Access

The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides.

Remove Non-Essential Features

The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, uninstall it, disable it, or protect access to it.

Remove Non-Essential Access

Make sure that only authorized people can access your servers and applications, over the appropriate network, using the appropriate ports, and presenting sufficiently strong credentials.

Require clients to connect over a current version of TLS (TLS 1.2 or later), and audit system access periodically.

Restrict access to your monitoring data by protecting the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint. For information, see Protecting the Monitoring Endpoints.

In production, prevent IG from periodically scanning the routes directory for changes, so that a file added to or modified in that directory cannot change how requests are routed. For information, see scanInterval in Router.
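As an added example (not taken from the IG reference pages), the following config.json defines a Router whose scanInterval is set to disabled, so IG loads routes once at startup and does not pick up later changes to the routes directory. The heap object name _router is a placeholder; the property and type names are those documented for Router.

```json
{
  "heap": [
    {
      "name": "_router",
      "type": "Router",
      "config": {
        "scanInterval": "disabled"
      }
    }
  ],
  "handler": "_router"
}
```

With scanning disabled, a route change requires a deliberate restart of IG, which is the behaviour you want in production: deployments become an explicit, auditable event rather than something that happens whenever a file on disk changes.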

Disable the administration endpoints and Studio by running IG in production mode. For information, see Switching From Development Mode to Production Mode.

Apply Security Patches

Keep your operating systems, web and application servers, and every other application in your environment up to date. Knowledge of a vulnerability spreads quickly among attackers, who will not hesitate to exploit it.

Review and follow the ForgeRock security advisories. Follow similar lists from all of your vendors.

Manage Cookies

Where possible, configure cookie properties to restrict how and where they can be used. For information, see cookie in JwtSession, and authCookie in CrossDomainSingleSignOnFilter.

Store as little sensitive data in cookies as possible, and only when necessary.

Change the default names of cookies so that they cannot easily be associated with a particular product or application.
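As an added example (not taken from the IG reference pages) that covers the three points above, the following heap object configures a JwtSession whose session cookie has a non-default name, is scoped to one host and path, cannot be read by scripts, is sent only over TLS, and is not attached to cross-site requests. The cookie name, domain and timeout are placeholder values; the property names are assumed to be those documented for the cookie object in JwtSession.

```json
{
  "name": "HardenedJwtSession",
  "type": "JwtSession",
  "config": {
    "cookie": {
      "name": "app_s",
      "domain": "app.example.com",
      "path": "/",
      "httpOnly": true,
      "secure": true,
      "sameSite": "Strict"
    },
    "sessionTimeout": "30 minutes"
  }
}
```

A short sessionTimeout limits how long a stolen cookie remains useful, which matters more the more state the session JWT carries. If your application is legitimately reached from another site, sameSite may need to be Lax rather than Strict; do not weaken httpOnly or secure to work around such a problem.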