Set($RTAddressRegexp , undef);
+=item C<$IgnoreCcRegexp>
+
+C<$IgnoreCcRegexp> is a regexp to exclude addresses from automatic addition
+to the Cc list. Use this for addresses that are I<not> received by RT but
+are sometimes added to Cc lists by mistake. Unlike C<$RTAddressRegexp>,
+these addresses can still receive email from RT otherwise.
+
+=cut
+
+Set($IgnoreCcRegexp, undef);
+
=item C<$CanonicalizeEmailAddressMatch>, C<$CanonicalizeEmailAddressReplace>
RT provides functionality which allows the system to rewrite
Set($ValidateUserEmailAddresses, undef);
+=item C<$NonCustomerEmailRegexp>
+
+Normally, when a ticket is linked to a customer, any requestors on that
+ticket that didn't previously have customer memberships are linked to
+the customer also. C<$NonCustomerEmailRegexp> is a regexp for email
+addresses that should I<not> automatically be linked to a customer in
+this way.
+
+=cut
+
+Set($NonCustomerEmailRegexp, undef);
+
=item C<@MailPlugins>
C<@MailPlugins> is a list of auth plugins for L<RT::Interface::Email>
Set($WebSecureCookies, 0);
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript. The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript. Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
+=item C<$RestrictReferrer>
+
+If set to a false value, the HTTP C<Referer> (sic) header will not be
+checked to ensure that requests come from RT's own domain. As RT allows
+for GET requests to alter state, disabling this opens RT up to
+cross-site request forgery (CSRF) attacks.
+
+=cut
+
+Set($RestrictReferrer, 1);
+
+=item C<$RestrictLoginReferrer>
+
+If set to a false value, RT will allow the user to log in from any link
+or request, merely by passing in C<user> and C<pass> parameters; setting
+it to a true value forces all logins to come from the login box, so the
+user is aware that they are being logged in. The default is off, for
+backwards compatability.
+
+=cut
+
+Set($RestrictLoginReferrer, 0);
+
=item C<$WebFlushDbCacheEveryRequest>
By default, RT clears its database cache after every page view.
Set($ApprovalRejectionNotes, 1);
+=item C<@ReferrerWhitelist>
+
+This is a list of hostname:port combinations that RT will treat as being
+part of RT's domain. This is particularly useful if you access RT as
+multiple hostnames or have an external auth system that needs to
+redirect back to RT once authentication is complete.
+
+ Set(@ReferrerWhitelist, qw(www.example.com:443 www3.example.com:80));
+
+If the "RT has detected a possible cross-site request forgery" error is triggered
+by a host:port sent by your browser that you believe should be valid, you can copy
+the host:port from the error message into this list.
+
+=cut
+
+Set(@ReferrerWhitelist, qw());
+
=back
=head1 Miscellaneous Configuration