System wide security settings
Requirements towards security can vary greatly depending on the institution. Use the security settings to configure the necessary security level while taking the associated risk into account.
Force file download in folders: Select this security setting to always dowload files from folders and never open them directly in the browser. This prevents possible Cross-Site-Scripting attacks (XSS). When this feature is enabled all documents are downloaded as files and will not be displayed in the browser directly, including HTML documents. This behavior does not apply to the course element "single page".
Prevent embedding in frames: Select this security feature to prevent OpenOLAT from being loaded in a HTML frame or iFrame. By doing this possible Cross-Frame-Scripting attacks (XFS) will be prevented. If you enable this feature it is no longer possible to embedd OpenOLAT in an existing website using frames.
Block Wiki resource: Wiki configuration: Disable the option "Enable Wiki resource" to block the Wiki system-wide. The Wiki component is currently still vulnerable to cross-site scripting attacks (XSS). Therefore the XSS scanner can be activated additionally. This can lead to impairments in the Wiki functionality in OpenOLAT. If the XSS scanner is switched off, the Wiki can be used with the risk of an XSS attack. However, the Wiki component has automatic versioning, which makes it difficult for attackers to remain undetected.
