By combining these approaches, you can enhance the security of your FusionAuth deployment and mitigate unauthorized access.

By combining these approaches, you can enhance the security of your FusionAuth deployment and mitigate unauthorized access.

I'm not sure what you mean? Are you talking about the JWT generated for a login event?

In version 1.27.0 you can configure a gated login flow when the user is not verified (this is a 'reactor' feature requiring a paid license). This will enforce email verification before we even redirect to your app. You can then also configure FusionAuth to delete users after N number of days if the user has not verified their email address. This can assist with build up of accounts that are not actually in use.

PKCE is great and should be used if supported. This helps prevent authorization code replay attacks, as recommended here: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#page-6

Using a proxy and storing the access token on server side rather than javascript solves a different set of security concerns. Because access tokens are typically bearer tokens and are not sender constrained, anyone who gets them has access to whatever they grant access to.

This means that if your javascript has access to the token, so does any other javascript running on your page. If you are comfortable with that (you've audited all the javascript in all the libraries, and their dependencies to ensure that there's no security issues) then storing the access token may be ok.

Since that level of comfort with javascript libraries is not typical (do you know what is going on in the dependencies of your dependencies? many folks don't), we recommend one of two approaches:

Of course, you alone know your security posture and what you're comfortable with, but that's what we recommend.

But when you pay for an edition of FusionAuth that includes support, you can run whatever version you want (more or less).

We have some other related features on the roadmap for 2020.

Doesn't help with other aspects of the system, but I believe we have some features planned.

This assumes that you are running elasticsearch on a different server than you are running the fusionauth instances. If they are on the same server, you should be fine, as that is the default configuration.

The first is at the network level, using a firewall or something like security groups on AWS. If you are doing this, you can configure the server that elasticsearch is installed on to accept requests only from the server that FusionAuth is installed on.

The second is to use basic authentication. That is, set fusionauth-search.servers in the fusionauth.properties file, or the FUSIONAUTH_SEARCH_SERVERS environment variable to include the basic username and password. https://user:password@example.com. And make sure to set up elastic to use basic auth, using whatever authentication source you'd like. (You could even go meta and have elasticsearch auth the user against the fusionauth instance 🙂 ).

Further discussion here.

If you're already using a load balancer or a similar technology that provides routing rules, these are easy to configure.

You can also use managed IP locking (limiting access to a certain set of IP addresses), or some other type of HTTP header on the request to limit access to the FusionAuth admin UI to authorized users and treat all other traffic to anything under /admin for end users as an invalid request. These types of solutions are best handled at the network layer or with a proxy.

When you say

Everybody can see authorization key.

Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?

However there are so many products, both free and commercial, that do this well.

You can always put a firewall on the server that FusionAuth is running or put a proxy in front of it.