Book IndexHideShow
Back to topic

Cloud Application Security

Account Settings

Account Settings

The account settings let you define different attributes of the account, such as two-factor authentication, account notification emails, and weekly report settings. You can also define Origin Lock settings.

In this topic:

Access Account Settings

  1. Log in to your account.
  2. On the sidebar, click Management > Account Settings.

Account Details

This section contains all account-level configuration options.

E-mail for notifications Email addresses defined here will receive all notifications connected to the account and to all sites under the account, including account and billing notifications, threat alert emails (as configured per site) and DDoS alerts (excluding Infrastructure Monitoring alerts). Multiple addresses, separated by commas or semicolons, can be entered.
Require users to use two factor authentication

Forces all users of the account to configure two factor authentication for their logins. Users that have not configured two factor authentication will be required to do so before logging in. (Available for account admins only.)

Note: Two factor authentication is not activated if the user logs in with SSO.

Allow Two Factor Authentication through E-mail Enables users to receive a passcode for two factor authentication via email. If this option is not selected, users can choose to receive a passcode via text message or the Google Authenticator app only.
Allow login from the following IP addresses only Limits access to the Cloud Security Console to specific IP addresses (e.g., the IP addresses of the company’s offices).
Time zone Determines the time zone for the account and all sites under it. For example, all dashboards and event logs for sites will show events in accordance with the configured account time zone.
Support level Shows the account's support level (managed/standard).
Support all TLS versions

In compliance with PCI-DSS requirements to disable the use of TLS 1.0, and due to known vulnerabilities in TLS 1.1, Imperva has defined TLS 1.2 as the default minimum supported version for connectivity between clients (visitors) and Imperva.

This option enables you to set support for TLS versions earlier than 1.2 on a per site basis.

Enabling this option opens the TLS versions setting for sites in your account. After you enable this option, enable the Support All TLS Versions option for each site that you want to support the earlier TLS versions. For details, see Web Protection - General Settings.

To remain PCI-compliant, do not enable this option. For more details, see Web Protection - SSL/TLS.

Note: You cannot disable this option if it is enabled for any of the account's sites. First disable the Support all TLS versions option for each site in the site's General Settings page.

Subscribe to weekly reports

Imperva produces a weekly report for every account that chooses to receive it. The weekly report contains general information on the account as well as all sites under the account.

Weekly reports are generated on each Monday, and contain comparative information between last week and the previous week. Due to this design, a new account can only receive its first Weekly Report two weeks after the account is created.

The weekly report is sent to all email addresses configured under the E-mail for notifications field (see above). The email you receive contains a link for downloading the report in PDF format. Anyone with the link can download the report. It does not require a user or login to Imperva.

The report can also be reviewed in retrospect ore generated on demand, using the Weekly account report option on the Account Settings page.

Accounts with sub accounts: You can subscribe to weekly reports for the parent account, and also for any sub account, via the account/sub account's Account Settings page.

  • The statistics presented in the report for a parent account include all of the sub accounts.

  • A report for a sub account includes only the statistics for the specific sub account.

Weekly account report

View the last weekly report or generate a new one.

Generate and send now: Generates a new report and sends to the account email addresses.

View: Displays the last report generated by the system.

Enable HTTP/2 from end-user to Imperva for newly created SSL sites

Enables HTTP/2.0 support for traffic between end-user (visitor) and Imperva for all new SSL sites that are added after this setting is enabled.

Allows supporting browsers to take advantage of the performance enhancements provided by HTTP/2 for your website. Non-supporting browsers can connect via HTTP/1.0 or HTTP/1.1.


  • HTTP/2 support is available only for sites that have SSL support.
  • You can enable or disable HTTP/2 support at the site level for any individual site. For details, see Delivery Settings.

See also: HTTP/2 FAQ

Enable HTTP/2 to origin for newly created SSL sites

Enables HTTP/2 support for traffic between Imperva and your origin server for all new SSL sites that are added after this setting is enabled.


  • To turn on this option, you must first turn on the Enable HTTP/2 from end-user to Imperva for newly created sites option.
  • You can enable or disable HTTP/2 support at the site level for any individual site. For details, see Delivery Settings.

See also: HTTP/2 FAQ

Enable HSTS for newly created SSL sites Enables HTTP Strict Transport Security for all new SSL sites added after this setting is enabled. For more details, see Web Protection - General Settings.
Include wildcard SAN in Incapsula's certificate for newly created SSL sites

Adds the wildcard SAN to the Imperva SSL certificate instead of the full domain SAN.

Example: For, the wildcard SAN is * and the full domain SAN is

Options include: True, False, Default (the option is set according to the default option for the account plan)

Using a wildcard SAN enables you to add subdomains, such as, without the need for a certificate change and revalidation.

Note: Typically, when your site's Imperva-generated certificate needs to be renewed, the process is completed automatically by Imperva. If you are using a wildcard SAN, automated validation can only be completed for a subdomain if the domain (e.g. is also protected by Imperva. Otherwise, you will receive an email notification from Imperva requiring you to revalidate ownership of your domain.

Include naked domain SAN in Incapsula's certificate for newly created WWW sites

For sites with the www prefix, adds the naked domain SAN to the Imperva SSL certificate.

Example: For, the SAN is added to the certificate in addition to the wildcard or full domain SAN.

Reference ID Enables you to add a unique identifier to correlate an object in our service, such as a protected website, with an object on the customer side.
Allow sites to add a large number of redirect rules Enables you to create up to 20,000 simplified redirect rules per site in your account. For details, see Create Simplified Redirect Rules.
Created On

The date the account was created.

The date format is YYYY-MM-DD.

Origin Lock

Origin Lock associates a specific IP or certificate fingerprint with your account to prevent other accounts on the Imperva service from setting up sites that forward traffic to your origin server.

How does it work?

The Imperva cloud service is positioned between the end users (visitors) and your origin server. In this topology, the origin server IP might be vulnerable to exploits by other tenants hosted on the same service.

This vulnerability allows tenants on the service to configure a site that points to an origin server belonging to another account as if it were their own site. By doing so, they become the first hop for traffic that arrives from the visitor on its way to the original IP (incoming traffic). This allows an attacker to send malicious traffic to the origin server or steal traffic from the origin server by bypassing a site’s security measures.

Imperva Origin Lock addresses this vulnerability by associating IP addresses with one specific account. This feature "locks" the IPs of a given account and prevents them from being used by others.

If your IP or certificate is only used by your account, it is highly recommended that you enable Origin Lock.

Note: If you are using a cloud service provider that issues ephemeral or temporary public IP addresses for your virtual compute workloads and want to use this feature, you must have your own registered PA or PI IP space allocation.

To enable Origin Lock:

Contact our support team at The support team will let you know once the restriction is set.

When setup is complete, the list of locked IPs/fingerprints is displayed in the Origin Lock table.

Note: Fingerprints are listed without spaces. To search the table for a specific fingerprint, first remove all spaces.

Data Management

Default data storage region

Select a region for storing your Imperva data.

This option sets the default data storage region for new sites created in your account and for network layer data, such as network layer 3/4 headers, which contain IP addresses.

Available regions include APAC, AU, EU, and US.

You can view or change the region for any site. For detail, see Web Protection - General Settings.

For more details, see Data Storage Management.

Override site event data region by origin geolocation Overrides the default setting defined by the Default data storage region option and enables the system to automatically select the WAF event storage location for each website independently.
Delete sites’ security and access event data

Permanently delete the security and access event data stored for the sites in your account. (Available for account admins only.)

After you click Delete and then confirm the deletion, the process begins. Data is permanently deleted within 48 hours.

For more details, see Data Storage Management.


Tip: Click in any section of the Account Settings page to download a list in .csv format.

Join the Discussion