Account Settings

The account settings let you define different attributes of the account, such as two-factor authentication, account notification emails, and weekly report settings. You can also define Origin Lock settings.

In this topic:

Access Account Settings

  1. Log in to your account.
  2. On the sidebar, click Management > Account Settings.

Account Details

This section contains all account-level configuration options.

E-mail for notifications Email addresses defined here will receive all notifications connected to the account and to all sites under the account, including account and billing notifications, threat alert emails (as configured per site) and DDoS alerts (excluding Infrastructure Monitoring alerts). Multiple addresses, separated by commas or semicolons, can be entered.
Require users to use two factor authentication Forces all users of the account to configure two factor authentication for their logins. Users that have not configured two factor authentication will be required to do so before logging in. (Available for account admins only.)
Allow Two Factor Authentication through E-mail Enables users to receive a passcode for two factor authentication via email. If this option is not selected, users can choose to receive a passcode via text message or the Google Authenticator app only.
Allow to login only from the following IP addresses Limits access to the Incapsula portal to specific IP addresses (e.g., the IP addresses of the company’s offices).
Time zone Determines the time zone for the account and all sites under it. For example, all dashboards and event logs for sites will show events in accordance with the configured account time zone.
Support level Shows the account's support level (managed/standard).
Support all TLS versions

In compliance with PCI-DSS requirements to disable the use of TLS 1.0, and due to known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version for connectivity between clients (visitors) and the Incapsula service.

This option enables you to set support for TLS versions earlier than 1.2 on a per site basis.

Enabling this option opens the TLS versions setting for sites in your account. After you enable this option, enable the Support All TLS Versions option for each site that you want to support the earlier TLS versions. For details, see Web Protection - General Settings.

To remain PCI-compliant, do not enable this option. For more details, see Web Protection - SSL/TLS.

Note: You cannot disable this option if it is enabled for any of the account's sites. First disable the Support all TLS versions option for each site in the site's General Settings page.

Subscribe to weekly reports / Weekly account report

Incapsula produces a weekly report for every account that chooses to receive it. The weekly report contains general information on the account as well as all sites under the account. The weekly report is produced once a week and is sent to all email addresses configured under the “E-mail for notifications” field (see above). It can also be reviewed in retrospect directly from the account settings and can be generated on demand.

Weekly reports are generated on each Monday, and contain comparative information between last week and the previous week. Due to this design, a new account can only receive its first Weekly Report two weeks after the account is created.

Enable HTTP/2 for newly created SSL sites

Enables HTTP/2.0 for all new SSL sites added after this setting is enabled. For more details, see:

Enable HSTS for newly created SSL sites Enables HTTP Strict Transport Security for all new SSL sites added after this setting is enabled. For more details, see Web Protection - General Settings.
Include wildcard SAN in Incapsula's certificate for newly created SSL sites

Adds the wildcard SAN to the Incapsula SSL certificate instead of the full domain SAN.

Example: For, the wildcard SAN is * and the full domain SAN is

Options include: True, False, Default (the option is set according to the default option for the account plan)

Using a wildcard SAN enables you to add subdomains, such as, without the need for a certificate change and revalidation.

Note: Typically, when your site's Incapsula-generated certificate needs to be renewed, the process is completed automatically by Incapsula. If you are using a wildcard SAN, automated validation can only be completed for a subdomain if the domain (e.g. is also protected by Incapsula. Otherwise, you will receive an email notification from Incapsula requiring you to revalidate ownership of your domain.

Include naked domain SAN in Incapsula's certificate for newly created WWW sites

For sites with the www prefix, adds the naked domain SAN to the Incapsula SSL certificate.

Example: For, the SAN is added to the certificate in addition to the wildcard or full domain SAN.

Reference ID Enables you to add a unique identifier to correlate an object in our service, such as a protected website, with an object on the customer side.

Origin Lock

Origin Lock associates a specific IP with your account to prevent other accounts on the Incapsula service from setting up sites that forward traffic to that origin IP.

How does it work?

The Incapsula cloud service is positioned between the end users (visitors) and your origin server. In this topology, the origin server IP might be vulnerable to exploits by other tenants hosted on the same service.

This vulnerability allows tenants on the service to configure an IP address that belongs to another account as if it were their own IP. By doing so, they become the first hop for traffic that arrives from the visitor on its way to the original IP (incoming traffic). This allows an attacker to send malicious traffic to the origin server or steal traffic from the origin server by bypassing a site’s security measures.

Incapsula Origin Lock addresses this vulnerability by associating IP addresses with one specific account. This feature "locks" the IPs of a given account and prevents them from being used by others.

If your IP is only used by your account, it is highly recommended that you enable Origin Lock.

To enable Origin Lock:

Contact our support team at Incapsula Support. The support team will let you know once the restriction is set.

When setup is complete, the list of locked IPs is displayed in the Origin Lock table.

Data Management

Default data storage region

Select a region for storing your Incapsula data.

This option sets the default data storage region for new sites created in your account and for network layer data, such as network layer 3/4 headers, which contain IP addresses (for Infrastructure Protection customers)

Available regions include APAC, EU, US.

You can view or change the region for any site. For detail, see Web Protection - General Settings.

For more details, see Data Storage Management.

Override site event data region by origin geolocation Overrides the default setting defined by the Default data storage region option and enables the system to automatically select the WAF event storage location for each website independently.


Tip: Click in any section of the Account Settings page to download a list in .csv format.