V8: Advanced - QoS/Security (Tab) - Security (Section) - Use hidden security tags
You can protect the phone's web interface with hidden security tags against remote attackers who try to change phone settings with forged HTTP POST requests (XSRF attack).
To enable this feature, turn this setting on AND change the HTTP User, HTTP Password and Administrator Password from their default values.
If these settings are still at their default values, the phone's web interface displays the /security.htm page to prompt the user to change them.
A disadvantage of enabling hidden tags might be that the Remote Phone Control feature (e.g. via "command.htm"), which uses the same web server on the phone, is disabled.
See also restrict_uri_queries.
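
The following added example (not firmware or vendor code) models the general hidden-tag technique to show why a forged POST fails and why tag-less requests to "command.htm" are refused as a side effect. The class, the field name `hidden_tag`, the HMAC-based tag format, the `/settings.htm` path and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative model only: field name and tag format are assumptions,
# not the phone firmware's actual implementation.
TAG_FIELD = "hidden_tag"  # hypothetical hidden form field name


class WebInterface:
    def __init__(self, hidden_tags_enabled: bool):
        self.hidden_tags_enabled = hidden_tags_enabled
        self._key = secrets.token_bytes(32)   # per-boot server secret
        self.settings = {"setting_a": "old"}  # constructed sample setting

    def tag_for(self, session_id: str) -> str:
        # Tag is bound to the authenticated session; another site cannot read or guess it.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def render_form(self, session_id: str) -> str:
        # The legitimate settings page carries the tag as a hidden input.
        if not self.hidden_tags_enabled:
            return '<form method="post" action="/settings.htm">...</form>'
        tag = self.tag_for(session_id)
        return f'<form method="post" action="/settings.htm"><input type="hidden" name="{TAG_FIELD}" value="{tag}">...</form>'

    def handle_request(self, session_id: str, path: str, params: dict) -> int:
        # The check applies to every path on the shared web server,
        # which is why scripted calls to /command.htm are affected as well.
        if self.hidden_tags_enabled:
            supplied = params.get(TAG_FIELD, "").encode()
            if not hmac.compare_digest(supplied, self.tag_for(session_id).encode()):
                return 403
        self.settings.update({k: v for k, v in params.items() if k != TAG_FIELD})
        return 200


def demo() -> dict:
    ui = WebInterface(hidden_tags_enabled=True)
    sid = "session-1"  # constructed session id
    tag = ui.tag_for(sid)
    return {
        # Browser submitting the real form: tag present, accepted.
        "legit_form": ui.handle_request(sid, "/settings.htm", {"setting_a": "new", TAG_FIELD: tag}),
        # Cross-site forged POST rides the session but cannot supply the tag.
        "forged_post": ui.handle_request(sid, "/settings.htm", {"setting_a": "forged"}),
        # Scripted remote-control call has no tag either, so it is refused too.
        "remote_control": ui.handle_request(sid, "/command.htm", {"action": "constructed"}),
    }
```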