General Security Settings

LiveAgent offers a number of additional security settings, which can be found in the Agent panel > Configuration > Security > Settings. These let you set up more advanced security rules and features that help protect your LiveAgent account and your customer portal against various types of vulnerabilities.
  • Allowed file types - This setting lets you restrict which file types visitors can upload through the contact widgets. For example, if your support team only works with .pdf files, you can set it so that visitors can only send .pdf files to your agents during a chat or through contact forms. This does not affect email attachments in any way; the security of your emails is handled by your mail server or mail account provider.

  • Visitor cookie lifetime - This setting allows you to set the number of days for which the cookie identifying customers/visitors on your website will be valid. By default, the LiveAgent cookie used to recognize the visitor automatically is valid for 30 days. Setting it to 0 means the visitor will not be remembered at all. More detailed information about the cookies created and used by LiveAgent is given in this guide.

  • Agent panel access - This setting allows you to define specific IPs that will be allowed to access your agent panel. Be cautious when setting this up: if you set it incorrectly, you can easily lock yourself or your colleagues out. You can use the wildcard character (*) to match an IP range, or define a specific range instead of individual IPs. See the examples of specific definitions in the agent panel access description in the screenshot below.

  • Allow KB in iframe - This setting allows you to use your LiveAgent customer portal/knowledgebase in an iframe. This option is disabled by default and needs to be enabled manually first. Only then will you be able to display your LiveAgent customer portal in an iframe element.

  • CSRF Protection - CSRF (cross-site request forgery) is a type of attack in which an attacker tries to have unauthorized commands transmitted from a user (the agent's browser) that the web application (the LiveAgent server) trusts. This setting enables an extra layer of security against such attacks by using a special secret token that is sent with each request between client and server, and then checking that the received token is valid. If the server does not receive a valid token with a request from the agent, the request is simply ignored and the server returns an error.

  • CSP headers - These two settings allow you to define Content Security Policy headers for your LiveAgent agent panel and your knowledgebase. Detailed info can be found in a separate guide here.

  • Password requirements section - This section allows you to set up password requirements for your agents. Detailed info can be found in a separate guide here.

  Do not forget to save your changes!
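
The token check described under CSRF Protection can be pictured with the following added Python example. It is not LiveAgent's code: the HMAC construction, the `X-CSRF-Token` header name, the one-hour lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
TOKEN_TTL = 3600                      # assumption: token lifetime in seconds


def _mac(session_id: str, issued: str) -> bytes:
    # Bind the token to one session and one issue time.
    msg = f"{session_id}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Create the token the client must send back with each request."""
    issued = str(int(time.time() if now is None else now))
    return f"{issued}.{_mac(session_id, issued).decode()}"


def is_valid(session_id: str, token: Optional[str], now: Optional[float] = None) -> bool:
    """Return True only for an unexpired token issued for this session."""
    if not token or token.count(".") != 1:
        return False  # missing or malformed token
    issued, received = token.split(".")
    try:
        age = (time.time() if now is None else now) - int(issued)
    except ValueError:
        return False  # issue time is not a number
    if age > TOKEN_TTL:
        return False  # expired
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(_mac(session_id, issued), received.encode())


def handle_request(session_id: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """State-changing endpoint: without a valid token the request is not processed."""
    if not is_valid(session_id, headers.get("X-CSRF-Token")):
        return 403, "invalid or missing CSRF token"
    return 200, "request processed"
```

A page on another origin can cause the agent's browser to send the session cookie, but it cannot read the token from the agent panel, so a forged request arrives without a valid token and is rejected.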