Differences

This shows you the differences between two versions of the page.

documentation:2.1:security [2019/05/13 09:24]
cmaudoux [Configure security settings]
documentation:2.1:security [2019/07/02 22:40] (current)
cmaudoux [Configure security settings]
Line 51: Line 51:
  
 LLNG portal now embeds the following features: LLNG portal now embeds the following features:
-  * [[https://​en.wikipedia.org/​wiki/​Cross-site_request_forgery|CSRF]] protection //​(Cross-Site Request Forgery)//: a token is build for each form. To disable it, set '​​require Token for forms' ​to Off //(portal security parameters in the manager)//. Token timeout can be defined via manager (default to 120 seconds), +  * [[https://​en.wikipedia.org/​wiki/​Cross-site_request_forgery|CSRF]] protection //​(Cross-Site Request Forgery)//: a token is build for each form. To disable it, set '​​require Token for forms' ​to Off //(portal security parameters in the manager)//. Token timeout can be defined via manager (default to 120 seconds) 
-  * [[https://​en.wikipedia.org/​wiki/​Content_Security_Policy|Content-Security-Policy]] header: portal builds dynamically this header. You can modify default values in the manager //(Général ​parameters » Advanced parameters » Security » Content-Security-Policy)//​. +  * [[https://​en.wikipedia.org/​wiki/​Brute-force_attack|Brute-force attack]] protection: after some failed loginsuser must wait before re-try to log into Portal 
-  * [[https://​en.wikipedia.org/​wiki/​Brute-force_attack|Brute-force attack]] protectionafter some failed loginsuser must wait before re-try to log into Portal.+  * [[https://​en.wikipedia.org/​wiki/​Content_Security_Policy|Content-Security-Policy]] header: portal builds dynamically this header. You can modify default values in the manager //(General ​parameters » Advanced parameters » Security » Content-Security-Policy)//​ 
 +  * [[https://​en.wikipedia.org/​wiki/​Cross-origin_resource_sharing|Cross-Origin Resource Sharing]] headersCORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin imagesstylesheets,​ scripts, iframes, and videos. Certain "cross-domain"​ requests, notably Ajax requests, are forbidden by default by the same-origin security policyYou can modify default values in the manager //(General parameters » Advanced parameters » Security » Cross-Origin Resource Sharing)//
  
 <note important>​ <note important>​
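Review bot: the new Cross-Origin Resource Sharing bullet explains what CORS is (the wording follows the linked Wikipedia article) but never states what the portal actually emits by default, which is the one fact an administrator reading a security page needs; add a sentence naming the default Access-Control-Allow-Origin value the portal builds, or saying that the headers are only sent once configured, and point to the parameter description further down the page. The reorder also carries two pre-existing wording errors into the right-hand column: "a token is build for each form" should read "built", and "after some failed logins user must wait before re-try to log into Portal" should read "after several failed logins the user must wait before retrying". Moving the brute-force item above the CSP item is fine, but the parameter list at line 153 keeps the old order (CSP before brute-force protection), so the two lists no longer match.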
Line 153: Line 154:
   * **Username control**: Regular expression used to check user login syntax.   * **Username control**: Regular expression used to check user login syntax.
   * **Force authentication**:​ set to '​On'​ to force authentication when user connects to portal, even if he has a valid session.   * **Force authentication**:​ set to '​On'​ to force authentication when user connects to portal, even if he has a valid session.
-  * **Force authentication interval**: time interval (in seconds) when authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances,​ you can increase this value.+  * **Force authentication interval**: time interval (in seconds) when an authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances,​ you can increase this value.
   * **Encryption key**: key used to crypt some data, should not be known by other applications   * **Encryption key**: key used to crypt some data, should not be known by other applications
-  * **Trusted domains**: domains on which the user can be redirected after login on portal. ​Set '​*'​ to accept all.+  * **Trusted domains**: domains on which the user can be redirected after login on portal. 
 +    * Example: ​''​myapp.example.com .subdomain.example.com''​ 
 +    ​* ''​*''​ allows redirections ​to any external domain (DANGEROUS)
   * **Use Safe jail**: set to '​Off'​ to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.   * **Use Safe jail**: set to '​Off'​ to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.
   * **Check XSS Attacks**: Set to '​Off'​ to disable XSS checks. XSS checks will still be done with warning in logs, but this will not prevent the process to continue.   * **Check XSS Attacks**: Set to '​Off'​ to disable XSS checks. XSS checks will still be done with warning in logs, but this will not prevent the process to continue.
   * **Brute-Force Attack protection**:​ set to '​On'​ to enable it. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds, making it easy for an attacker to beat a password-based authentication system.   * **Brute-Force Attack protection**:​ set to '​On'​ to enable it. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds, making it easy for an attacker to beat a password-based authentication system.
-  * **LWP::​UserAgent and SSL options**: insert here options to pass to LWP::​UserAgent object (used by SAML or OpenID-Connect to query partners). Example: ''​verify_hostname => 0'',​ ''​SSL_verify_mode => 0''​ 
-  * **Content Security Policy**: ​ Portal builds dynamically this header. You can modify default values. Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn'​t block the redirects whereas Chrome does). Administrators may have to modify formAction value with wildcard likes *. 
   * **Required token for forms**: To prevent CSRF attack, a token is build for each form. To disable it, set this parameter to '​Off'​ or set a special rule   * **Required token for forms**: To prevent CSRF attack, a token is build for each form. To disable it, set this parameter to '​Off'​ or set a special rule
   * **Form timeout**: Form token timeout (default to 120 seconds)   * **Form timeout**: Form token timeout (default to 120 seconds)
   * **Use global storage**: Local cache is used by default for one time tokens. To use global storage, set it to '​On'​   * **Use global storage**: Local cache is used by default for one time tokens. To use global storage, set it to '​On'​
 +  * **LWP::​UserAgent and SSL options**: insert here options to pass to LWP::​UserAgent object (used by SAML or OpenID-Connect to query partners). Example: ''​verify_hostname => 0'',​ ''​SSL_verify_mode => 0''​
 +  * **Content Security Policy**: ​ Portal builds dynamically this header. You can modify default values. Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn'​t block the redirects whereas Chrome does). Administrators may have to modify ''​formAction''​ value with wildcard likes *.
 +  * **Cross-Origin Resource Sharing**: ​ Portal builds those headers. You can modify default values. Administrators may have to modify ''​Access-Control-Allow-Origin''​ value with ' '.
  
 <note important>​If URLs are protected with AuthBasic handler, you have to disable CSRF token by setting a special rule based on callers IP address like this : <note important>​If URLs are protected with AuthBasic handler, you have to disable CSRF token by setting a special rule based on callers IP address like this :
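Review bot: the new Cross-Origin Resource Sharing parameter ends with "modify Access-Control-Allow-Origin value with ' '", which reads as a dropped character; by analogy with the formAction sentence just above it the intended value is presumably the wildcard "*", and if so the line needs the same warning the rewritten Trusted domains entry now carries: "Access-Control-Allow-Origin: *" lets any site read the response, and browsers refuse it in combination with "Access-Control-Allow-Credentials: true", so an explicit origin list is the safe setting and the wildcard should be labelled the way "*" is labelled for Trusted domains. The Trusted domains change itself is the right direction (an example plus a DANGEROUS label instead of "Set '*' to accept all"), but the example "myapp.example.com .subdomain.example.com" should say what the leading dot means (match any host under that domain), since a too-broad suffix is exactly how an open redirect slips through this check. The LWP::UserAgent example "verify_hostname => 0", "SSL_verify_mode => 0" was moved, not fixed: shown without comment it reads as a recommended value, yet it disables certificate validation for the SAML and OpenID Connect partner requests; mark it as a debugging-only setting. Minor: the rewritten Force authentication interval line still says "prevent to loose the current authentication", which should be "prevent losing the current authentication".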