Tag
Support: Protection
All support articles tagged with Protection.

Security Best Practices for Authoh

SecurityRecommendationsSecurityBest PracticesProtection

Security Best Practices for Authoh

Proper security configuration is essential for protecting your authentication infrastructure and user data. This guide covers recommended security practices for your Authoh implementation.

Account Security

Enable Multi-Factor Authentication (MFA)

Require MFA for all administrators and team members:

  1. Go to Dashboard > Organization > Security
  2. Enable Require MFA for all organization members
  3. Choose which MFA methods to allow:
    • Authenticator apps (recommended)
    • SMS verification
    • Email codes
    • WebAuthn/security keys (most secure)

Implement Strong Password Policies

Enforce strong passwords for your users:

  1. Navigate to Dashboard > Security > Password Policy
  2. Configure the following settings:
    • Minimum password length: 12 characters (recommended)
    • Require uppercase, lowercase, numbers, and special characters
    • Enable dictionary-based weak password detection
    • Set password expiration (if required by your security policy)
    • Prevent password reuse

Manage API Keys Securely

Protect your API keys and secrets:

  1. Use separate API keys for different environments (development, staging, production)
  2. Rotate API keys regularly (at least every 90 days)
  3. Never commit API keys to source code repositories
  4. Use environment variables or secrets management solutions
  5. Enable key rotation notifications

Example secure API key storage:

// INCORRECT - Keys in source code
const authohClient = new AuthohClient({
  clientId: 'abc123456789',
  clientSecret: 'verysecretvalue'
});

// CORRECT - Keys in environment variables
const authohClient = new AuthohClient({
  clientId: process.env.AUTHOH_CLIENT_ID,
  clientSecret: process.env.AUTHOH_CLIENT_SECRET
});

Application Configuration

Enable CORS Protection

Properly configure CORS to prevent cross-site attacks:

  1. Go to Dashboard > Applications > Your App > Settings > CORS
  2. Add specific origins instead of using wildcards
  3. Only allow necessary HTTP methods
  4. Configure appropriate caching directives
// Example of secure CORS configuration
const corsOptions = {
  origin: ['https://yourdomain.com', 'https://app.yourdomain.com'],
  methods: ['GET', 'POST'],
  allowedHeaders: ['Authorization', 'Content-Type'],
  maxAge: 86400
};

Implement Proper Token Handling

Secure your JWT tokens:

  1. Use short expiration times for access tokens (15-60 minutes)
  2. Configure refresh token rotation
  3. Use HttpOnly, secure cookies for web applications
  4. Implement token validation on all protected endpoints

Example secure token storage in a web application:

// INCORRECT - Storing tokens in localStorage
localStorage.setItem('access_token', accessToken);

// CORRECT - Using cookies with proper flags
document.cookie = `access_token=${accessToken}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`;

Configure Callback URLs

Limit redirect URLs to prevent open redirect vulnerabilities:

  1. Go to Dashboard > Applications > Your App > Settings > URLs
  2. Add only specific callback/redirect URLs
  3. Avoid using wildcards or patterns that could be exploited

Infrastructure Security

IP Allowlisting

Restrict dashboard access by IP (for enterprise plans):

  1. Navigate to Dashboard > Organization > Security > Network
  2. Enable IP allowlisting
  3. Add the IP ranges that should have dashboard access
  4. Save your configuration

Regular Security Scanning

Implement regular security checks:

  1. Enable Security Scanning in your dashboard
  2. Schedule automated vulnerability assessments
  3. Review security notifications promptly
  4. Address identified vulnerabilities

Enable Logging and Monitoring

Set up comprehensive logging:

  1. Go to Dashboard > Monitoring > Logs
  2. Configure log retention periods
  3. Enable alert notifications for suspicious activities:
    • Failed login attempts
    • Unusual location logins
    • Admin account changes
    • API key usage from new locations

Data Protection

Protect sensitive user data:

  1. Enable Field Encryption for sensitive user metadata
  2. Configure data retention policies
  3. Implement proper GDPR controls
  4. Use pseudonymization where appropriate

Advanced Security Features

Implement Rate Limiting

Protect against brute force and denial-of-service attacks:

  1. Go to Dashboard > Security > Rate Limiting
  2. Enable rate limiting for login and registration endpoints
  3. Configure appropriate thresholds:
    • Login attempts: 5-10 per minute per IP
    • Registration: 3-5 per hour per IP
    • Password reset: 3 per hour per user/IP
// Example rate limiting configuration
{
  "endpoints": {
    "/api/auth/login": {
      "limit": 5,
      "window": "1m"
    },
    "/api/auth/register": {
      "limit": 3,
      "window": "1h"
    }
  },
  "defaultAction": "block"
}

Implement Brute Force Protection

Prevent automated password guessing:

  1. Navigate to Dashboard > Security > Brute Force Protection
  2. Enable account lockout after consecutive failed attempts
  3. Configure lockout duration and reset conditions
  4. Set up notification alerts for locked accounts

Bot Protection

Protect authentication endpoints from bots:

  1. Go to Dashboard > Security > Bot Protection
  2. Enable CAPTCHA for suspicious login attempts
  3. Configure browser fingerprinting
  4. Enable machine learning-based detection (Enterprise plan)

Security Response Plan

Incident Response

Prepare for security incidents:

  1. Document your incident response plan
  2. Identify team members responsible for security incidents
  3. Configure security alerts to appropriate channels (email, Slack, etc.)
  4. Practice your response plan regularly

User Communication

Plan for security communications:

  1. Prepare email templates for security incidents
  2. Configure your notification settings in Dashboard > Organization > Notifications
  3. Document your process for notifying affected users

Security Contact

Establish security contacts:

  1. Set up a security@ email address for vulnerability reports
  2. Consider implementing a bug bounty program
  3. Designate security contacts in your organization

Compliance Considerations

Regulatory Compliance

Configure necessary compliance settings:

  1. Go to Dashboard > Compliance
  2. Enable applicable regulations:
    • GDPR (European Union)
    • CCPA/CPRA (California)
    • HIPAA (Healthcare - US)
    • SOX (Financial - US)
    • LGPD (Brazil)
  3. Configure data residency settings if needed

Audit Logging

Maintain comprehensive audit logs:

  1. Navigate to Dashboard > Monitoring > Audit Logs
  2. Configure log retention periods according to compliance requirements
  3. Set up log export to your SIEM system if needed
  4. Enable logging for all security-critical events

Regular Security Maintenance

Update Frequently

Keep your Authoh instance updated:

  1. For cloud users: Updates are applied automatically
  2. For self-hosted: Subscribe to security bulletins and apply updates promptly
  3. Review release notes for security-related changes

Regular Security Reviews

Schedule periodic security reviews:

  1. Conduct quarterly reviews of your Authoh security settings
  2. Review user access rights and remove unused accounts
  3. Update security policies based on changing requirements
  4. Consider external security assessments annually

Security Resources

For more information about securing your Authoh implementation:

If you discover a security vulnerability, please report it immediately to security@authoh.com or through our security vulnerability form.

Read more