FusionAuth forum: topics tagged security

Does FusionAuth support the ES256K header for secp256k1 curve keys?
General Discussion • tags: security, jwt, verification, es256k, secp256k1 • benjamineroommen

0 votes, 1 post, 14 views

      No one has replied

      Email verification security hole?
Q&A • tags: email, verification, security • dan

0 votes, 2 posts, 195 views

      dan

      If you are using email verification, you can check this user state within your own app. (So, don't allow the attacker to access anything until their email address has been verified.)

In version 1.27.0 you can configure a gated login flow when the user is not verified (this is a 'reactor' feature requiring a paid license). This will enforce email verification before we even redirect to your app. You can then also configure FusionAuth to delete users after N number of days if the user has not verified their email address. This can assist with the build-up of accounts that are not actually in use.

      Security and PKCE
Q&A • tags: pkce, security, proxy • dan

0 votes, 2 posts, 424 views

      dan

      Hiya,

      PKCE is great and should be used if supported. This helps prevent authorization code replay attacks, as recommended here: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#page-6

      Using a proxy and storing the access token on server side rather than javascript solves a different set of security concerns. Because access tokens are typically bearer tokens and are not sender constrained, anyone who gets them has access to whatever they grant access to.

      This means that if your javascript has access to the token, so does any other javascript running on your page. If you are comfortable with that (you've audited all the javascript in all the libraries, and their dependencies to ensure that there's no security issues) then storing the access token may be ok.

      Since that level of comfort with javascript libraries is not typical (do you know what is going on in the dependencies of your dependencies? many folks don't), we recommend one of two approaches:

• store the access token server side, and use the session to tie the client to the access token (what our blog posts typically do)
• store the access token in a secure, httponly cookie, so that it is not accessible to javascript, but is sent to any APIs.

That's more fully fleshed out here: https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

      Of course, you alone know your security posture and what you're comfortable with, but that's what we recommend.

      FusionAuth support for old releases
Q&A • tags: security, versions, old releases, releases • dan

0 votes, 2 posts, 186 views

      dan

Officially we don’t require anyone to upgrade. However, generally speaking we don’t back-port patches; this means if you need a fix you’ll have to upgrade to get it. There are a lot of good reasons to keep a security product up to date.

      But when you pay for an edition of FusionAuth that includes support, you can run whatever version you want (more or less).

      What kind of security and attack mitigation features does FusionAuth have?
Q&A • tags: security, mitigation • dan

0 votes, 2 posts, 186 views

      dan

      We have Breached Password Detection (in the paid edition) as well as brute-force login detection.

      We have some other related features on the roadmap for 2020.

      Notification of changes to FusionAuth
Q&A • tags: changes, notification, security • dan

0 votes, 3 posts, 202 views

      dan

      If you'd like APIs to automatically log to the audit log, without additional calls to the Audit Log API, please vote for this issue: https://github.com/FusionAuth/fusionauth-issues/issues/507

      What sort of telemetry can FusionAuth provide for potentially suspicious logins, credential attacks, and other security related events?
Q&A • tags: security, telemetry • dan

0 votes, 4 posts, 264 views

      dan

      This may be useful if what you are trying to extract is in ElasticSearch (user data): https://elastalert.readthedocs.io/en/latest/

      Doesn't help with other aspects of the system, but I believe we have some features planned.

      How can I protect my elasticsearch instances?
Q&A • tags: elastic, elasticsearch, security • dan

0 votes, 2 posts, 276 views

      dan

      There are a few ways to do this.

      This assumes that you are running elasticsearch on a different server than you are running the fusionauth instances. If they are on the same server, you should be fine, as that is the default configuration.

      The first is at the network level, using a firewall or something like security groups on AWS. If you are doing this, you can configure the server that elasticsearch is installed on to accept requests only from the server that FusionAuth is installed on.

      The second is to use basic authentication. That is, set fusionauth-search.servers in the fusionauth.properties file, or the FUSIONAUTH_SEARCH_SERVERS environment variable to include the basic username and password. https://user:password@example.com. And make sure to set up elastic to use basic auth, using whatever authentication source you'd like. (You could even go meta and have elasticsearch auth the user against the fusionauth instance 🙂 ).

      Further discussion here.

      SOLVED How can I protect the FusionAuth admin screens from unauthorized access?
Q&A • tags: admin, ui, security • dan

0 votes, 2 posts, 206 views

      dan

      The way most of our clients handle this is by using proxy redirect rules. For example, if your service is available at https://auth.example.com then you would redirect https://auth.example.com/ to https://example.com to push the user back into the "user" space of your site. This would mean that if you have a FusionAuth admin, they would need to directly access the UI by navigating to https://auth.example.com/admin/.

      If you're already using a load balancer or a similar technology that provides routing rules, these are easy to configure.

      You can also use managed IP locking (limiting access to a certain set of IP addresses), or some other type of HTTP header on the request to limit access to the FusionAuth admin UI to authorized users and treat all other traffic to anything under /admin for end users as an invalid request. These types of solutions are best handled at the network layer or with a proxy.

UNSOLVED Is it safe to give access to the GET /api/jwt/refresh?userId={userId} method?
Q&A • tags: security, jwt • szwejkc

0 votes, 2 posts, 188 views

      dan

      Hiya,

      When you say

      Everybody can see authorization key.

      Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?

      Is there any way to blacklist IPs?
Q&A • tags: networking, security, blacklist, faq • dan

0 votes, 2 posts, 316 views

      dan

      Not currently. We've discussed it and haven't ruled it out.

However, there are so many products, both free and commercial, that do this well.

You can always put a firewall on the server that FusionAuth is running on, or put a proxy in front of it.