The following series of options in the Security section allow you to either enhance or reduce the security of your Issuetrak site. It is important to note that some of these enhancements may reduce functionality of the browser, causing potential inconveniences to your users. Additionally, two of these options will result in reduced security and should only be enabled with care.
Want to find out about security as it relates to the deployment of Issuetrak? Read the Security in Issuetrak article instead.
The following options increase site security:
- Tell browsers not to cache page data disables the caching functions on data entry pages within Issuetrak. This measure is designed to prevent hackers from potentially gaining access to sensitive information through a specific workstation or other common access point. However, this results in potential inconveniences for your user base, primarily in that the Back button of the browser may not return the user to the previously viewed page and could also empty the data entry fields on the page they are on.
- Tell browsers not to embed this site into other sites (to prevent clickjacking) adds additional security layers to your site that help prevent hackers from initiating clickjacking attacks. This option denies your users the ability to access embedded iframes within your Issuetrak site that reference a host other than your Issuetrak website host. For more details on this type of attack, please see the Open Web Application Security Project (OWASP)'s Clickjacking page.
- Protect this site from Cross-Site Request Forgery (CSRF) attacks adds additional security layers to your site that help prevent hackers from potentially gaining access to sensitive information and/or executing malicious functions through Cross-Site Request Forgery attacks. This option comes with a number of potential inconveniences to your users, including additional steps to perform certain actions:
  - Users will not be able to access any shortcut or direct link to a specific page within your Issuetrak site (such as an Issue record, Project record, KB Article, Report, etc.) that is not specifically embedded with a system-generated Synchronizer Token Pattern.
  - Users will not be able to access any shortcut or direct link to a specific page within your Issuetrak website that has been copied and pasted directly from a browser's address bar into any other location inside or outside of Issuetrak (such as into another Issue record, Project record, KB Article, personal email message, desktop shortcut, etc.).
  - Users will be required to generate a Safe URL using the (Create Safe URL) function found in the top bar of your Issuetrak interface each time they need to paste a link to a specific page within Issuetrak into any other location inside or outside of Issuetrak.
  - Significantly lengthens the general URL displayed in a browser's address bar for every individual page within your Issuetrak site.
  - Significantly increases the number of characters in a Safe link to specific pages within your Issuetrak site, which may exceed the available space or maximum character limit allowed in certain locations inside or outside of Issuetrak.
  For more details on this type of attack, please see the OWASP's Cross Site Request Forgery (CSRF) page.
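The following is an added illustration, not Issuetrak's own code and not a description of how its Safe URL feature is implemented: a minimal server-side model of the three hardening options above, with a session-bound synchronizer token appended to links (so a bare link, or one carrying another session's token, is refused) and the response headers that implement the no-cache and no-embed settings. The page URL, session ids, key and the `token` parameter name are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side key; a real deployment keeps this outside the code.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_PARAM = "token"  # assumed query-string parameter name


def issue_token(session_id: str) -> str:
    """Synchronizer token: an HMAC tying the token to one login session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_safe_url(url: str, session_id: str) -> str:
    """Model of a 'Create Safe URL' step: embed the session's token in the link."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != TOKEN_PARAM]
    query.append((TOKEN_PARAM, issue_token(session_id)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def request_allowed(url: str, session_id: str) -> bool:
    """Server-side check: a link with no token, or another session's token, is refused."""
    presented = dict(parse_qsl(urlsplit(url).query)).get(TOKEN_PARAM)
    if presented is None:
        return False
    return hmac.compare_digest(presented, issue_token(session_id))


def security_headers(no_cache: bool, no_embed: bool) -> dict:
    """Response headers behind the first two options on this page."""
    headers = {}
    if no_cache:
        # Keep data-entry pages out of browser and proxy caches (this is what breaks Back).
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
        headers["Pragma"] = "no-cache"
    if no_embed:
        # Refuse framing by other origins; CSP frame-ancestors is the modern equivalent.
        headers["X-Frame-Options"] = "SAMEORIGIN"
        headers["Content-Security-Policy"] = "frame-ancestors 'self'"
    return headers


if __name__ == "__main__":
    page = "https://issuetrak.example/SomePage?id=123"  # constructed URL
    safe = create_safe_url(page, "session-A")
    print(safe)
    print(request_allowed(page, "session-A"), request_allowed(safe, "session-A"),
          request_allowed(safe, "session-B"))
```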
The following options reduce site security:
- Allow more than one person to be logged in with a single end-user account at the same time will allow concurrent logins for end-user accounts only; agent level accounts will still only be allowed to log into Issuetrak from a single location at a time.