To get to the security settings go to Settings and then Security.
Add rel="noopener noreferrer" to links that open in a new window/tab (i.e. target="_blank")
Adds "noopener noreferrer" to the rel attribute value for the link if the target attribute is "_blank". This affects navigation links and content passed through the text2html filter. See Rich Text Editor settings to configure how links within the editor are handled.
This is a security feature that prevents the target="_blank" vulnerability. It is strongly recommended to leave this set to "Yes".
If the URL for the link is to content within your website then the "noopener noreferrer" values will not be added to the link.
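The rule described above, written out as an added example (this is not the CMS's own code). The names `SITE_ORIGIN`, `isInternal` and `hardenedRel` are hypothetical, and treating "content within your website" as a same-origin check is an assumption.

```javascript
// Added illustration of the setting's rule; all names here are hypothetical.
const SITE_ORIGIN = "https://www.example.com"; // constructed sample site

// True when href resolves to the site's own origin. Relative URLs are
// resolved against the site, so "/about" counts as internal.
// Assumption: "within your website" means same scheme, host and port.
function isInternal(href, siteOrigin = SITE_ORIGIN) {
  try {
    return new URL(href, siteOrigin).origin === new URL(siteOrigin).origin;
  } catch (e) {
    return false; // unparseable URL: treat as external so it gets hardened
  }
}

// Returns the rel value the link should carry, or null when no rel
// attribute is needed. Existing tokens (e.g. "nofollow") are preserved
// and nothing is added twice.
function hardenedRel(link, siteOrigin = SITE_ORIGIN) {
  const tokens = (link.rel || "").split(/\s+/).filter(Boolean);
  // Target keywords such as _blank are matched case-insensitively.
  const opensNewTab = (link.target || "").trim().toLowerCase() === "_blank";
  if (opensNewTab && !isInternal(link.href || "", siteOrigin)) {
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    for (const needed of ["noopener", "noreferrer"]) {
      if (!have.has(needed)) tokens.push(needed);
    }
  }
  return tokens.length ? tokens.join(" ") : null;
}

// Constructed sample links showing each branch of the rule.
const samples = [
  { href: "https://other.example/page", target: "_blank" },
  { href: "/about", target: "_blank" },
  { href: "//other.example/x", target: "_BLANK", rel: "nofollow noopener" },
  { href: "https://other.example/", target: "_self", rel: "nofollow" },
];
for (const s of samples) {
  console.log(s.href, "->", hardenedRel(s));
}
```

The protocol-relative link (`//other.example/x`) is resolved before the comparison, so it is correctly treated as external even though it does not start with a scheme.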
The target="_blank" vulnerability has also been called Tabnabbing and it occurs when the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
When the rel attribute contains noopener, the new page cannot access your window object via window.opener. Internet Explorer and some other older browsers don't support rel="noopener", so you also need to include noreferrer, that is, rel="noopener noreferrer". The "noreferrer" value for the rel attribute tells the browser not to send any referrer information when the link is followed.
Below are some resources to learn more about the target="_blank" vulnerability.
- About rel=noopener - what problems does it solve - a good explanation of the vulnerability and what can be done about it.
- The performance benefits of rel=noopener
- The target="_blank" vulnerability by example
- What is the difference between "nofollow" and "noreferrer" link from SEO perspective?
- Performance and security of target=_blank links with rel=noopener
Entire public site is password protected
If this is set to "Yes" then the entire website will be password protected and visitors will have to log into the website in order to view any content.
Use the SSL settings if you have an SSL certificate configured for your website.
If you have an SSL certificate set up on your website then set the My site supports SSL setting to Yes. Once you make that change, more settings will show up to allow you to configure how the SSL certificate is applied to the website.
Set Entire public site is secure to force all pages on your website to use https.
Set Entire administration is secure to force the entire administration to use https.