The following series of options in the Security section allow you to either enhance or reduce the security of your Issuetrak site. It is important to note that some of these enhancements may reduce the functionality of the browser, causing potential inconveniences to your users. Additionally, two of these options will result in reduced security and should only be enabled with care.
Want to find out about security as it relates to the deployment of Issuetrak? Read the Security in Issuetrak article instead.
Defining Site Security
To change your system's security options:
- Click the gear icon in the upper right > click on Security beneath System.
- Make the desired selections and then click the Update button.
The following options increase site security:
- Tell browsers not to cache page data was an option in previous versions that was removed in Issuetrak 15.1 and above. See the next bulleted item for how this works in 15.1+. In earlier versions, this option disabled browser caching on data entry pages within Issuetrak, so that sensitive information could not be recovered from the browser cache on a shared workstation or other common access point. The trade-off is potential inconvenience for your users, primarily that the browser's Back button may not return the user to the previously viewed page and may clear the data entry fields on the page they are on.
- Page Data Caching - If you had the option above enabled prior to upgrading to Issuetrak 15.1, then no further action is needed on your part to keep this functionality. But if you did not have this option enabled prior to upgrading to 15.1, you will need to enable a new URL rewrite rule in IIS. The rewrite rule is called "Set Cache-Control Response Header" and it can be found in the Outbound Rules.
- Protect this site from Cross-Site Request Forgery (CSRF) attacks adds additional security layers to your site that help prevent hackers from gaining access to sensitive information and/or executing malicious functions through Cross-Site Request Forgery attacks. This option comes with a number of potential inconveniences for your users, including additional steps that must be taken to perform certain actions:
  - Users will not be able to access any shortcut or direct link to a specific page within your Issuetrak site (such as an Issue record, Project record, KB Article, Report, etc.) unless that link embeds a system-generated Synchronizer Token Pattern token.
  - Users will not be able to access any shortcut or direct link to a specific page within your Issuetrak website that has been copied and pasted directly from a browser's address bar into any other location inside or outside of Issuetrak (such as into another Issue record, Project record, KB Article, personal email message, desktop shortcut, etc.).
  - Users will be required to generate a Safe URL using the (Create Safe URL) function found in the top bar of your Issuetrak interface each time they need to paste a link to a specific page within Issuetrak into any other location inside or outside of Issuetrak.
  - It significantly lengthens the URL displayed in the browser's address bar for every individual page within your Issuetrak site.
  - It significantly increases the number of characters in a Safe link to a specific page within your Issuetrak site, which may exceed the available space or maximum character limit allowed in certain locations inside or outside of Issuetrak.
  For more details on this type of attack, please see OWASP's Cross Site Request Forgery (CSRF) page.
- Prevent Log In screen from displaying when users log out - When toggled on, Issuetrak will display a screen offering users a "Log in again" button when they log out. When toggled off, Issuetrak will display the site's login screen when a user logs out.
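The Page Data Caching item above depends on an IIS outbound rule adding a Cache-Control response header. As a check to run after enabling that rule, here is an added Python example (not Issuetrak's code) that evaluates a set of response headers and reports whether they actually stop a browser from storing the page. The sample responses are constructed for illustration, and the exact header values the "Set Cache-Control Response Header" rule emits are an assumption, not taken from the product.

```python
"""Check whether HTTP response headers prevent browser caching.

Added example (not Issuetrak's code). The sample responses are constructed,
and the header values the IIS rule sets are assumed, not taken from the product.
"""
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control header into {directive: argument}, lower-casing directive names."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def caching_prevented(headers: dict[str, str]) -> bool:
    """Return True if the headers tell the browser not to store the page.

    Accepts the modern directive (Cache-Control: no-store) or the legacy
    combination (Cache-Control: no-cache plus Pragma: no-cache plus an
    already-expired Expires value). 'private' or 'max-age' alone is not enough.
    """
    # Header names are case-insensitive, so normalise them before looking up.
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return True
    return (
        "no-cache" in cc
        and lowered.get("pragma", "").strip().lower() == "no-cache"
        and lowered.get("expires", "").strip() in {"0", "-1"}
    )


def audit(responses: dict[str, dict[str, str]]) -> dict[str, bool]:
    """Map each sampled path to whether its response is safe from browser caching."""
    return {path: caching_prevented(h) for path, h in responses.items()}


# Constructed sample responses: one hardened page, one served with only
# 'private' (still cacheable by the browser), and one with no caching headers.
SAMPLE_RESPONSES = {
    "/Issues/Edit": {
        "Content-Type": "text/html",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "-1",
    },
    "/Issues/View": {"Content-Type": "text/html", "cache-control": "private, max-age=600"},
    "/KB/Article": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for path, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {'OK' if ok else 'CACHEABLE'}")
```

In practice the header dictionaries come from the responses of the data entry pages you care about; pages that report CACHEABLE are the ones the outbound rule is not covering.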
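The CSRF option above is built on the Synchronizer Token Pattern. The following added Python example (not Issuetrak's code) models that pattern for links: it shows why a URL copied from the address bar is rejected, why a generated Safe URL is accepted, and how much longer the link becomes. The query parameter name stp, the HMAC-derived token format and the per-session binding are assumptions drawn from OWASP's description of the pattern, not from the product, which does not document its scheme on this page.

```python
"""Synchronizer Token Pattern applied to links.

Added example, not Issuetrak's code. The parameter name, token derivation and
per-session binding are assumptions based on OWASP's description of the pattern.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SERVER_SECRET = secrets.token_bytes(32)  # server-side key; generated here only for the demo
TOKEN_PARAM = "stp"  # assumed query parameter name


def new_session() -> dict:
    """Create a session with its own random CSRF secret (one per login)."""
    return {"id": secrets.token_hex(8), "csrf_secret": secrets.token_hex(32)}


def session_token(session: dict) -> str:
    """Derive the synchronizer token: HMAC of the session secret under the server key."""
    return hmac.new(SERVER_SECRET, session["csrf_secret"].encode(), hashlib.sha256).hexdigest()


def create_safe_url(session: dict, url: str) -> str:
    """Model of the 'Create Safe URL' action: embed the session's token in the link."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[TOKEN_PARAM] = session_token(session)
    return urlunsplit(parts._replace(query=urlencode(query)))


def request_allowed(session: dict, url: str) -> bool:
    """Server-side check: the token in the URL must match the token for this session."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = query.get(TOKEN_PARAM)
    if presented is None:
        return False  # plain link or address-bar copy: no token present
    # Constant-time comparison so timing differences do not leak the expected token.
    return hmac.compare_digest(presented, session_token(session))


def demo() -> dict:
    """Exercise the three cases the option's caveats describe."""
    alice = new_session()
    bob = new_session()
    plain = "https://issuetrak.example/Issues/View?id=1234"  # constructed URL
    safe_for_alice = create_safe_url(alice, plain)
    return {
        "plain_link_rejected": not request_allowed(alice, plain),
        "safe_link_accepted": request_allowed(alice, safe_for_alice),
        "other_session_rejected": not request_allowed(bob, safe_for_alice),
        "url_length_growth": len(safe_for_alice) - len(plain),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The url_length_growth value is the point behind the last two caveats in the list above: every Safe link carries the token, and a 64-character hex token plus its parameter name adds 69 characters to each URL, which is what can push links past field limits elsewhere.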
The following options reduce site security:
- Allow more than one person to be logged in with a single end-user account at the same time allows multiple users or browsers to log in using the same end-user account. Agent accounts cannot be configured to allow multiple simultaneous logins.
- Close All Sessions effectively kicks all users out of the site and forces them to the login screen to re-authenticate.