The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides.
The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, uninstall it, disable it, or protect access to it.
Make sure that only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials.
Make sure that users connect to systems through the latest versions of TLS, and audit system access periodically.
Restrict access to your monitoring data by protecting the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint. For information, see Protecting the Monitoring Endpoints.
Prevent IG from scanning for changes to routes. For information, see scanInterval in Router.
Disable administration endpoints and Studio by setting the IG run mode to production. For information, see Switching From Development Mode to Production Mode.
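The two settings above are the kind of thing a deployment review should verify rather than trust. The following script, added here as an example and not part of the ForgeRock documentation, audits a copy of an IG configuration directory for them. It assumes the layout and property names from the IG reference: `admin.json` with a `"mode"` property, route files under `routes/` whose Router objects carry `"scanInterval"` in their `config`; check both against the reference for your IG version.

```python
"""Audit an IG config directory for the two hardening points above.

Assumed (from the IG reference, verify for your version):
  - <config>/admin.json has "mode": "PRODUCTION" to disable admin endpoints and Studio
  - a Router object has config.scanInterval, and "disabled" stops route scanning
"""
import json
from pathlib import Path


def audit_admin(admin):
    """Return findings for the admin.json content (a dict)."""
    if str(admin.get("mode", "")).upper() != "PRODUCTION":
        return ["admin.json: mode is not PRODUCTION, so admin endpoints and Studio stay enabled"]
    return []


def find_routers(node):
    """Yield every object with "type": "Router", wherever it sits in the route JSON."""
    if isinstance(node, dict):
        if node.get("type") == "Router":
            yield node
        for value in node.values():
            yield from find_routers(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_routers(value)


def audit_route(name, route):
    """Return findings for one route file (name) and its parsed JSON (route)."""
    findings = []
    for router in find_routers(route):
        interval = router.get("config", {}).get("scanInterval")
        if interval is None:
            findings.append(f"{name}: Router has no scanInterval, so scanning runs at the default interval")
        elif str(interval).lower() != "disabled":
            findings.append(f"{name}: Router scanInterval is {interval!r}, not 'disabled'")
    return findings


def audit_config(config_dir):
    """Audit admin.json and every routes/*.json under config_dir; return all findings."""
    config_dir = Path(config_dir)
    admin_path = config_dir / "admin.json"
    admin = json.loads(admin_path.read_text()) if admin_path.exists() else {}  # absent file: not production
    findings = audit_admin(admin)
    for route_file in sorted((config_dir / "routes").glob("*.json")):
        findings += audit_route(route_file.name, json.loads(route_file.read_text()))
    return findings


if __name__ == "__main__":
    import sys
    for line in audit_config(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it against a copy of the IG configuration directory; an empty result means both settings are in their hardened state.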
Security vulnerabilities are the reason why you should keep your operating systems, web and application servers, and every other application in your environment up to date. Knowledge of vulnerabilities spreads fast among malicious users, who will not hesitate to try to exploit them.
Review and follow the ForgeRock security advisories. Follow similar lists from all of your vendors.
Store a minimum amount of sensitive data in cookies, and only when necessary.
Change the default name of cookies to prevent them from being easily associated with an application.