3.3 Configuring Security Settings

Self Service Password Reset provides a number of security settings that protect the user information and passwords it manages. Because Self Service Password Reset handles your users’ credentials, ensure that you configure these settings.

3.3.1 Configuring Security for the Application

The following settings help increase the security for Self Service Password Reset.

To configure the security settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Security > Application.

  5. Configure the following settings:

    Security Key

    The system uses a security key for tokens and other crypto functions. This setting is applicable if you have configured Crypto Token Storage Method.

    You must set a random security value for the tokens to function.

    Select Set Password to configure the value. This value must be at least 32 characters. The longer and more random this value is, the more secure it is. If multiple instances are in use, configure each instance with the same value.

    Enable Reverse DNS

    If you enable this option, the system performs a reverse DNS lookup to record the hostname of the client. In some cases this can cause performance issues, so you can disable it if it is not required.

    Show Detailed Error Message

    Select this option to show detailed error messages. This setting is useful for administrators, especially during configuration.

    Maximum Session Duration

    The maximum duration of a session (in seconds). Having a maximum session lifetime prevents certain types of long-term session fixation attacks.

  6. In the toolbar, click Save changes.

3.3.2 Configuring Web Security

Use the following settings to help increase the security of web communications.

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Security > Web Security.

  5. Configure the following settings:

    Enable Back Button Detection

    Select this option to detect the use of the back button or other browser navigation irregularities. This option prevents duplicate HTTP form submissions.

    Enable Form Nonce

    Select this option to require a form nonce (a unique key) for each form in Self Service Password Reset to prevent certain types of cross-site scripting (XSS) attacks.

    Sticky Session Verification

    If you enable this option, browser sessions are verified using an HTTP redirect and a verification code. This verification proves that the browser can correctly establish a session with the server: that the browser supports either cookies or URL sessions (if enabled), and that the communication channel between the browser and the application server is 'sticky' when there are multiple server instances. Additionally, it helps prevent some types of XSS attacks.

    During verification, the pre-load browser cache shows a “please wait” screen to the user. This has the added benefit that many of the HTTP resources (JavaScript, CSS, images, and so forth) are “pre-cached” by the browser before any actual pages are loaded.

    Disallowed HTTP Inputs

    Specify the disallowed input patterns. If any input value (on any HTTP parameter) matches one of these patterns, the matching portion is stripped from the input.
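    As an added example, not code from the product, the following Python shows how pattern-based stripping of HTTP inputs behaves, assuming the patterns are regular expressions applied to every parameter value; the pattern list and the request parameters are constructed for illustration. It strips repeatedly until the value stops changing, because removing one match can splice the surrounding characters into a new match that a single pass would leave behind.

```python
import re

# Constructed sample patterns for illustration; they are not the product's defaults.
DISALLOWED_INPUT_PATTERNS = [
    re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE),  # opening or closing script tags
    re.compile(r"javascript:", re.IGNORECASE),            # javascript: URL scheme
]


def strip_disallowed(value, patterns=DISALLOWED_INPUT_PATTERNS, max_passes=5):
    """Remove every portion of `value` that matches one of `patterns`.

    Stripping is repeated until the value is stable: deleting one match can
    join the characters on either side of it into a new match, so a single
    pass is not enough. `max_passes` bounds the work on hostile input.
    """
    for _ in range(max_passes):
        stripped = value
        for pattern in patterns:
            stripped = pattern.sub("", stripped)
        if stripped == value:
            return value
        value = stripped
    return value


def sanitize_params(params, patterns=DISALLOWED_INPUT_PATTERNS):
    """Apply strip_disallowed to every value of every HTTP parameter.

    `params` maps parameter name -> list of values, as a parsed query string
    or form body would.
    """
    return {name: [strip_disallowed(v, patterns) for v in values]
            for name, values in params.items()}


if __name__ == "__main__":
    # Constructed request parameters.
    sample = {"username": ["alice"], "note": ["see <script>x</script> here"]}
    print(sanitize_params(sample))
```

    Stripping silently alters input rather than rejecting it, so log what was removed if you need to investigate why a value arrived in a different form from what the user submitted.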

    Require HTTPS

    Enable this option to require HTTPS (instead of cleartext HTTP) traffic to the Self Service Password Reset server. While non-secure connections are useful during testing, production servers must always have this setting enabled. By default, this setting is disabled to simplify the configuration of Self Service Password Reset.

    Use X-Forwarded-For Header

    Use the X-Forwarded-For HTTP header value as the client IP address instead of the source IP address of the HTTP connection. The X-Forwarded-For header is typically added by upstream proxies or firewalls and is a reliable way to identify the user's source IP address.

    Allow Roaming Source Network Address

    Select this check box to allow a single HTTP session to be accessed from different source IP addresses. Some load balancing and proxy network infrastructures need this setting, but in most cases, you must deselect this option.

    Required HTTP Headers

    Specify the required HTTP header name and value pairs. If specified, any HTTP request sent to the server must have these headers. This feature is useful if you have a security gateway and want to allow sessions from the gateway.

    The format of this setting must be name=value.

    Permitted IP Network Addresses

    Specify the IP address ranges from which connections are permitted; only connections that originate from those addresses are accepted. If you do not specify a value, the system permits any source address.
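    The following Python is an added example, not the product's code, that puts the Use X-Forwarded-For Header, Required HTTP Headers and Permitted IP Network Addresses settings together into one request-admission check. The networks, the trusted-proxy list and the name=value header entry are constructed placeholders. One condition is added here that the settings above do not state: X-Forwarded-For is honoured only when the TCP peer is itself a trusted proxy, because any client can send that header directly.

```python
import ipaddress

# Constructed sample configuration; the networks and header are placeholders,
# not values from any real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]      # load balancers
PERMITTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("203.0.113.0/24")]
REQUIRED_HEADER_LINES = ["X-Gateway-Auth=verified"]          # name=value entries


def parse_required_headers(lines):
    """Parse name=value entries into {lower-cased name: value}."""
    required = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"required header entry is not name=value: {line!r}")
        required[name.strip().lower()] = value.strip()
    return required


def client_ip(peer_ip, headers, use_xff, trusted_proxies):
    """Decide which address counts as the client's source address.

    `headers` has lower-cased names. With use_xff off, the TCP peer address is
    used. With it on, X-Forwarded-For is honoured only when the TCP peer is a
    trusted proxy (a condition added in this example). The header is read
    right to left, skipping trusted proxy hops, because the rightmost entries
    were appended by our own proxies and the leftmost by whoever sent the
    request.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not use_xff or not any(peer in net for net in trusted_proxies):
        return peer
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the connection address
        if not any(addr in net for net in trusted_proxies):
            return addr
    return peer


def admit_request(peer_ip, headers, *, use_xff=True,
                  trusted_proxies=TRUSTED_PROXIES,
                  permitted_networks=PERMITTED_NETWORKS,
                  required_headers=None):
    """Return (admitted, reason) for one request.

    An empty permitted_networks list permits any source address, matching
    the documented behaviour of Permitted IP Network Addresses.
    """
    if required_headers is None:
        required_headers = parse_required_headers(REQUIRED_HEADER_LINES)
    hdrs = {name.lower(): value for name, value in headers.items()}
    for name, value in required_headers.items():
        if hdrs.get(name) != value:
            return False, f"required header {name} missing or wrong"
    ip = client_ip(peer_ip, hdrs, use_xff, trusted_proxies)
    if permitted_networks and not any(ip in net for net in permitted_networks):
        return False, f"source {ip} is not in a permitted network"
    return True, f"client {ip} admitted"


if __name__ == "__main__":
    # Constructed request: arrives via a trusted proxy with a forwarded chain.
    print(admit_request("10.1.2.3", {"X-Forwarded-For": "192.168.5.5, 10.0.0.9",
                                     "X-Gateway-Auth": "verified"}))
```

    The required-header check runs before the address check, so a request that bypasses the gateway is refused regardless of where it came from; the reason string is what you would write to the audit log.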

    Page Leave Notice Timeout

    When a user navigates away from any page, the server receives a notice. The next time the user requests a page, the system checks whether the time since that page-leave notice exceeds the timeout and, if so, invalidates the user's session. This has the effect of logging out users who navigate away from the application without explicitly logging out. Specify 0 to disable this feature.

    Prevent HTML Framing

    Select this option to prevent other applications from displaying Self Service Password Reset inside an inline frame (iframe): the application's iframe no longer loads Self Service Password Reset.

    Deselect this option to allow users to view Self Service Password Reset in an inline frame of any application whose HTML source includes the iframe.

    Redirect Whitelist

    Specify the list of URL fragments that are allowed for URL forwarding. In an application, you can provide a link that redirects the user to a particular web page whose URL fragment is defined in the whitelist. URL forwarding follows these criteria:

    • The forwarding URL from a web page must match the complete URL fragment that is listed in the whitelist.

    • The forwarding URL is decoded and processed before it is matched against the whitelist.

    • The forwarding URL must have the fragment with the same spelling, wildcards, and case, as it is mentioned in the URL fragments listed in the whitelist.

    • If a fragment has the prefix regex, the remaining part of the fragment is treated as a regular expression and it must match the entire URL.
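    The four criteria above, carried through as an added Python example that is not the product's own implementation. The whitelist entries and hostnames are constructed placeholders, and the colon after the regex prefix is an assumption of this example; the text only names the prefix. Decoding is repeated until the value stops changing, which goes slightly beyond the single decode the criteria mention, so that a double-encoded URL is compared in its final form.

```python
import re
from urllib.parse import unquote

# Constructed sample whitelist; the hostnames are placeholders. A plain entry
# must equal the decoded forwarding URL exactly (spelling and case). An entry
# carrying the regex prefix is a regular expression that must match the whole
# URL. The colon after "regex" is an assumption of this example.
REGEX_PREFIX = "regex:"
REDIRECT_WHITELIST = [
    "https://portal.example.com/home",
    r"regex:https://[a-z0-9-]+\.example\.com/app/[a-z0-9/_-]*",
]


def decode_forwarding_url(url, max_rounds=3):
    """Percent-decode the URL before matching, as the criteria describe.

    Decoding is repeated until the value stops changing so that a
    double-encoded URL is compared in its final form rather than in an
    encoded disguise; the bound keeps the loop finite.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_allowed_redirect(url, whitelist=REDIRECT_WHITELIST):
    """Return True if the forwarding URL satisfies one whitelist entry."""
    candidate = decode_forwarding_url(url)
    for entry in whitelist:
        if entry.startswith(REGEX_PREFIX):
            # re.fullmatch anchors both ends, so a pattern found somewhere
            # inside a longer URL is not enough: the whole URL must match.
            if re.fullmatch(entry[len(REGEX_PREFIX):], candidate):
                return True
        elif entry == candidate:   # exact, case-sensitive comparison
            return True
    return False


if __name__ == "__main__":
    for sample in ("https://portal.example.com/home",
                   "https://hr.example.com/app/start",
                   "https://hr.example.com/app/start?next=x"):
        print(sample, "->", is_allowed_redirect(sample))
```

    Keeping the regular expressions anchored and their character classes narrow is what makes the entry a whitelist: an entry ending in `.*` would accept any query string or path appended to the permitted prefix.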

    HTTP Content Security Policy Header

    Set the HTTP Content-Security-Policy header. This header instructs the browser to limit the locations from which it loads fonts, scripts, and CSS files.
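    An added Python example, not the product's code, showing a restrictive policy value of the kind this setting expects, together with a small checker you can run over a policy before saving it. The directive map is constructed for illustration; the checker reports the source expressions that make a script, style or font directive permissive, the absence of a default-src fallback, and the absence of frame-ancestors, which is the CSP counterpart of the Prevent HTML Framing setting.

```python
# Constructed restrictive policy for illustration (not the product's default).
# 'self' limits each resource type to the application's own origin;
# frame-ancestors 'none' is the CSP counterpart of Prevent HTML Framing.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "font-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "frame-ancestors": ["'none'"],
}

# Source expressions that make a script/style/font directive permissive.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:"}


def build_csp(directives=CSP_DIRECTIVES):
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_csp(header):
    """Parse a header value back into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header):
    """List weaknesses in a policy before it is saved in the configuration.

    Fetch directives without an explicit entry fall back to default-src, so
    a missing default-src leaves them unrestricted; frame-ancestors has no
    such fallback and is reported separately.
    """
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted resource types are unrestricted")
    for directive in ("script-src", "style-src", "font-src"):
        for source in policy.get(directive, policy.get("default-src", [])):
            if source in WEAK_SOURCES:
                findings.append(f"{directive} allows {source}")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: framing is not restricted by this header")
    return findings


if __name__ == "__main__":
    header = build_csp()
    print(header)
    print("findings:", csp_findings(header) or "none")
```

    Any third-party origin the login pages genuinely load from has to be listed explicitly in the relevant directive; a policy that breaks the page is worse than none, so check the browser console after enabling it.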

  6. In the toolbar, click Save changes.