By default wiki will, if we don't configure a security module, make all content read-only.

The previous default where unclaimed sites were editable by anybody can be enabled by setting security_legacy to true.

This version of wiki will install

• a Passport based security module, see wiki-security-friends, and
• a simpler friends, secret token, based security module, see wiki-security-friends for details.

To use this new, Passport based, security module you will need to choose one of the OAuth providers that it makes available and follow the configuration notes.

It is recommended that you make use of TLS, many OAuth providers now require it. This will require configuring a proxy, in front of the Federated Wiki server, and getting the necessary certificated. There are a number of options, probably the easiest is to use Caddy with Automatic HTTPS, and On-Demand TLS. Which uses Let's Encrypt as the certificate authority.

If you want to use TLS you will need to configure the wiki server by adding "security_useHttps": true, to the configuration file, as well as using https:// in the callback URLs when you configure the OAuth provider.

WARNING: If you are using localhost subdomains. Cookies are handled differently, which means SSO across subdomains will not work. While this is only likely to affect those developing security schemes, it is something to be aware of. Consider either using one of your own domains and pointing a subdomain to 127.0.0.1 and ::1, or a domain like localtest.me that points to localhost see localtest-dot-me (github). If using a publicly provided test DNS, it is wise to check it still points to the expected place.