Xibo Cloud CMS Defaults and Restrictions
Listed below are the Xibo CMS settings that have been preconfigured for Xibo in the Cloud Customers. Some settings can be changed with others locked.
CMS Password Policy
We set the default Password Policy to require a password of at least 10 characters in length. It’s our view that password policies that require certain levels of complexity are great, but that length is the single most important factor when choosing a secure password. See Jeff Atwood’s excellent blog post on the subject.
Force HTTPS connections to the CMS
For a new CMS, all connections are required to be made over HTTPS, otherwise, they’re redirected. You can turn this off at your option, but please be aware it will make your access to the CMS less secure.
Strict Transport Security
Strict Transport Security forces browsers connecting to a website to connect only to the encrypted HTTPS version of the website for a fixed period of time, to prevent downgrade attacks on your connection. For a new CMS, we disable strict transport security by default as it can conflict with some older Player devices. You can turn this on at your option, and configure the time that the restriction should be in place for.
Default CMS email send from address
If you hold a CMS White Label theme, we change the default email address the CMS will send email to you based upon your preferences expressed when you created the theme.
We turn off the Library Tidy function by default. This can be potentially destructive if you don’t understand the implication of running it with all options selected. This can be enabled from the settings page if you wish.
We set a default timezone for you based upon your choice of data centre that you host your CMS in. So for example, if you choose to host your CMS in the UK, we’ll set a Europe/London timezone for you. You can change this to your local timezone if that is incorrect.
The following settings are pre-configured for you in the CMS and locked or hidden. You are not able to change these settings yourself. In some cases, our Support team may be able to make adjustments for you if there’s a valid use case, and if making a change won’t negatively impact the security or performance of our Cloud environment.
We disable the ability to configure the Player to send a periodic screenshot back to the CMS. We do so because this function can use very large amounts of bandwidth very quickly. Support can enable this option for you if you wish to use it.
Currently Playing Layout
We disable the ability to configure the Player to send status updates to the CMS every time it begins playing a new Layout. This prevents you seeing the currently running layout status on the Displays page in the CMS. Please note: This setting generates huge numbers of requests to the Cloud platform and is designed to be used only in a LAN environment.
CMS proxy settings are disabled and hidden since no proxy is required to access the internet from our Cloud Platform. You can still configure Player-side proxy settings on your devices as required to access our platform
We limit datasets to 10,000 rows per dataset.
Maximum Statistics retention
We configure our CMS instances to archive your proof of play statistics to CSV files uploaded in your library each day, once those records are 62 days old. Statistics records are deleted when they are older than 70 days. In reality, statistics are archived to your CMS library before they get to this age, so they aren’t deleted as such. Please note: Statistics records consume very large amounts of database storage so we aren’t able to extend this time period.
CMS versions prior to 2.3.0 have the above limits set to 30 days and 40 days respectively.
The system task configuration is locked as these have been optimally configured for you.
We prevent the installation of modules on Cloud. Any of the stock Modules that ship with Xibo can be installed for you if they aren’t installed already. Your own third-party Modules cannot be installed.
We pre-configure, lock and hide the XMR configuration as you don’t need to set that up yourself. If you want to turn XMR off for one or more Players, you can do so at the Display Profile settings by entering
DISABLED in to the XMR Public Address field.
File Download Mode and associated settings
These settings are pre-configured for you to give the best performance.
We limit the number of Displays that can be authorised on the CMS, the size of the CMS library, and the total amount of bandwidth that can be consumed based upon what you have purchased from Customer Portal. You can change these limits by purchasing more display slots as required from our shop.
Maximum File Upload Size
This is fixed at 1999MB or 4GB for version 2 CMS instances onwards.
We fix and hide the loadbalancer whitelist setting as there is no need to change this value on our Cloud platform.
We fix general system log retention at 3 days. Error messages etc are rarely useful after that time period. Old log messages are deleted.
Audit log Retention
Audit log messages are automatically deleted once they reach 30 days in age.
The database import function is disabled as this could be used to circumvent restrictions described in this article. If you would like to bring an existing database with you when moving to Cloud, please discuss with our Support team and they can make the necessary arrangements.
The theme settings are hidden in the CMS. On Cloud, you will use the standard Xibo theme unless you’ve purchased a CMS white label from us. In that case, we pre-configure the theme settings for you.
Darksky Weather API Key
The API keys for the Darksky Weather integration are pre-populated and hidden, so you don’t need to sign up for your own account. We cache weather data for each location for 4 hours.
OpenWeather API Key
The API keys for the OpenWeather integration are pre-populated and hidden, so you don’t need to sign up for your own account. We cache weather forecast data for each location for 4 hours, and current weather conditions for 1 hour as a minimum.
Twitter API Key
We partially configure the Twitter module for you, so that you’re able to connect to your Twitter account without needing to sign up for your own API keys. We cache requests to the Twitter search API for 1 hour.
Currencies and Stocks API Keys
The API keys for the Currencies and Stocks Modules are pre-populated and hidden so you won’t need to sign up for your own account with those providers. We cache responses to these for 4 hours.
The CMS library directory is pre-configured and cannot be modified.
API / XMDS Rate Limits
To ensure that the Xibo Cloud service remains performant for all our users, we do impose some basic rate limiting on your connections to the CMS. Where you interact with the CMS API, you may receive an error 429 if you exceed the rate limit. In that case, you should slow your overall request rate down.