8.9 Configuring Self Service Password Reset Security Settings

The following sections describe how to configure the Self Service Password Reset (SSPR) Application Security and Web Security settings.

8.9.1 Configuring Application Security

To configure Application security:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Security > Application Security.

  5. Configure the following Application Security settings:


    Security Key

    Specify a Security Key used for cryptographic functions such as token verification. SSPR requires a value if you enabled tokens for any of the modules and configured a token storage method. SSPR uses this value in the same way that a cryptographic certificate uses its private key.

    If configured, this value must be at least 32 characters in length. The longer and more random this value is, the more secure its uses are. If multiple SSPR instances are in use, you must configure each instance with the same value.

    Upon initial setup, SSPR assigns a random security key to this value, which you can change at any time. However, any outstanding tokens or other material generated with an old security key become invalid.

    Enable Reverse DNS

    Enable this option to have SSPR perform a reverse DNS lookup to record the hostname of the client. In some cases this might cause performance issues, so you can disable the option if you are not using it.

    Show Detailed Error Messages

    Enable this option to display detailed error messages. Although this information is useful to administrators during configuration, the detail might be confusing and pose a security hazard in some cases. SSPR ignores this setting until you close the Configuration Guide.

    Maximum Session Duration

    Specify the maximum duration of a session, in seconds. Enforcing a maximum session lifetime prevents certain types of long-term session fixation attacks. The default value is 28800 seconds (8 hours).

    Certificate Validation Mode

    Specify how SSPR validates outbound SSL/TLS certificates. Select one of the following validation modes:

    • Entire Certificate Chain

    • Root Certificate Only

  6. In the toolbar, click Save changes.
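As an added illustration of the Security Key setting above (this is not SSPR's own token format, which the page does not describe), the following Python uses the key as an HMAC secret to issue and verify tokens, enforces the 32-character minimum, and shows that a token issued under one key fails verification once the key is changed.

```python
import hashlib
import hmac
import secrets

MIN_KEY_LENGTH = 32  # the minimum length the Security Key setting enforces


def generate_security_key(length=48):
    """Random, URL-safe key, standing in for the key assigned on initial setup (constructed here)."""
    return secrets.token_urlsafe(length)[:length]


def validate_security_key(key):
    """Reject keys shorter than the documented minimum."""
    if len(key) < MIN_KEY_LENGTH:
        raise ValueError(f"security key must be at least {MIN_KEY_LENGTH} characters")
    return key


def issue_token(key, payload):
    """Append an HMAC-SHA256 tag computed with the security key (assumed scheme)."""
    validate_security_key(key)
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(key, token):
    """Return the payload if the tag verifies under this key, else None.

    A token created under an older key fails here, which is the 'outstanding
    tokens become invalid' behaviour described for key changes."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    old_key = generate_security_key()
    token = issue_token(old_key, "reset:alice:1700000000")
    print("verifies under issuing key:", verify_token(old_key, token) is not None)
    new_key = generate_security_key()  # operator changes the Security Key
    print("verifies after key change:", verify_token(new_key, token) is not None)
```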

8.9.2 Configuring Web Security

To configure Web security:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Security > Web Security.

  5. Configure the following Web Security settings:


    Enable Form Nonce

    Enable this option to require a nonce (a unique key) for each form to prevent certain types of cross-site scripting (XSS) attacks.

    Sticky Session Verification

    Enable this option to verify browser sessions using an HTTP redirect and a verification code. This verification confirms that the browser can correctly establish a session with the server and that it supports either cookies or URL sessions (if enabled). When there are multiple server instances, it also confirms that the communication channel between the browser and the application server is 'sticky'. Additionally, it helps prevent some types of XSS attacks.

    During the verification, the browser displays a 'please wait' screen to the user. This has the added benefit that the browser pre-caches many of the HTTP resources (JavaScript, CSS, images, and so forth) before it loads any actual pages.

    Disallowed HTTP Inputs

    Specify the disallowed value patterns. If any input value (on any HTTP parameter) matches one of these patterns, SSPR truncates the matching portion from the input.

    Use X-Forwarded-For Header

    If present, use the X-Forwarded-For HTTP header value as the client IP address instead of the HTTP connection source. Upstream proxies or firewalls typically add X-Forwarded-For headers, and this header might be the only reliable way to identify the user's source IP address.

    Allow Roaming Source Network Address

    Enable this option to allow a single HTTP session to be accessed from different source IP addresses. Some load balancing or proxy infrastructures might require this, but disabling it is recommended in most cases: typical sessions are very short, so there is no practical reason for a user to access the same session from multiple client addresses.

    Required HTTP Headers

    If specified, any HTTP/S request sent to this SSPR application server must include these headers. This feature is helpful if you have an upstream security gateway, proxy, or web server and want to allow sessions only from the gateway, denying direct client access to this SSPR application server.

    Specify the settings in the name = value format. If the upstream security gateway, proxy, or web server is not configured to send these name/value headers, you will no longer be able to access this SSPR application server.

    NOTE: If the client you are using to access this server does not set the configured headers, this SSPR server will become inaccessible.

    Permitted IP Network Addresses

    Enable this option to permit connections only from the specified IP address ranges. If disabled (default), SSPR allows any source IP address.

    NOTE: Supported range specifications are:

    • Full IPv4 address, such as 12.34.56.78.

    • Full IPv6 address, such as 2001:18e8:3:171:218:8bff:fe2a:56a4.

    • Partial IPv4 address, such as 12.34 (which matches any IP address starting with 12.34).

    • IPv4 network/netmask, such as 18.25.0.0/255.255.0.0.

    • IPv4 or IPv6 CIDR slash notation, such as 18.25.0.0/16 or 2001:18e8:3:171::/64.
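An added example (not SSPR's own code) of a matcher for the five range forms listed above, written in Python on the standard ipaddress module; it assumes that a partial IPv4 address matches whole leading octets and that a client address which cannot be parsed is denied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OctetPrefix:
    """Partial IPv4 range such as 12.34: matches addresses whose leading octets equal these.

    Assumption: the match is per whole octet, not a raw string prefix."""
    octets: tuple

    def __contains__(self, addr):
        if addr.version != 4:
            return False
        return tuple(addr.packed)[: len(self.octets)] == self.octets


def parse_range(spec):
    """Turn one permitted-range entry into an object that supports `addr in obj`."""
    spec = spec.strip()
    if "/" not in spec and ":" not in spec:
        parts = spec.split(".")
        # Fewer than four dotted parts: a partial IPv4 address.
        if 0 < len(parts) < 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
            return OctetPrefix(tuple(int(p) for p in parts))
    # Full IPv4/IPv6 address (becomes a /32 or /128), IPv4 network/netmask such as
    # 18.25.0.0/255.255.0.0, or CIDR notation. strict=False tolerates host bits in the network.
    return ipaddress.ip_network(spec, strict=False)


def is_permitted(client_ip, permitted_specs):
    """True if client_ip lies inside any configured range; unparsable client addresses are denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # ipaddress returns False for a version mismatch (IPv4 address against an IPv6 network).
    return any(addr in parse_range(spec) for spec in permitted_specs)


if __name__ == "__main__":
    # Constructed configuration using the forms documented above.
    permitted = ["12.34.56.78", "2001:18e8:3:171:218:8bff:fe2a:56a4", "12.34",
                 "18.25.0.0/255.255.0.0", "2001:18e8:3:171::/64"]
    for ip in ("12.34.99.1", "18.25.7.7", "18.26.0.1", "2001:18e8:3:172::1"):
        print(ip, "->", "permitted" if is_permitted(ip, permitted) else "denied")
```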

    Page Leave Notice Timeout

    Specify a timeout period used to detect that a user has navigated away from a page. When the user leaves any page, the browser sends a notice to the server. The next time the browser requests a page, SSPR checks whether the time since the last page leave exceeds the timeout, and if so, it invalidates the user's session. This has the effect of logging out users who navigate away from SSPR without explicitly logging out. Setting the time limit to 0 disables this feature.

    Prevent HTML Framing

    Enable this option to prevent browsers from displaying SSPR inside an iframe. SSPR does this by setting the X-Frame-Options HTTP header to DENY on all pages.

    Redirect Whitelist

    Specify a list of partial URL fragments. Any attempt to set the forward URL or logout URL via request parameter must match a URL fragment listed here:

    • SSPR attempts to match each item from the beginning of the requested URL string.

    • SSPR decodes and parses the redirect URL before checking it against the whitelist.

    • If an error occurs when setting a redirect URL, set the debug logs to TRACE and watch the output as the error occurs.

    • SSPR does not permit wildcards or case mismatches, and the values must match exactly.

    • If a fragment has the prefix regex, SSPR treats the remainder of the fragment as a regular expression. Regular expression matches must match the entire URL.
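An added example (not SSPR's own implementation) of the matching rules listed above in Python: the redirect URL is decoded and parsed first, plain fragments must match from the start of the URL with exact case and no wildcards, and a regex entry must match the entire URL. The literal spelling of the regex prefix ("regex:") is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

REGEX_PREFIX = "regex:"  # assumed spelling of the "regex" prefix described above


def normalise_redirect(url):
    """Decode percent-encoding and re-serialise through a URL parser before matching."""
    return urlunsplit(urlsplit(unquote(url)))


def redirect_permitted(url, whitelist):
    """True if the decoded URL starts with a listed fragment or fully matches a regex entry.

    Matching is exact: no wildcards and no case folding, as documented above."""
    try:
        target = normalise_redirect(url)
    except ValueError:
        return False  # unparsable URL: fail closed
    for entry in whitelist:
        if entry.startswith(REGEX_PREFIX):
            if re.fullmatch(entry[len(REGEX_PREFIX):], target):
                return True
        elif target.startswith(entry):
            return True
    return False


if __name__ == "__main__":
    # Constructed whitelist: one prefix fragment and one regex entry.
    whitelist = ["https://intranet.example.com/portal/",
                 r"regex:https://app[0-9]+\.example\.com/.*"]
    for candidate in ("https://intranet.example.com/portal/home",
                      "https%3A%2F%2Fintranet.example.com%2Fportal%2Fhome",
                      "https://INTRANET.example.com/portal/home",
                      "https://intranet.example.com.evil.test/portal/",
                      "https://app12.example.com/login"):
        print(candidate, "->", "allowed" if redirect_permitted(candidate, whitelist) else "rejected")
```

Because a fragment is matched from the beginning of the string, a fragment that ends at the host name also matches a longer look-alike host such as intranet.example.com.evil.test; ending each fragment with the path separator avoids that.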

    HTTP Content Security Policy Header

    Set the HTTP Content-Security-Policy header. This header instructs the browser to limit the locations from which it loads fonts, scripts, and CSS files.

    If you need a more restrictive CSP (Content Security Policy), edit the default CSP by clicking the Edit icon and changing the policy.

    Following is a suggested CSP with more security:

    default-src 'self'; style-src 'self' 'unsafe-inline';
    script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-%NONCE%';
    frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; base-uri 'self';

    HTTP Strict Transport Security

    Set the HTTP Strict-Transport-Security header. This header instructs the browser to use only HTTPS to access the website.

    Following is the default configuration:

    max-age=600; includeSubDomains

  6. In the toolbar, click Save changes.