Security options in Continuum CMS
Several security features are provided in Continuum CMS to enable you to make your environment more secure.
Trusted IP addresses
Prevent users from logging into Continuum CMS from their home computer by setting their access privileges to only allow logins from trusted IP addresses. You will need to set
true and populate
TRUSTED_IP_ADDRESSES with a comma separated list of trusted IP addresses to make the feature available. You can then select whether a user is only allowed to access from the trusted IP range, or external to your organization by enabling the feature on a user's profile.
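The decision described above, as an added illustration rather than Continuum CMS's own code: it parses a constructed TRUSTED_IP_ADDRESSES value and applies the per-user "trusted range only" flag. Accepting CIDR ranges as well as single addresses is an assumption made for this example.

```python
import ipaddress

# Constructed example value; the page only specifies a comma separated list of
# trusted IP addresses. CIDR ranges are accepted here as an assumption.
TRUSTED_IP_ADDRESSES = "203.0.113.10, 198.51.100.0/24,2001:db8::/32"


def parse_trusted_networks(value):
    """Turn the comma separated constant into ip_network objects.

    Blank entries are skipped. A malformed entry raises ValueError so that a
    typo in the constant fails loudly instead of silently shrinking the list.
    """
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=False lets "198.51.100.5/24" mean the enclosing /24.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def login_allowed(client_ip, trusted_only, networks):
    """Decide whether a login from client_ip is permitted.

    trusted_only mirrors the per-user profile setting: True means the user may
    only log in from the trusted range, False means external access is allowed.
    client_ip should be the address of the actual connection; an
    X-Forwarded-For header is only usable if a trusted proxy sets it.
    """
    if not trusted_only:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(addr in net for net in networks)
```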
Prevent concurrent logins
You can configure Continuum CMS so that only one session can exist for a particular user at any one time. This prevents an attacker from logging into an account from a different machine while the user is active. To enable this feature, set
To enable this feature for public users, set
Prevent brute force attacks
If an attacker is able to access a login page multiple times with automated software, they can use username enumeration to discover valid access credentials on your system. You can mitigate this risk by limiting the rate at which a user can repeatedly request and submit the login page with incorrect details.
reCAPTCHA is used to ensure that bots always fail to provide correct details. To enable this feature, navigate to the "Google reCAPTCHA" section in the Utilities > Integrations module and enable reCAPTCHA by entering the appropriate version, public_key and private_key provided by the Google reCAPTCHA site in the fields provided.
Set the constant
true in the set constants page.
Once the integration is enabled and the rate limit constant is set, a user who makes 10 or more invalid login attempts on the Jadu control center is prompted to complete reCAPTCHA on the login screen.
It is good security practice to force users to regularly change their password. Continuum CMS will force users to change their password after a set number of days. The default value is 30 days. This can be configured for your organization by setting the value of
It is good security practice to expire the session when the user is idle for a long time. Continuum CMS has the default session expiry time set to 15 minutes. This can be configured for your organization by setting the value of
It is good practice to prevent admins from reusing old passwords when they have been prompted to change their password after expiry. You can configure the number of old passwords to check for reuse by setting the value of
Password validation policy
Continuum CMS is configured with a standard password validation policy, but this can be made more secure, in line with your internal security policies, by changing
PASSWORD_VALIDATION_PATTERN to a regular expression of your choice. Remember to also update
PASSWORD_VALIDATION_MESSAGE to give your administrators appropriate help when selecting a password.
Force passwords to be changed after being set by another user
A password should only be known by the owner of the credentials. It is therefore good practice to force a password to be changed after the user's account is created. This feature is enabled by default. It can be disabled by setting
Force the site over HTTPS
Continuum CMS can force connections to be made over HTTPS rather than HTTP. Anyone trying to access a page over HTTP will be redirected to the same page over HTTPS. To enable this feature over the entire website, set
true. To enable this feature just for the control center, set
true. The maximum age for Strict-Transport-Security headers is set by
HSTS_MAX_AGE, the default value is 2592000.
It may on occasion be necessary to prevent users from logging into the control center, such as when a patch is being applied. On these occasions you can set
Send a password reset email
To prevent the system generating a new password when a user has forgotten their password, set
true and a link to reset the password will be emailed instead.