaPhysicalRootPath`  
+Key: `UmbracoMediaPhysicalRootPath`
 Type: `string` (default: `~/media`)
 
 By adding this you can specify a new/different folder for storing your media files elsewhere on the server. Unlike `UmbracoMediaPath`, this does not change the relative path that media is served from (e.g. /media) but allows for files to be stored **outside** of the wwwroot folder. Both relative paths (../../Shared/Media) and absolute server paths (X:/Shared/Media) are supported. For more info see [Extending filesystem](../../extending/filesystemproviders/).
 
 ### Install missing database
 
-Key: `InstallMissingDatabase`  
+Key: `InstallMissingDatabase`
 Type: `bool` (default: `false`)
 
 This is not a setting that commonly needs to be configured.
@@ -166,7 +167,7 @@ If enabled Umbraco will try to automatically install the database when it's miss
 
 ### Disable election for single server
 
-Key: `DisableElectionForSingleServer`  
+Key: `DisableElectionForSingleServer`
 Type: `bool` (default: `false`)
 
 This is not a setting that commonly needs to be configured.
@@ -175,7 +176,7 @@ This value is primarily used on Umbraco Cloud for a small startup performance op
 
 ### Database factory version
 
-Key: `DatabaseFactoryServerVersion`  
+Key: `DatabaseFactoryServerVersion`
 Type: `bool` (default: `false`)
 
 This is not a setting that commonly needs to be configured.
@@ -184,8 +185,8 @@ This setting is used to specify which sql server version that the database is ru
 
 ### Main dom lock
 
-Key: `MainDomLock`  
-Type: `string` 
+Key: `MainDomLock`
+Type: `string`
 
 Specifies the implementation of IMainDomLock to be used.
 
@@ -201,7 +202,7 @@ The default implementation unless configured otherwise is `FileSystemMainDomLock
 
 ### Main dom key discriminator
 
-Key: `MainDomKeyDiscriminator`  
+Key: `MainDomKeyDiscriminator`
 Type: `string`
 
 For advanced use cases e.g. deployment slot swapping on Azure app services.
@@ -220,14 +221,14 @@ It's worth noting that during the swap operation there is a period where both in
 
 ### Main dom release signal polling interval
 
-Key: `MainDomReleaseSignalPollingInterval`  
+Key: `MainDomReleaseSignalPollingInterval`
 Type: `string`
 
 Gets or sets the duration (in milliseconds) for which the MainDomLock release signal polling task should sleep. The default value is 2000ms.
 
 ### Id
 
-Key: `Id`  
+Key: `Id`
 Type: `string`
 
 This setting doesn't need to be configured.
@@ -236,7 +237,7 @@ This setting contains a unique ID used to identify your project, and is populate
 
 ### No nodes view path
 
-Key: `NoNodesViewPath`  
+Key: `NoNodesViewPath`
 Type: `string` (default: `~/umbraco/UmbracoWebsite/NoNodes.cshtml`)
 
 This setting specifies what view to render when there is no content on the site.
@@ -285,20 +286,24 @@ Specifies what delivery method should be used for emails, most of the time you'd
 
 If you're using the `"SpecifiedPickupDirectory"` option on as the delivery method, this setting allows you to specify what folder the emails should be saved to.
 
+### Email expiration
+
+If set to a TimeSpan format, this value will be used to add an `Expires` heading to emails sent from Umbraco. The configured expiry will be used unless a specific value is provided (for example, password reset and user invites have specific settings and defaults).
+
 ## Database server registrar settings
 
 It's unlikely that you will have to change these settings unless you're using a load balanced setup.
 
 ### Wait time between calls
 
-Key: `DatabaseServerRegistrar.WaitTimeBetweenCalls`  
+Key: `DatabaseServerRegistrar.WaitTimeBetweenCalls`
 Type: `string` (default: `00:01:00`)
 
 Sets a value for the amount of time to wait between calls to the database on the background thread.
 
 ### Stale server timeout
 
-Key: `DatabaseServerRegistrar.StaleServerTimeout`  
+Key: `DatabaseServerRegistrar.StaleServerTimeout`
 Type: `string` (default: `00:02:00`)
 
 Sets a value for the time span to wait before considering a server stale, after it has last been accessed.
@@ -309,36 +314,36 @@ It's unlikely that you will have change these settings, unless you're using a lo
 
 ### Max processing instruction
 
-Key: `DatabaseServerMessenger.MaxProcessingInstructionCount`  
+Key: `DatabaseServerMessenger.MaxProcessingInstructionCount`
 Type: `string` (default: `1000`)
 
 Sets a value for the maximum number of instructions that can be processed at startup; otherwise the server cold-boots (rebuilds its caches).
 
 ### Time to retain instructions
 
-Key: `DatabaseServerMessenger.TimeToRetainInstructions`  
+Key: `DatabaseServerMessenger.TimeToRetainInstructions`
 Type: `string` (default: `2.00:00:00`)
 
 Sets a value for the time to keep instructions in the database; records older than this number will be pruned.
 
 ### Time between sync operations
 
-Key: `DatabaseServerMessenger.TimeBetweenSyncOperations`  
+Key: `DatabaseServerMessenger.TimeBetweenSyncOperations`
 Type: `string` (default: `00:00:05`)
 
 Sets a value for the time to wait between each sync operation.
 
 ### Time between prune operations
 
-Key: `DatabaseServerMessenger.TimeBetweenPruneOperations`  
+Key: `DatabaseServerMessenger.TimeBetweenPruneOperations`
 Type: `string` (default: `00:01:00`)
 
 Sets a value for the time to wait between each prune operation.
 
 ### Distributed Locking Mechanism
 
-Key: `DistributedLockingMechanism`  
-Type: `string` 
+Key: `DistributedLockingMechanism`
+Type: `string`
 
 This is not a setting that commonly needs to be configured.
 
@@ -351,7 +356,7 @@ Valid values:
 
 ### Distributed Read Lock DefaultTimeout
 
-Key: `DistributedLockingReadLockDefaultTimeout`  
+Key: `DistributedLockingReadLockDefaultTimeout`
 Type: `string` (default: `00:01:00`)
 
 Gets or sets a value representing the maximum time to wait whilst attempting to obtain a distributed read lock.
@@ -360,7 +365,7 @@ The default value is 60 seconds.
 
 ### Distributed Write Lock DefaultTimeout
 
-Key: `DistributedLockingWriteLockDefaultTimeout`  
+Key: `DistributedLockingWriteLockDefaultTimeout`
 Type: `string` (default: `00:00:05`)
 
 Gets or sets a value representing the maximum time to wait whilst attempting to obtain a distributed write lock.

16/umbraco-cms/reference/configuration/securitysettings.md

@@ -43,6 +43,8 @@ A full configuration with all default values can be seen here:
       "AllowConcurrentLogins": false,
       "UserDefaultFailedLoginDurationInMilliseconds": 1000,
       "UserMinimumFailedLoginDurationInMilliseconds": 250,
+      "PasswordResetEmailExpiry": "01:00:00",
+      "UserInviteEmailExpiry": "3.00:00:00"
     }
   }
 }
@@ -106,6 +108,14 @@ Umbraco provides protection from user enumeration attacks looking to identify va
 
 The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login.
 
+### Password reset email expiry
+
+Defines the expiry for the password reset email. When the email is sent, an `Expiry` header will be added that uses the value configured here. The default value is 1 hour.
+
+### User invite email expiry
+
+Defines the expiry for the user invite email. When the email is sent, an `Expiry` header will be added that uses the value configured here. The default value is 3 days.
+
 ## User password settings
 
 This section lets you define the password rules for users.