Administrator Documentation

Security configuration variables

Variable	Type	Default Value	Description
d2l.Security.BypassDateCheck	Org	ON	Controls whether courses with start/end dates are displayed in the My Courses widget, and the Pulse mobile apps outside their date range (i.e. before or after their start and end dates). Only applicable to roles without the 'Access Past/Future Courses' setting. When turned on, users will be able to see upcoming courses and previous course offerings they are enrolled in. They will not be able to access these course offerings (the names will not appear as links to the course homepage, as is the case for current course offerings). Security.HasOrgUnitDateRestrictions must be enabled.
d2l.Security.ContentApplySandbox	Org	ON	Enables sandboxing security feature for the Organization. When 'On' content security permissions and org unit content sandboxing become enabled.
d2l.Security.ContentSandboxDefault	OrgUnit	OFF	Determines default sandbox behaviour for the organization and other org units. Requires d2l.Security.ContentApplySandbox to be ON to take affect. Can also be set on the Course Offering Information page
d2l.Security.DisableScriptCookies	Org	OFF	Controls whether cookies used by scripts are disabled.
d2l.Security.HasOrgUnitDate Restrictions	Org	ON	Controls whether org unit start/end date restrictions are enforced. When enabled, roles without the 'Access Past/Future Courses' setting will not be able to access date-restricted course offerings outside their date range.
d2l.Security.WidgetsApplySandbox	Org	ON	When on, sandboxing will be enabled in Widgets.

Api

Variable	Type	Default Value	Description
d2l.Security.Api.ApplicationsAvailableAsPublished	Org	ON	Automatically enable applications from the master list.
d2l.Security.Api.EnableApi	Org	ON	Central switch for all of API.
d2l.Security.Api.Sync.LmsId	Org	null	ID for the central application provisioning service.
d2l.Security.Api.TokenTimeout	Org	-1	Timeout for long-lived tokens in API calls in seconds.

Content Security Policy

Variable	Type	Default Value	Description
d2l.Security.ContentSecurityPolicy.AddtnlAncestors	Org	https://s.brightspace.com https://*.ally.ac https://leaplti.desire2learn.com/ https://leaplti-fr.brightspace.com/ https://tryleap.brightspace.com/ https://leaplti-es.desire2learn.com/ https://leaplti-ptbr.desire2learn.com/ https://leaplti-us.brightspace.com/ https://leaplti-apac.brightspace.com/ https://leaplti-emea.brightspace.com/ https://leapqa.net https://leaplti-ap.brightspace.com https://login.microsoftonline.com/ https://login.live.com/ https://cdn.lcs.brightspace.com/	Web pages that are allowed to embed the site within a frame in addition to itself. See Announcement about Content Security Policy Usage within Brightspace for examples.
d2l.Security.ContentSecurityPolicy.HeaderEnabled	Org	ON	Enables the Content-Security-Policy HTTP header.
d2l.Security.ContentSecurityPolicy.ReportingOnly	Org	OFF	Whether to only report Content-Security-Policy violations on Login Pages, rather than enforcing the policy. Note: Enforced violations are still reported when this is set to "off"
d2l.Security.ContentSecurityPolicy.SiteWideReportingOnly	Org	ON	Whether to only report Content-Security-Policy violations for all pages except Login Pages, rather than enforcing the policy. Note: Enforced violations are still reported when this is set to "off"
d2l.Security.ContentSecurityPolicy.SvgAllowScripts	OrgUnit	OFF	Whether or not SVG image content is allowed to execute javascript inside its CSP sandbox