Xibo Cloud CMS Defaults and Restrictions

Listed below are the Xibo CMS settings that have been preconfigured for Xibo in the Cloud Customers. Some settings can be changed with others locked.

Settings that have been defaulted, but can change

CMS Password Policy

We set the default Password Policy to require a password of at least 10 characters in length. It’s our view that password policies that require certain levels of complexity are great, but that length is the single most important factor when choosing a secure password. See Jeff Atwood’s excellent blog post on the subject.

Force HTTPS connections to the CMS

For a new CMS, all connections are required to be made over HTTPS, otherwise, they’re redirected. You can turn this off at your option, but please be aware it will make your access to the CMS less secure.

Strict Transport Security

Strict Transport Security forces browsers connecting to a website to connect only to the encrypted HTTPS version of the website for a fixed period of time, to prevent downgrade attacks on your connection. For a new CMS, we disable strict transport security by default as it can conflict with some older Player devices. You can turn this on at your option, and configure the time that the restriction should be in place for.

Default CMS email send from address

If you hold a CMS White Label theme, we change the default email address the CMS will send email to you based upon your preferences expressed when you created the theme.

Library Tidy

We turn off the Library Tidy function by default. This can be potentially destructive if you don’t understand the implication of running it with all options selected. This can be enabled from the settings page if you wish.


We set a default timezone for you based upon your choice of data centre that you host your CMS in. So for example, if you choose to host your CMS in the UK, we’ll set a Europe/London timezone for you. You can change this to your local timezone if that is incorrect.

Settings which cannot be changed

The following settings are pre-configured for you in the CMS and locked or hidden. You are not able to change these settings yourself. In some cases, our Support team may be able to make adjustments for you if there’s a valid use case, and if making a change won’t negatively impact the security or performance of our Cloud environment.

Periodic Screenshot

We disable the ability to configure the Player to send a periodic screenshot back to the CMS. We do so because this function can use very large amounts of bandwidth very quickly. Support can enable this option for you if you wish to use it.

Currently Playing Layout

We disable the ability to configure the Player to send status updates to the CMS every time it begins playing a new Layout. This prevents you seeing the currently running layout status on the Displays page in the CMS. Please note: This setting generates huge numbers of requests to the Cloud platform and is designed to be used only in a LAN environment.

Proxy Settings

CMS proxy settings are disabled and hidden since no proxy is required to access the internet from our Cloud Platform. You can still configure Player-side proxy settings on your devices as required to access our platform

Dataset Size

We limit datasets to 10,000 rows per dataset.

Maximum Statistics retention

We configure our CMS instances to archive your proof of play statistics to CSV files uploaded in your library each day, once those records are 62 days old. Statistics records are deleted when they are older than 70 days. In reality, statistics are archived to your CMS library before they get to this age, so they aren’t deleted as such. Please note: Statistics records consume very large amounts of database storage so we aren’t able to extend this time period.

CMS versions prior to 2.3.0 have the above limits set to 30 days and 40 days respectively.

From CMS version 2.3.11 onward, proof of play statistics that are older than the maximum statistics retention time will not be accepted in to the CMS. You should ensure that your devices have the correct date and time to avoid any issues.

Task Configuration

The system task configuration is locked as these have been optimally configured for you.


We prevent the installation of modules on Cloud. Any of the stock Modules that ship with Xibo can be installed for you if they aren’t installed already. Your own third-party Modules cannot be installed.

XMR Configuration

We pre-configure, lock and hide the XMR configuration as you don’t need to set that up yourself. If you want to turn XMR off for one or more Players, you can do so at the Display Profile settings by entering DISABLED in to the XMR Public Address field.

File Download Mode and associated settings

These settings are pre-configured for you to give the best performance.

System Limits

We limit the number of Displays that can be authorised on the CMS, the size of the CMS library, and the total amount of bandwidth that can be consumed based upon what you have purchased from Customer Portal. You can change these limits by purchasing more display slots as required from our shop.

Maximum File Upload Size

This is fixed at 1999MB or 4GB for version 2 CMS instances onwards.

Loadbalancer Whitelist

We fix and hide the loadbalancer whitelist setting as there is no need to change this value on our Cloud platform.

Log Retention

We fix general system log retention at 3 days. Error messages etc are rarely useful after that time period. Old log messages are deleted.

Audit log Retention

Audit log messages are automatically deleted once they reach 30 days in age.

Disable Import

The database import function is disabled as this could be used to circumvent restrictions described in this article. If you would like to bring an existing database with you when moving to Cloud, please discuss with our Support team and they can make the necessary arrangements.


The theme settings are hidden in the CMS. On Cloud, you will use the standard Xibo theme unless you’ve purchased a CMS white label from us. In that case, we pre-configure the theme settings for you.

Darksky Weather API Key

The API keys for the Darksky Weather integration are pre-populated and hidden, so you don’t need to sign up for your own account. We cache weather data for each location for 4 hours.

OpenWeather API Key

The API keys for the OpenWeather integration are pre-populated and hidden, so you don’t need to sign up for your own account. We cache weather forecast data for each location for 4 hours, and current weather conditions for 1 hour as a minimum.

Twitter API Key

We partially configure the Twitter module for you, so that you’re able to connect to your Twitter account without needing to sign up for your own API keys. We cache requests to the Twitter search API for 1 hour.

Currencies and Stocks API Keys

The API keys for the Currencies and Stocks Modules are pre-populated and hidden so you won’t need to sign up for your own account with those providers. We cache responses to these for 4 hours.

Library Directory

The CMS library directory is pre-configured and cannot be modified.

API / XMDS Rate Limits

To ensure that the Xibo Cloud service remains performant for all our users, we do impose some basic rate limiting on your connections to the CMS. Where you interact with the CMS API, you may receive an error 429 if you exceed the rate limit. In that case, you should slow your overall request rate down.