Additional Security Features
Password Rules & Blocking
- New users are redirected to change their password on first login (an admin can also force this from the specified user's config page).
- Passwords expire after <N> days, after which the user must change their password.
  - Controlled by the passwordRules.passwordValidity flag in system settings.
  - Default value of <N> is 90 (days).
  - Setting this value to 0 disables password expiry.
- A user's account is blocked for <X> minutes after <Y> wrong login attempts within the last <Z> hours.
  - Configurable via flags in system settings (default values: <X> = 5, <Y> = 10, <Z> = 1).
  - FeatureFlags.blockMinutes = <X>: how many minutes the user is unable to log in after failing to log in the specified number of times in a row. Setting this value to 0 disables blocking.
  - FeatureFlags.maxAttempts = <Y>: how many times the user must fail to log in before being blocked.
  - FeatureFlags.saveAttemptsForNumberOfHours = <Z>: how long (in hours) the user's failed-login count is kept. The count is reset after a successful login or when this many hours have passed since the last unsuccessful login.
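The lockout behaviour described by the three FeatureFlags above, written out as an added Python example (this is not the application's own code). The flag names and default values are taken from the page; the class names, the seconds-based clock passed in explicitly (so the logic can be exercised without sleeping), and the choice to start a fresh failure count once a block lifts are this example's assumptions. The hard-coded IP rule is not modelled because the page does not state how long an IP stays blocked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """The three system-settings flags from the page, with the page's defaults."""
    block_minutes: int = 5               # FeatureFlags.blockMinutes (<X>); 0 disables blocking
    max_attempts: int = 10               # FeatureFlags.maxAttempts (<Y>)
    save_attempts_for_hours: float = 1   # FeatureFlags.saveAttemptsForNumberOfHours (<Z>)

    @property
    def enabled(self) -> bool:
        return self.block_minutes > 0


class LoginThrottle:
    """Per-user failed-login counter with a temporary block, as the page describes.

    `now` is a timestamp in seconds supplied by the caller (hypothetical clock).
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._count = {}          # username -> failures since the last reset
        self._last_failure = {}   # username -> timestamp of the most recent failure
        self._blocked_until = {}  # username -> timestamp when the block lifts

    def _retention_expired(self, user: str, now: float) -> bool:
        # The count is discarded once <Z> hours pass after the last unsuccessful login.
        last = self._last_failure.get(user)
        return last is not None and now - last > self.policy.save_attempts_for_hours * 3600

    def failure_count(self, user: str, now: float) -> int:
        if user not in self._count or self._retention_expired(user, now):
            return 0
        return self._count[user]

    def is_blocked(self, user: str, now: float) -> bool:
        until = self._blocked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login. Returns True if this failure triggers a block."""
        if not self.policy.enabled:          # blockMinutes = 0: never block
            return False
        count = self.failure_count(user, now) + 1
        self._count[user] = count
        self._last_failure[user] = now
        if count >= self.policy.max_attempts:
            self._blocked_until[user] = now + self.policy.block_minutes * 60
            self._count[user] = 0            # example's choice: fresh count after a block
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failed-login count."""
        self._count.pop(user, None)
        self._last_failure.pop(user, None)


def scenario(policy: LockoutPolicy = LockoutPolicy()) -> dict:
    """Constructed run: max_attempts failures one second apart, then probes at 60 s and 360 s."""
    throttle = LoginThrottle(policy)
    user = "alice"  # constructed sample username
    blocked_on = None
    for i in range(policy.max_attempts):
        if throttle.record_failure(user, now=float(i)):
            blocked_on = i + 1
    return {
        "blocked_on_attempt": blocked_on,                      # 10 with defaults
        "blocked_at_60s": throttle.is_blocked(user, 60.0),     # inside the 5-minute block
        "blocked_at_360s": throttle.is_blocked(user, 360.0),   # block lifted at 9 s + 300 s
    }


def counter_reset_demo(policy: LockoutPolicy = LockoutPolicy()) -> int:
    """Nine failures, then silence for just over <Z> hours: the tenth failure counts as the first."""
    throttle = LoginThrottle(policy)
    user = "bob"  # constructed sample username
    last = 0.0
    for i in range(policy.max_attempts - 1):
        last = float(i)
        throttle.record_failure(user, now=last)
    later = last + policy.save_attempts_for_hours * 3600 + 1
    throttle.record_failure(user, now=later)
    return throttle.failure_count(user, now=later)


if __name__ == "__main__":
    print(scenario())
    print(scenario(LockoutPolicy(block_minutes=0)))   # blocking disabled
    print(counter_reset_demo())
```

With the defaults the tenth consecutive failure triggers the block, the user is still blocked one minute later, and is free again six minutes after the last failure; with blockMinutes set to 0 no block is ever applied, which is the behaviour the page assigns to that value.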
IP blocking
- Hard-coded: an IP address is blocked after 10 failed login attempts within 5 minutes.
Admin can unblock users by:
- Selecting them on the users page and clicking Unblock Selected Users.
- Unchecking the "Blocked" box (displayed on the user page of a blocked user).
- (If all accounts have been blocked; on-premise only) Specifying the user in config.yml (also used to enable a user and change their password). The password parameter is optional; if none is given, the password is not changed.
HTTP Security Headers
HTTP Strict Transport Security Policy
Enabled in the application YAML. The Strict-Transport-Security response header tells the browser that the app must only be accessed over HTTPS; browsers honor it only when it is received over an HTTPS connection.
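A small validator for the header this setting emits, as an added Python example (not the application's code): it parses a Strict-Transport-Security value per RFC 6797 (case-insensitive directive names, each allowed at most once, max-age mandatory) and reports weaknesses a reviewer would look for. The one-year baseline for max-age, the finding texts and the sample header values are this example's own constructions; the rule that a policy received over plain HTTP is ignored comes from RFC 6797 §8.1.

```python
HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 31536000  # seconds; this example's minimum for a "strong" max-age


def parse_hsts(value: str) -> dict:
    """Parse an STS header value; raises ValueError if the value is not valid per RFC 6797."""
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        val = val.strip().strip('"')          # values may be quoted strings
        if name in directives:                # a directive must not appear more than once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not directives["max-age"].isdigit():
        raise ValueError("max-age must be a non-negative integer")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_hsts(headers: dict, over_https: bool = True) -> list:
    """Return findings for a response's STS header; an empty list means no issues found."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER.lower()), None)
    if value is None:
        return [f"{HSTS_HEADER} header missing"]
    findings = []
    if not over_https:
        findings.append("header delivered over plain HTTP is ignored by browsers (RFC 6797 §8.1)")
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        return findings + [f"malformed header: {exc}"]
    if parsed["max_age"] == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is below the one-year baseline")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    if parsed["preload"] and not (parsed["include_subdomains"] and parsed["max_age"] >= ONE_YEAR):
        findings.append("preload requires includeSubDomains and a max-age of at least one year")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real deployment.
    samples = [
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        {"strict-transport-security": "max-age=0"},
        {"Strict-Transport-Security": "includeSubDomains"},
        {},
    ]
    for headers in samples:
        print(headers, "->", assess_hsts(headers) or "OK")
```

Header names are matched case-insensitively because HTTP header field names are; the check is deliberately conservative and reports a weak value rather than rejecting it, since max-age=0 is a legitimate way to withdraw a policy.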