Security

General

You can modify the following security settings at Control Panel > Security > Security for DSM browsing sessions:

• Logout timer (minutes): Users will be automatically logged out from DSM if they are inactive for the time period specified here. Enter any value from 1 to 65535.
• Enhance browser compatibility by skipping IP checking: If you access Synology NAS through an HTTP proxy and encounter random logouts, you can enable this option to skip IP checking.
• Improve protection against cross-site request forgery attacks: This option enhances the system's protection against cross-site scripting attacks. This option will take effect the next time you log into DSM.
• Improve security with HTTP Content Security Policy (CSP) header: This option enhances the system's security against cross-site scripting (XSS) attacks by allowing only data from trusted sources and restricting inline script execution.
• Do not allow DSM to be embedded with iFrame: You can enable this option to restrict other websites from embedding DSM into other web pages with iFrame, thus preventing certain types of attacks from malicious websites. To allow specific websites to embed DSM with iFrame, click Allowed websites, add websites, go to Control Panel > Login Portal > DSM > Domain, set up a customized domain, and tick Enabling HSTS forces browsers to use secured connections. Make sure your Synology NAS has a valid certificate.
• Clear all saved user login sessions upon system restart: This option prevents unexpected system errors from happening if users stay logged in and perform operations on the system while the system is getting ready. With this option enabled, all users will need to re-login after the system restarts.
  
• Show notification on DSM desktop when the current IP changes: When the IP of a currently connected user changes, send a desktop notification to that user.

Trusted Proxies

DSM will use the remote IP information passed from a trusted proxy server. You can change trusted proxy servers.