The security settings page allows for:

  • Managing CORS white-listed domains

  • Viewing and deleting user sessions

  • Creating new app passcodes

CORS White-listed Domains

cors section
Figure 1. CORS (Cross-origin Resource Sharing) configuration section

The CORS (Cross-origin resource sharing) white-listed domains section lists zero or more domains which the ownCloud instance is allowed to request resources from, in addition to the current domain, for your user account.

By default, as in the screenshot above, no domains will be listed. If you want to add one, or more, add them, one at a time, in the Domain text field, and click Add. You will then see them listed, as in the screenshot below.

Valid records:
Record Scheme Example

protocol + domain

protocol + domain + port

protocol + ip

protocol + ip + port

CORS entries follow strict rules, only http and https protocols are allowed.

To remove one, or more, click the trashbin icon next to the relevant domain name.

cors section with white listed domains
Figure 2. CORS Configuration Section with white-listed domains

You will then be prompted to confirm if you want to remove the domain. If you do, click Yes. If you do not, click No.


sessions section
Figure 3. Sessions section

The sessions section, which you can see an example of below, lists all your current user sessions, across web, desktop, and mobile clients. Specifically, it lists the browser user agent string and the time of the most recent activity. If you want to log a session out, then click the Disconnect button at the far right of the relevant session.

App Passwords / Tokens

app password tokens section
Figure 4. App password / tokens section

This section lets you give an app or device permissions to access your ownCloud account. App passwords are a security measure which let you hide your actual password. To create one, insert the app name in the App name text field, and click Create new app passcode.

  1. Create new app password / token image::personal-settings/security/create-new-app-password-token.png[]

As you can see in the screenshot above, a username and password/token will be generated, and the app will be listed in the apps list in this section.

Make sure you either securely store the username and password / token or ensure that the receiver does, because once you click Done the username and password / token will longer be discoverable.

If you want to revoke access for a device or app, click the trash bin icon next to its name in the apps list.

No confirmation of revocation is requested. Once you click the trash bin icon, the apps access is revoked.