Your site's security is high on our priority list. This article reviews the options you have on the Security page of your site.
Site Password
Your learning site will be password protected until your site is launched or goes live. Users who attempt to visit your site's URL will land on a page indicating that the site is closed. To bypass this page, you must enter the site password, or sign in with valid credentials. For testing purposes, you can enter the site password in order to view and test the different user flows without being logged in.
Note
The site password is not related to your personal login credentials.
- From your homepage, select Settings and then Security.
- Within the Passwords & Keys section, you will find your assigned site password. This password is randomly generated.
- Go to your site URL and enter the password. Click Enter.
Tip
We highly recommend using a private/incognito browser window to test your site as a logged-out user.
- From here, you are ready to start testing!
Tip
Removing the password protection from your site is the final step in setting up your custom domain (launching your site). You should not remove the password protection on your site until all configuration steps and QA are completed.
Reactivating Your Site Password
If you do happen to accidentally remove password protection before you're ready, please reach out to your Tech Success & Support to have this reapplied to your site.
API Keys
Come here to view and copy your site's API key. For security purposes, your key is masked and you have the option to rotate your key as needed. You can generate up to two masked keys at a time.
- From your homepage, select Settings and then Security.
- Find the Passwords & Keys section.
- Click Generate API Key.
- Once an API Key has been generated, click the eye icon to view it and copy if needed.
- If you would like to generate a second API Key, click Generate API Key again.
- Once you've generated two API Keys, you have the option to remove either API Key from your site by clicking the trash icon.
Warning
Removing an API Key cannot be undone.
Configuring Frame Options
Your instance can be embedded onto another website, domain, or even app, via the use of these HTML tags: <frame>, <iframe>, or <object>. When you do this, we encourage you to set your Frame Options as described below.
- From the homepage, select Settings.
- From the left menu, select Security and then find the section for Security Options.
- Choose one of two options from the drop-down:
- Allow (not recommended)
- Allow from Same Origin (recommended)
- Click Save.
Note
We recommend the Allow from Same Origin setting for your site’s Frame Options in order to prevent clickjacking attacks.
Tip
For more information on Frame Options, click here.
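To make the difference between the two Frame Options settings concrete, here is a small added example (not Thought Industries code) that models how a browser evaluates them. It assumes the Allow setting sends no framing header and Allow from Same Origin sends the standard X-Frame-Options: SAMEORIGIN header; the page does not name the header, so that mapping is an assumption. Same-origin means scheme, host and port all match, and modern browsers check every ancestor frame up to the top-level page, so one foreign ancestor is enough to block rendering.

```python
"""Model of the two Frame Options settings and how a browser applies them.

Added example, not Thought Industries code. Maps each setting to the
X-Frame-Options header value a server would send (assumed mapping) and
decides whether a browser honouring that header renders the page in a frame.
"""
from urllib.parse import urlsplit

# Assumed mapping from the UI setting to the X-Frame-Options header value.
FRAME_OPTION_HEADERS = {
    "Allow": None,                          # no header: any site may frame the page
    "Allow from Same Origin": "SAMEORIGIN",  # only same-origin ancestors may frame it
}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port), the triple browsers compare for same-origin."""
    parts = urlsplit(url)
    default_port = {"https": 443, "http": 80}[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), parts.port or default_port)


def framing_allowed(setting: str, framed_url: str, ancestor_urls: list[str]) -> bool:
    """Decide whether the page at framed_url renders inside the given frame chain.

    ancestor_urls lists every embedding page from the immediate parent up to the
    top-level document. SAMEORIGIN requires all of them to share the page's origin.
    """
    header = FRAME_OPTION_HEADERS[setting]
    if header is None:
        return True
    if header == "SAMEORIGIN":
        target = origin(framed_url)
        return all(origin(ancestor) == target for ancestor in ancestor_urls)
    raise ValueError(f"unsupported X-Frame-Options value {header!r}")


if __name__ == "__main__":
    site = "https://learn.example.com/course/1"  # constructed URL
    print(framing_allowed("Allow", site, ["https://other.example.net/"]))
    print(framing_allowed("Allow from Same Origin", site, ["https://learn.example.com/portal"]))
    print(framing_allowed("Allow from Same Origin", site, ["https://other.example.net/"]))
```

The third call is the clickjacking case the Note above refers to: a page on a different origin wraps your site in an invisible frame, and with Allow from Same Origin the browser refuses to render it. The check also treats http and https versions of the same host as different origins, which is why a mixed-scheme embed fails under SAMEORIGIN.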
Volume Security Requests
Through various security measures, Thought Industries aims to prevent malicious actors from breaking into accounts. There are a few aspects that are good for you to know:
- Account Lockout Functionality
- Login Rate Limiting Functionality
- Volume Security Requests Setting
Account Lockout Functionality
This behavior is always active on every site.
Objective: Prevent a malicious actor from breaking into a single account by guessing the password to that account.
Behavior: Locks an individual user out of their account after 5 failed login attempts within 30 minutes. It does not take IP address into account. After a user is locked out, they’ll see the existing login-too-many-attempts translation, which defaults to “You have made too many login attempts. Please try again in 30 minutes.”
Login Rate Limiting Functionality
This behavior is always active on every site.
Objective: Prevent a malicious actor from breaking into multiple accounts, e.g., by guessing the password ‘testtest’ across a variety of email addresses. This is typically an automated effort that tries thousands of email/password combos in a short time.
Behavior: After a high volume of login attempts (failed or otherwise) from a single IP address within a certain time period, we present a managed challenge. Users prove they are human by clicking a button and, assuming they are human, are allowed to continue.
Volume Security Requests Setting
This behavior is always active on every site, unless the toggle for Disable Security Volume Requests? is enabled. Enabling it might be useful if you are hosting an in-person event that requires users to redeem registration or redemption codes.
Objective: When this toggle is disabled (default state), the objective is to prevent a malicious actor from sending a large volume of code redemption requests.
Behavior: While this toggle is disabled (the default), all users from a particular IP address are blocked if we receive a large volume of code redemption requests (not login requests) from that IP in a short period of time.
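The three controls above are all counters over a trailing time window, differing only in what they key on (account or IP), what they count, and what happens at the threshold. The following added example (not Thought Industries code) models them that way so the behaviour is easy to reason about: account lockout keyed on the email with the page's 5 failures in 30 minutes, login rate limiting keyed on the IP, and redemption-volume blocking keyed on the IP within the page's 5-minute window, switched off when the Disable Security Volume Requests? toggle is on. The page gives no numbers for "high volume" of logins or redemptions, so the LOGIN_IP_LIMIT and REDEEM_IP_LIMIT values are assumptions, as are the sample emails and IPs.

```python
"""Sliding-window model of account lockout, login rate limiting and
redemption-volume blocking as described on this page.

Added example, not Thought Industries code. Thresholds the page does not
state are marked as assumptions below.
"""
from collections import defaultdict, deque

MINUTE = 60  # seconds


class SlidingWindow:
    """Count events per key inside a trailing window of fixed length."""

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self._events: dict[str, deque] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> deque:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events older than the window
            q.popleft()
        return q

    def record(self, key: str, now: float) -> int:
        q = self._prune(key, now)
        q.append(now)
        return len(q)

    def count(self, key: str, now: float) -> int:
        return len(self._prune(key, now))


class SiteSecurity:
    LOCKOUT_FAILURES = 5             # from the page: 5 failed attempts ...
    LOCKOUT_WINDOW = 30 * MINUTE     # ... within 30 minutes, per account
    LOGIN_IP_LIMIT = 100             # assumption: page only says "high volume"
    LOGIN_IP_WINDOW = 5 * MINUTE     # assumption: page says "a certain time period"
    REDEEM_IP_LIMIT = 20             # assumption: page only says "large volume"
    REDEEM_IP_WINDOW = 5 * MINUTE    # from the page: same IP within 5 minutes

    def __init__(self, disable_security_volume_requests: bool = False):
        self.ignore_volume_requests = disable_security_volume_requests
        self.failed_logins = SlidingWindow(self.LOCKOUT_WINDOW)    # keyed on email
        self.login_attempts = SlidingWindow(self.LOGIN_IP_WINDOW)  # keyed on IP
        self.redemptions = SlidingWindow(self.REDEEM_IP_WINDOW)    # keyed on IP

    def login(self, email: str, ip: str, password_ok: bool, now: float) -> str:
        # Every attempt, failed or otherwise, counts toward the per-IP limit.
        if self.login_attempts.record(ip, now) > self.LOGIN_IP_LIMIT:
            return "challenge"
        # Lockout is per account and ignores which IP the attempt came from.
        if self.failed_logins.count(email, now) >= self.LOCKOUT_FAILURES:
            return "locked"
        if password_ok:
            return "ok"
        self.failed_logins.record(email, now)
        return "failed"

    def redeem(self, ip: str, now: float) -> str:
        n = self.redemptions.record(ip, now)
        if not self.ignore_volume_requests and n > self.REDEEM_IP_LIMIT:
            return "blocked"
        return "ok"


def demo() -> dict:
    """Walk the three behaviours with constructed events; returns the outcomes."""
    sec = SiteSecurity()
    t0 = 0.0
    # Five wrong passwords for one account, each from a different IP: locked out anyway.
    for i in range(5):
        sec.login("alice@example.com", f"10.0.0.{i}", False, t0 + i)
    locked = sec.login("alice@example.com", "10.0.0.99", True, t0 + 10)
    # 31 minutes later the window has cleared, so the correct password works again.
    later_ok = sec.login("alice@example.com", "10.0.0.99", True, t0 + 31 * MINUTE)
    # One IP trying one password across many accounts: per-account lockout never
    # fires, but the per-IP limit produces the managed challenge.
    spray = "ok"
    for i in range(SiteSecurity.LOGIN_IP_LIMIT + 1):
        spray = sec.login(f"user{i}@example.com", "203.0.113.7", False, t0 + i * 0.1)
    # Redemption flood from one IP: blocked by default, ignored with the toggle on.
    n = SiteSecurity.REDEEM_IP_LIMIT + 1
    default_last = [sec.redeem("198.51.100.4", t0 + i) for i in range(n)][-1]
    event_site = SiteSecurity(disable_security_volume_requests=True)
    event_last = [event_site.redeem("198.51.100.4", t0 + i) for i in range(n)][-1]
    return {"locked": locked, "later_ok": later_ok, "spray": spray,
            "redeem_default": default_last, "redeem_event": event_last}


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing in the model: the lockout check runs against the account regardless of IP, so spreading guesses over many addresses does not help, and the per-IP login counter includes successful logins, which is why a shared network (an office or a classroom) can see the challenge even when nobody is misbehaving. The redemption counter still records requests while the toggle is on; only the block is suppressed, so turning the toggle back off after an event immediately restores protection.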
To enable the toggle and ignore volume requests based on IP:
- From the homepage, select Settings.
- From the left menu, select Security and then find the section for Security Options.
- Review the options for Disable Security Volume Requests?:
  - Disabled (default): Block users after a high number of attempts from the same IP within 5 minutes. Blocked users can try again once those 5 minutes have passed.
  - Enabled (ignore volume requests): Don’t block users based on IP.
- Enable the toggle Disable Security Volume Requests?.
- Click Save.