# Security Checklist

Use the following list to ensure your organizations are secure in a production environment.
## Authentication

To ensure that authentication is properly configured in your organizations:

- (Recommended) Configure strong authentication for Asgardeo administrator users.
- Configure strong authentication for your business applications based on each application's sensitivity.
## Account Security

To ensure that accounts are securely configured in your organizations:

- Enable account lock to prevent brute-force attacks.
- When updating email templates, follow best practices related to HTML.
- Disable preview features provided by Asgardeo.
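The account-lock item above is the one control on this list that has a recognisable failure mode: if the lock is evaluated after the password check, a locked account still leaks whether a guess was right. The following added example (not Asgardeo's implementation; the threshold, window and lock duration are assumed policy values, and the credential store is constructed for the demo) shows a lockout policy that checks the lock before verifying the password, counts failures in a sliding window, and clears the counter on success or when the lock expires.

```python
"""Account lock against brute force (added example, not Asgardeo code).

Assumed policy: lock after MAX_FAILURES failed attempts inside a sliding
window of WINDOW_SECONDS; the lock lasts LOCK_SECONDS and then resets.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILURES = 5      # assumed policy value
WINDOW_SECONDS = 300  # assumed policy value
LOCK_SECONDS = 900    # assumed policy value

# Constructed credential store: username -> (salt, PBKDF2 hash of password)
_SALT = b"constructed-demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def _verify_password(username: str, password: str) -> bool:
    """Constant-time compare against the constructed store; unknown users fail."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: Optional[float] = None


class AccountLockPolicy:
    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        """True while the lock is active; an expired lock is cleared here."""
        st = self._state(username)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, username: str, now: float) -> bool:
        """Record a failed attempt; returns True if the account is now locked."""
        st = self._state(username)
        # Keep only failures inside the sliding window, then add this one.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCK_SECONDS
            return True
        return False

    def authenticate(self, username: str, password: str, now: float) -> str:
        """Returns "locked", "ok" or "invalid".

        The lock is checked BEFORE the password so a locked account gives
        the same answer to right and wrong guesses.
        """
        if self.is_locked(username, now):
            return "locked"
        if _verify_password(username, password):
            self._state(username).failures.clear()
            return "ok"
        return "locked" if self.record_failure(username, now) else "invalid"


if __name__ == "__main__":
    policy = AccountLockPolicy()
    for t in range(6):
        print(t, policy.authenticate("alice", "wrong guess", float(t)))
    print("after lock, correct password:", policy.authenticate("alice", "correct horse", 6.0))
    print("after lock expiry:", policy.authenticate("alice", "correct horse", 4.0 + LOCK_SECONDS))
```

The `record_failure` window prune is what keeps a slow, spread-out guessing pattern from being ignored while still letting a legitimate user who mistypes twice a day never hit the lock.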
## Application and connection security

To ensure that applications and connections are securely configured in your organizations:

- Securely store secrets and allow only authorized users to access them. The secrets that should be secured are:
    - OIDC client secret
    - IdP-related secrets
    - User store agent secret
- Manage and maintain certificates (IdPs and applications):
    - Key length
    - Expiry time
    - Revocation
    - Renewal
    - Different certificates for different use cases
- Configure the expiry time of the following based on business requirements:
    - Access token
    - Refresh token
    - ID token
    - Email OTP
- When requesting access tokens, request only the scopes required for the specific task, following the principle of least privilege.
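The last two items (token expiry and least-privilege scopes) are policy on the issuing side, but a resource server can enforce the same policy on every token it receives. The following added example is not Asgardeo code: it assumes an HS256-signed JWT with a shared key (Asgardeo's actual signing algorithm and key handling are not described on this page), a constructed `mint_token` helper to produce test tokens, and a hypothetical policy of a maximum token lifetime plus an allow-list of scopes for the endpoint. It verifies the signature, rejects expired tokens, rejects tokens whose `exp - iat` exceeds the policy lifetime, and rejects tokens carrying scopes beyond what the task needs.

```python
"""Resource-side checks for access-token lifetime and least-privilege scopes
(added example; HS256 with a shared key is an assumption for the demo)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed issuer for the demo: builds an HS256 JWT from claims."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(
    token: str,
    key: bytes,
    allowed_scopes: Iterable[str],
    max_lifetime: int,
    now: Optional[float] = None,
) -> Tuple[bool, str]:
    """Returns (ok, reason). Signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    # Always verify with HS256 and our key; the header's alg is never used
    # to pick the algorithm, which is what makes alg-confusion a non-issue.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    # Policy check from the checklist: the token's lifetime must fit the
    # business requirement, even if the signature is valid.
    if isinstance(iat, (int, float)) and exp - iat > max_lifetime:
        return False, "lifetime exceeds policy"
    # Least privilege: every granted scope must be one this task allows.
    granted = set(claims.get("scope", "").split())
    excess = granted - set(allowed_scopes)
    if excess:
        return False, "scope exceeds least privilege: " + " ".join(sorted(excess))
    return True, "ok"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed, not a real secret
    tok = mint_token({"sub": "svc", "iat": 1000, "exp": 1600, "scope": "orders:read"}, demo_key)
    print(validate_access_token(tok, demo_key, {"orders:read"}, 3600, now=1200))
    wide = mint_token({"sub": "svc", "iat": 1000, "exp": 1600, "scope": "orders:read orders:write"}, demo_key)
    print(validate_access_token(wide, demo_key, {"orders:read"}, 3600, now=1200))
```

Pass `now` explicitly in tests so the expiry check is deterministic; in production leave it unset. The `allowed_scopes` set is per task, not per client, so a token that is valid for one endpoint can still be rejected at another that needs less.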