From 47e3f35138bd056337f80c122a66413b16d069c8 Mon Sep 17 00:00:00 2001 From: Magdalena Dziadosz <35031941+MagdalenaZuba@users.noreply.github.com> Date: Wed, 23 Aug 2023 11:42:24 +0200 Subject: [PATCH] Add timeouts info to security checklist (#2108) - fix --- docs/guide/security_checklist.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/docs/guide/security_checklist.md b/docs/guide/security_checklist.md index 26fdd9a8e4..aaf3d69fdf 100644 --- a/docs/guide/security_checklist.md +++ b/docs/guide/security_checklist.md 
@@ -91,18 +91,12 @@ and any other application-specific secrets. Consider introducing a measure against brute force login attacks, like CAPTCHA. Adjust timeout limits to your needs: When using the "forgot password" feature, a token is created which expires if the user doesn't click the password reset -link that gets mailed to them in time. The time before it expires is set in the parameter -`ibexa.site_access.config.default.security.token_interval_spec`. By nature this feature must be available to users +link that gets mailed to them in time. The time before it expires is set in the configuration parameter +`ezsettings.default.security.token_interval_spec`. By nature this feature must be available to users before they have logged in, including would-be attackers. If an attacker uses this feature with someone else's email address, the attacker does not receive the email. But they could still try to guess the password reset link. That's why this interval should be as short as possible. 5 minutes is often enough. -Ibexa DXP allows you to create and send invitations to create an account in the frontend as a customer, the Back Office -as an employee, or the Corporate Portal as a business partner. You can send invitations to individual users or in -bulk. These invitations time out according to the parameter -`ibexa.site_access.config.default.user_invitation.hash_expiration_time`. This can safely be longer than the "forgot password" time, -since attackers cannot generate invitations. Don't leave it longer than it needs to be, though. - These timeouts are both entered as [PHP DateInterval duration strings](https://www.php.net/manual/en/dateinterval.construct.php). The forgot password feature defaults to "PT1H" (one hour). The account invitation feature defaults to "P7D" (seven days).
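Review bot: Removing the invitation paragraph leaves the last paragraph of the hunk inconsistent: it still says "These timeouts are both entered as PHP DateInterval duration strings" and "The account invitation feature defaults to "P7D" (seven days)", but after this change only the "forgot password" timeout is introduced above it, so "both" and the invitation default now refer to nothing on the page. Either keep a sentence naming the invitation timeout parameter or trim the closing paragraph to the one remaining timeout, e.g. "This timeout is entered as a PHP DateInterval duration string. The forgot password feature defaults to "PT1H" (one hour)." Separately, the parameter name is switched from the `ibexa.site_access.config.default...` namespace to `ezsettings.default...`; please confirm that this matches the product version this checklist documents, since the two prefixes belong to different configuration schemes and the commit message ("fix") does not explain the rename.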