3.9.8 Security Defenses

The Security Defenses section in ZTrust provides configuration options to enhance the security of your applications. This section is divided into two parts: HTTP Security Headers and Brute Force Detection.

Fig 3.9.8.a: Security Defenses, Security Defense Configuration

In the Headers tab, within the Security Defenses section, you'll find the following settings.

1. HTTP Security Headers

In the Headers tab under Security Defenses, you can configure various HTTP response headers to improve your system’s security posture.

X-Frame-Options

It is an HTTP response header that allows administrators to control whether a page can be rendered within a frame, iframe, or any other object. It can have three values:

It can take 3 values -

• DENY

This header field instructs the browsers not to display the content in any frame

• SAMEORIGIN

This header field specifies that the content should not be displayed in any frame from a page with a different origin.

• ALLOW-FROM (followed by a serialized-origin)

This header field specifies that the content should not be displayed in any frame from a page with a top-level browsing context of a different origin than the specified one.

By default, ZTrust only sets up a same-origin policy for iframes.

For more information, go to X-Frame-Options

Content-Security-Policy

This setting is employed to secure applications in multiple ways, reducing the risk of content injection vulnerabilities.

It's the default value designed to prevent pages from being included by non-origin iframes.

Click on Content-Security-Policy for more information.

X-Content-Type-Options

This specifies the default value which prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type

You can go to X-Content-Type-Options for more information.

X-Robots-Tag

This configuration prevents pages from being indexed by search engines.

Click on X-Robots-Tag for more information.

X-XSS-Protection

This header adjusts the Cross-site Scripting (XSS) filter within your browser. When using the default browser settings, the browser will halt page rendering upon detecting an XSS attack.

Click on X-XSS-Protection for more information.

HTTP Strict Transport Security (HSTS)

This header instructs the browser to consistently utilize HTTPS.

Upon encountering this header, the browser will exclusively access the site via HTTPS for the duration specified (up to 1 year), encompassing subdomains as well.

Click on HTTP Strict Transport Security for more information.

Referrer Policy

Fig 3.9.8.b: Security Defenses, Refferrer policy

The Referrer Policy HTTP header determines the amount of referrer information to include with requests, as specified by the Referer header.

Click on Referrer Policy for more information.

Save

After making any modifications, click on Save to apply those changes into the system.

Revert

If you prefer not to finalize your alterations, click on Revert.

This action will discard all changes made.

Fig 3.9.8.c: Security Defenses, Select bruteforce mode

In the Security Defenses section, located within the Brute force detection tab, you can customize the lockout settings according to your preferences.

Fig 3.9.8.d: Security Defenses, Select bruteforce mode

Upon clicking Lockout permanently, you will be directed to the screen depicted below.

Fig 3.9.8.e: Security Defenses, Specify the section to configure bruteforce detection

Max Login Failures

This can be customized based on the organization standards.

It means the maximum failed login attempts allowed before triggering a wait period.

Quick Login Check Milliseconds

It can be modified as required.

This duration dictates the interval between consecutive failures; if shorter than the specified duration, it will lock the user.

Minimum Quick Login Wait

This can be modified as required.

It represents the waiting period or the duration the user must wait after a rapid login failure.

Fig 3.9.8.f: Security Defenses, Specify the time format

You can choose from the dropdown the required duration unit that you want to specify out of Seconds, Minutes, Hours, and Days.

Save

After making any modifications, click on Save to apply those changes into the system.

Revert

If you prefer not to finalize your alterations, click on Revert.

This action will discard all changes made.

Upon clicking Lockout temporarily, you will be redirected to the screen shown below.

Fig 3.9.8.g: Security Defenses, Select the configuration for bruteforce authnetication

Max Login Failures

This can be customized based on the organization standards.

It means the maximum failed login attempts allowed before triggering a wait period.

Wait Increment

This can also be customized to align with organizational standards.

It refers to the duration an user must wait before attempting to log in again after reaching the maximum failed login attempts.

Fig 3.9.8.h: Security Defenses, Specify the wait increment

You can adjust the dropdown to select the desired time unit, such as Minutes, Seconds, Hours, or Days, as required.

Max Wait

This feature can be adjusted to align with your organization's standards.

It denotes the maximum duration for which a user will be locked out.

Fig 3.9.8.i: Security Defenses, Specify the maximum wait time

You can adjust the dropdown to select the desired time unit, such as Minutes, Seconds, Hours, or Days, as required.

Failure Reset Time

This can be adjusted as required.

It refers to the time after which the Failure count will be reset to Zero.

Fig 3.9.8.j: Security Defenses, Specify the failure reset time

You can choose from the dropdown the required duration unit that you want to specify out of Seconds, Minutes, Hours, and Days.

Quick Login Check Milliseconds

It can be modified as required.

Fig 3.9.8.k: Security Defenses, Quick login check miliseconds

This duration dictates the interval between consecutive failures; if shorter than the specified duration, it will lock the user.

Minimum Quick Login Wait

This can be modified as required.

It represents the waiting period or the duration the user must wait after a rapid login failure.

Fig 3.9.8.l: Security Defenses, Select Minimum Quick Login Wait

You can choose from the dropdown the required duration unit that you want to specify out of Seconds, Minutes, Hours, and Days.

Save

After any changes are made, click on Save in order to get those changes incorporated.

Revert

If you prefer not to finalize your alterations, click on Revert.

This action will discard all changes made.

Upon clicking Lockout permanently after temporary lockout, you will be redirected to the screen shown below.

Fig 3.9.8.m: Security Defenses, Configure section to setup Brute-Force Authentication

Max Login Failures

This can be customized based on the organization standards.

It means the maximum failed login attempts allowed before triggering a wait period.

Maximum temporary lockouts

This indicates the maximum number of temporary lockouts allowed before the user is permanently locked out. You can adjust this setting according to your needs.

Wait Increment

This can also be customized to align with organizational standards.

It refers to the duration an user must wait before attempting to log in again after reaching the maximum failed login attempts.

Fig 3.9.8.n: Security Defenses, Setup wait increment

You can adjust the dropdown to select the desired time unit, such as Minutes, Seconds, Hours, or Days, as required.

Max Wait

This feature can be adjusted to align with your organization's standards.

It denotes the maximum duration for which a user will be locked out.

Fig 3.9.8.o: Security Defenses, Setup maximum wait time

You can adjust the dropdown to select the desired time unit, such as Minutes, Seconds, Hours, or Days, as required.

Failure Reset Time

This can be adjusted as required.

It refers to the time after which the Failure count will be reset to Zero.

Fig 3.9.8.p: Security Defenses, Setup failure reset time

You can choose from the dropdown the required duration unit that you want to specify out of Seconds, Minutes, Hours, and Days.

Quick Login Check Milliseconds

It can be modified as required.

Fig 3.9.8.q: Security Defenses, Setup quick login check milliseconds

This duration dictates the interval between consecutive failures; if shorter than the specified duration, it will lock the user.

Minimum Quick Login Wait

This can be modified as required.

It represents the waiting period or the duration the user must wait after a rapid login failure.

Fig 3.9.8.q: Security Defenses, Setup minimum quick login wait time

You can choose from the dropdown the required duration unit that you want to specify out of Seconds, Minutes, Hours, and Days.

Save

After any changes are made, click on Save in order to get those changes incorporated.

Revert

If you prefer not to finalize your alterations, click on Revert.

This action will discard all changes made.

All attributes can be customized to suit specific requirements.