Skip to main content

Security

Secret hash

Since version 3.97, the secret hash was too weak for modern security purposes. If you have an existing installation, I suggest changing it to a string of at least 50 characters. 80 characters is recommended, and the string should include special characters.

https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc_web/settings/settings.ini.default.php#L12

Trusted hosts and Site address

In version 3.97, there are a few new settings. If you are missing them, you can add them to your settings/settings.ini.php file under the site section.

It will avoid Live Helper Chat in some circumstances generate URL pointing to third party website.

'site_address' => 'https://demo.livehelperchat.com',
'trusted_host_patterns' => [
     '^demo\.livehelperchat\.com$', // Explicit domain
     '^.+\.livehelperchat\.com$',   // Any subdomain
],

Location in default configuration

https://github.com/LiveHelperChat/livehelperchat/blob/master/lhc_web/settings/settings.ini.default.php#L29-L31

How to limit/protect back office access

Few things

<Location "/site_admin/">
    SetEnvIf X-Forwarded-For "192.168.1.2" Remi
    <RequireAny>
        Require env Remi
        Require ip 192.168.1.2/32
    </RequireAny>  
</Location>
#Allow sso for crm
<Location ~ "/site_admin/ssoprovider/.*">
    SetEnvIf X-Forwarded-For "192.168.1.2" Remi
    <RequireAny>
        Require env Remi
        Require ip 192.168.1.2/32
    </RequireAny>   
</Location>
#Allow Rest API
<Location ~ "/restapi/.*">
    SetEnvIf X-Forwarded-For "192.168.1.2" Remi
    <RequireAny>
        Require env Remi
        Require ip 192.168.1.2/32
    </RequireAny>  
</Location>

Export hash

As with secrethash, the same situation applies to the Export hash.

The Export hash can be changed in:

System configuration > Live Help configuration > Chat configuration > Misc > Chats export secret hash

Set it to a length of at least 50 characters.