Security Settings

Security Settings

To access the security settings panel click the "Settings" > "System Settings" link from the top menu. You will be shown a list with all the available settings for your installation. Find the "Security Settings" section and click the "View/Edit Settings" button or double click the row.

HSTS Policy

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers. More information can be found here.

ThinkCMS v4

The following settings are valid only for ThinkCMS v4 and are deprecated in newer versions.

Authentication Types

You can choose between Basic HTTP Authentication, Digest Access Authentication (recommended) and External Authentication if you want to secure the administration yourself. Selecting External Authentication will disable the Administrator users and permissions and all the users will be able to access all the features of the Site Manager. If you do not integrate another access control technique, any user from anywhere will be able to enter the SiteManager and update or delete content from your website.  Your website will be extremely vulnerable to attacks.

Differences and impact on security

The difference between Basic HTTP Authentication and Digest Access Authentication is in the way the password is sent to the server.  When using Basic HTTP Authentication, the password is being sent as plain text over the network, so anyone sniffing your network can easily get his hands on your username and password. On the other hand, when using Digest Access Authentication the server negotiates the credentials with your web browser, the password is sent encrypted and other security tokens are used by both your browser and the server. If you are concerned about the security of your site, and you most certainly should be, use this authentication type. It is more secure then the Basic Authentication and more secure then the other authentication solutions implemented in modern web applications.

If you feel that these authentication types are not enough for your SiteManager security, please consult with a ThinkWeb representative on implementing SSL certificates into the current security modules of the installation.


In the above login screen the text "SiteManager administration module, powered by th!nkcms!" is called realm. You can change this to whatever you want from the "Realm" field for the authentication type in use.

More info: Digest Access Authentication | Basic HTTP Authentication