Index: src/alerts.c
==================================================================
--- src/alerts.c
+++ src/alerts.c
@@ -936,11 +936,11 @@
 ** This is a short name used to identifies the repository in the Subject:
 ** line of email alerts. Traditionally this name is included in square
 ** brackets. Examples: "[fossil-src]", "[sqlite-src]".
 */
 /*
-** SETTING: email-send-method         width=5 default=off
+** SETTING: email-send-method         width=5 default=off sensitive
 ** Determine the method used to send email.  Allowed values are
 ** "off", "relay", "pipe", "dir", "db", and "stdout".  The "off" value
 ** means no email is ever sent.  The "relay" value means emails are sent
 ** to an Mail Sending Agent using SMTP located at email-send-relayhost.
 ** The "pipe" value means email messages are piped into a command 
@@ -949,33 +949,33 @@
 ** by the email-send-dir setting.  The "db" value means that emails
 ** are added to an SQLite database named by the* email-send-db setting.
 ** The "stdout" value writes email text to standard output, for debugging.
 */
 /*
-** SETTING: email-send-command       width=40
+** SETTING: email-send-command       width=40 sensitive
 ** This is a command to which outbound email content is piped when the
 ** email-send-method is set to "pipe".  The command must extract
 ** recipient, sender, subject, and all other relevant information
 ** from the email header.
 */
 /*
-** SETTING: email-send-dir           width=40
+** SETTING: email-send-dir           width=40 sensitive
 ** This is a directory into which outbound emails are written as individual
 ** files if the email-send-method is set to "dir".
 */
 /*
-** SETTING: email-send-db            width=40
+** SETTING: email-send-db            width=40 sensitive
 ** This is an SQLite database file into which outbound emails are written
 ** if the email-send-method is set to "db".
 */
 /*
 ** SETTING: email-self               width=40
 ** This is the email address for the repository.  Outbound emails add
 ** this email address as the "From:" field.
 */
 /*
-** SETTING: email-send-relayhost      width=40
+** SETTING: email-send-relayhost      width=40 sensitive
 ** This is the hostname and TCP port to which output email messages
 ** are sent when email-send-method is "relay".  There should be an
 ** SMTP server configured as a Mail Submission Agent listening on the
 ** designated host and port and all times.
 */

Index: src/db.c
==================================================================
--- src/db.c
+++ src/db.c
@@ -3432,32 +3432,19 @@
 ** SETTING: admin-log       boolean default=off
 **
 ** When the admin-log setting is enabled, configuration changes are recorded
 ** in the "admin_log" table of the repository.
 */
-#if defined(_WIN32)
 /*
-** SETTING: allow-symlinks  boolean default=off versionable
+** SETTING: allow-symlinks  boolean default=off sensitive
 **
 ** When allow-symlinks is OFF, symbolic links in the repository are followed
 ** and treated no differently from real files.  When allow-symlinks is ON,
 ** the object to which the symbolic link points is ignored, and the content
 ** of the symbolic link that is stored in the repository is the name of the
 ** object to which the symbolic link points.
 */
-#endif
-#if !defined(_WIN32)
-/*
-** SETTING: allow-symlinks  boolean default=on versionable
-**
-** When allow-symlinks is OFF, symbolic links in the repository are followed
-** and treated no differently from real files.  When allow-symlinks is ON,
-** the object to which the symbolic link points is ignored, and the content
-** of the symbolic link that is stored in the repository is the name of the
-** object to which the symbolic link points.
-*/
-#endif
 /*
 ** SETTING: auto-captcha    boolean default=on variable=autocaptcha
 ** If enabled, the /login page provides a button that will automatically
 ** fill in the captcha password.  This makes things easier for human users,
 ** at the expense of also making logins easier for malicious robots.
@@ -3507,11 +3494,11 @@
 ** there is no cron job periodically running "fossil backoffice",
 ** email notifications and other work normally done by the
 ** backoffice will not occur.
 */
 /*
-** SETTING: backoffice-logfile width=40
+** SETTING: backoffice-logfile width=40 sensitive
 ** If backoffice-logfile is not an empty string and is a valid
 ** filename, then a one-line message is appended to that file
 ** every time the backoffice runs.  This can be used for debugging,
 ** to ensure that backoffice is running appropriately.
 */
@@ -3584,11 +3571,11 @@
 /*
 ** SETTING: crnl-glob       width=40 versionable block-text
 ** This is an alias for the crlf-glob setting.
 */
 /*
-** SETTING: default-perms   width=16 default=u
+** SETTING: default-perms   width=16 default=u sensitive
 ** Permissions given automatically to new users.  For more
 ** information on permissions see the Users page in Server
 ** Administration of the HTTP UI.
 */
 /*
@@ -3596,11 +3583,11 @@
 ** If enabled, permit files that may be binary
 ** or that match the "binary-glob" setting to be used with
 ** external diff programs.  If disabled, skip these files.
 */
 /*
-** SETTING: diff-command    width=40
+** SETTING: diff-command    width=40 sensitive
 ** The value is an external command to run when performing a diff.
 ** If undefined, the internal text diff will be used.
 */
 /*
 ** SETTING: dont-push       boolean default=off
@@ -3611,11 +3598,11 @@
 /*
 ** SETTING: dotfiles        boolean versionable default=off
 ** If enabled, include --dotfiles option for all compatible commands.
 */
 /*
-** SETTING: editor          width=32
+** SETTING: editor          width=32 sensitive
 ** The value is an external command that will launch the
 ** text editor command used for check-in comments.
 */
 /*
 ** SETTING: empty-dirs      width=40 versionable block-text
@@ -3654,16 +3641,16 @@
 ** An empty list prohibits editing via that page. Note that
 ** it cannot edit binary files, so the list should not
 ** contain any globs for, e.g., images or PDFs.
 */
 /*
-** SETTING: gdiff-command    width=40 default=gdiff
+** SETTING: gdiff-command    width=40 default=gdiff sensitive
 ** The value is an external command to run when performing a graphical
 ** diff. If undefined, text diff will be used.
 */
 /*
-** SETTING: gmerge-command   width=40
+** SETTING: gmerge-command   width=40 sensitive
 ** The value is a graphical merge conflict resolver command operating
 ** on four files.  Examples:
 **
 **     kdiff3 "%baseline" "%original" "%merge" -o "%output"
 **     xxdiff "%original" "%baseline" "%merge" -M "%output"
@@ -3794,11 +3781,11 @@
 ** the associated files within the checkout -AND- the "rm"
 ** and "delete" commands will also remove the associated
 ** files from within the checkout.
 */
 /*
-** SETTING: pgp-command      width=40
+** SETTING: pgp-command      width=40 sensitive
 ** Command used to clear-sign manifests at check-in.
 ** Default value is "gpg --clearsign -o"
 */
 /*
 ** SETTING: forbid-delta-manifests    boolean default=off
@@ -3854,22 +3841,22 @@
 **
 ** If repolist-skin has a value of 2, then the repository is omitted from
 ** the list in use cases 1 through 4, but not for 5 and 6.
 */
 /*
-** SETTING: self-register    boolean default=off
+** SETTING: self-register    boolean default=off sensitive
 ** Allow users to register themselves through the HTTP UI.
 ** This is useful if you want to see other names than
 ** "Anonymous" in e.g. ticketing system. On the other hand
 ** users can not be deleted.
 */
 /*
-** SETTING: ssh-command      width=40
+** SETTING: ssh-command      width=40 sensitive
 ** The command used to talk to a remote machine with  the "ssh://" protocol.
 */
 /*
-** SETTING: ssl-ca-location  width=40
+** SETTING: ssl-ca-location  width=40 sensitive
 ** The full pathname to a file containing PEM encoded
 ** CA root certificates, or a directory of certificates
 ** with filenames formed from the certificate hashes as
 ** required by OpenSSL.
 **
@@ -3879,11 +3866,11 @@
 ** Checking your platform behaviour is required if the
 ** exact contents of the CA root is critical for your
 ** application.
 */
 /*
-** SETTING: ssl-identity     width=40
+** SETTING: ssl-identity     width=40 sensitive
 ** The full pathname to a file containing a certificate
 ** and private key in PEM format. Create by concatenating
 ** the certificate and private key files.
 **
 ** This identity will be presented to SSL servers to
@@ -3890,33 +3877,33 @@
 ** authenticate this client, in addition to the normal
 ** password authentication.
 */
 #ifdef FOSSIL_ENABLE_TCL
 /*
-** SETTING: tcl              boolean default=off
+** SETTING: tcl              boolean default=off sensitive
 ** If enabled Tcl integration commands will be added to the TH1
 ** interpreter, allowing arbitrary Tcl expressions and
 ** scripts to be evaluated from TH1.  Additionally, the Tcl
 ** interpreter will be able to evaluate arbitrary TH1
 ** expressions and scripts.
 */
 /*
-** SETTING: tcl-setup        width=40 block-text
+** SETTING: tcl-setup        width=40 block-text sensitive
 ** This is the setup script to be evaluated after creating
 ** and initializing the Tcl interpreter.  By default, this
 ** is empty and no extra setup is performed.
 */
 #endif /* FOSSIL_ENABLE_TCL */
 /*
-** SETTING: tclsh            width=80 default=tclsh
+** SETTING: tclsh            width=80 default=tclsh sensitive
 ** Name of the external TCL interpreter used for such things
 ** as running the GUI diff viewer launched by the --tk option
 ** of the various "diff" commands.
 */
 #ifdef FOSSIL_ENABLE_TH1_DOCS
 /*
-** SETTING: th1-docs         boolean default=off
+** SETTING: th1-docs         boolean default=off sensitive
 ** If enabled, this allows embedded documentation files to contain
 ** arbitrary TH1 scripts that are evaluated on the server.  If native
 ** Tcl integration is also enabled, this setting has the
 ** potential to allow anybody with check-in privileges to
 ** do almost anything that the associated operating system
@@ -3969,11 +3956,11 @@
 ** of a "fossil clone" or "fossil sync" command.  The
 ** default is false, in which case the -u option is
 ** needed to clone or sync unversioned files.
 */
 /*
-** SETTING: web-browser      width=30
+** SETTING: web-browser      width=30 sensitive
 ** A shell command used to launch your preferred
 ** web browser when given a URL as an argument.
 ** Defaults to "start" on windows, "open" on Mac,
 ** and "firefox" on Unix.
 */

Index: src/mkindex.c
==================================================================
--- src/mkindex.c
+++ src/mkindex.c
@@ -90,10 +90,11 @@
 #define CMDFLAG_SETTING     0x0020      /* A setting */
 #define CMDFLAG_VERSIONABLE 0x0040      /* A versionable setting */
 #define CMDFLAG_BLOCKTEXT   0x0080      /* Multi-line text setting */
 #define CMDFLAG_BOOLEAN     0x0100      /* A boolean setting */
 #define CMDFLAG_RAWCONTENT  0x0200      /* Do not interpret webpage content */
+#define CMDFLAG_SENSITIVE   0x0400      /* Security-sensitive setting */
 /**************************************************************************/
 
 /*
 ** Each entry looks like this:
 */
@@ -248,10 +249,12 @@
     }else if( j==10 && strncmp(&zLine[i], "block-text", j)==0 ){
       aEntry[nUsed].eType &= ~(CMDFLAG_BOOLEAN);
       aEntry[nUsed].eType |= CMDFLAG_BLOCKTEXT;
     }else if( j==11 && strncmp(&zLine[i], "versionable", j)==0 ){
       aEntry[nUsed].eType |= CMDFLAG_VERSIONABLE;
+    }else if( j==9 && strncmp(&zLine[i], "sensitive", j)==0 ){
+      aEntry[nUsed].eType |= CMDFLAG_SENSITIVE;
     }else if( j>6 && strncmp(&zLine[i], "width=", 6)==0 ){
       aEntry[nUsed].iWidth = atoi(&zLine[i+6]);
     }else if( j>8 && strncmp(&zLine[i], "default=", 8)==0 ){
       aEntry[nUsed].zDflt = string_dup(&zLine[i+8], j-8);
     }else if( j>9 && strncmp(&zLine[i], "variable=", 9)==0 ){