In association with heise online

Security settings

The settings highlighted in blue represent a compromise between security and user-friendliness for websites, while green settings represent the highest possible level of security. Settings in black are the preset values for new installations. If an option has no blue setting, the preset is already a useful compromise.

ActiveX controls represent a considerable risk and should generally only be loaded and launched at the user's explicit request. This also applies to controls marked as "secure" even if they are local ones. Never use unsigned ActiveX controls.
Compared to ActiveX, Java is relatively secure. Therefore, the preset values offer sufficient security. But if you want to be absolutely certain, disable Java.

Active Scripting contains the settings for JScript and VBScript. Scripting should be disabled because it is often indispensable for exploits of security holes. However, if you switch it off, a lot of web sites will lose functionality. The option of using prompts is not practical here because you would have to constantly click away warnings, which would make web sites practically as useless as switching off scripting, if not more so. The best option is to enable these prompts only for paste operations and for scripting of Java applets, both of which are quite rare.

Consistently working with the various zones represents a useful compromise. Disable active scripting in the Internet zone and put all the trusted sites you need into the list of trusted sites. This quickly gives you a configuration in which the important things still work while a large part of the risk is ruled out.

"Allow paste operations via script" gives the web site access to your clipboard. This manoeuvre poses a certain risk, but one that you can keep under control by using explicit prompts. Your clipboard could contain confidential information from other applications.
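The zone compromise described above (scripting off in the Internet zone, needed hosts in Trusted Sites, paste-via-script reduced to a prompt) can be applied and audited from the registry. This is an added example, not code from the article or from heise; it assumes per-user (HKCU) settings and takes the value names (1400, 1407, 1004, 1601) and the meaning 0 = Enable, 1 = Prompt, 3 = Disable from Microsoft's published zone-registry documentation (KB182569), which you should verify against your Internet Explorer version. The trusted host name is a placeholder.

```powershell
# Added example: apply and audit the zone compromise recommended in the text.
# Assumptions: HKCU scope; value names/meanings as documented in Microsoft KB182569.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Internet = 3; $Trusted = 2            # zone numbers
$Enable = 0; $Prompt = 1; $Disable = 3 # action values

# Setting name -> registry value name (assumed from KB182569; verify on your system)
$Settings = @{
    ActiveScripting     = '1400'  # JScript/VBScript
    PasteViaScript      = '1407'  # "Allow paste operations via script"
    UnsignedActiveX     = '1004'  # "Download unsigned ActiveX controls"
    UnencryptedFormData = '1601'  # "Submit non-encrypted form data"
}

function Set-ZoneSetting([int]$Zone, [string]$Name, [int]$Value) {
    $key = Join-Path $ZonesKey $Zone
    Set-ItemProperty -Path $key -Name $Settings[$Name] -Value $Value -Type DWord
}

function Add-TrustedSite([string]$Domain, [string]$Scheme = 'https') {
    # ZoneMap\Domains\<domain> carries a DWORD named after the scheme whose data is the zone number
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $Trusted -Type DWord
}

function Get-ZoneAudit([int]$Zone) {
    # Report the effective value of each tracked setting so the change can be verified
    $props = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone)
    foreach ($name in $Settings.Keys) {
        [pscustomobject]@{ Zone = $Zone; Setting = $name; Value = $props.($Settings[$name]) }
    }
}

# Internet zone: the article's recommendations
Set-ZoneSetting $Internet ActiveScripting     $Disable
Set-ZoneSetting $Internet PasteViaScript      $Prompt
Set-ZoneSetting $Internet UnsignedActiveX     $Disable
Set-ZoneSetting $Internet UnencryptedFormData $Enable   # needed for contact forms and search engines

# Trusted Sites keeps scripting enabled, only for hosts you actually need (placeholder host)
Add-TrustedSite 'intranet.example.invalid'
Get-ZoneAudit $Internet | Format-Table -AutoSize
```

Running this with an unprivileged account changes only that user's zone settings; Group Policy or HKLM-level zone settings, if present, take precedence over the values written here.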
The transmission of unencrypted form data is required for most entry fields on websites and therefore generally has to be allowed.

By contrast, saving objects to your desktop should only be allowed in exceptional cases.

IFRAMES and framesets, which display various web sites in different frames (and thus hide the origin of the sites), should also only be allowed in exceptional cases. There are various ways to abuse them.

Attackers use all kinds of tricks, such as active content, to open windows the user does not notice. For instance, they use one-pixel windows that users practically cannot see, or windows positioned outside the visible desktop. Therefore, do not allow script-initiated windows without size and position restrictions, or windows without an address bar or status bar.

If you disable the transmission of unencrypted form data, you will not be able to use a lot of contact forms and search engines.

Software channels can be used to transmit programs to your computer if you have subscribed to such a channel. Because programs can be infected with viruses or Trojans, you should make sure you know which programs have got onto your computer, and from where.
