Differences

This shows you the differences between two versions of the page.

--- administration:security [2020/09/01 06:29] – [Proxies and IP Authentication] emaijala
+++ administration:security [2022/10/18 17:04] – [Securing User Credentials] demiankatz
@@ Line 78: / Line 78: @@
 VuFind stores some user information in its database.  Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials.  The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind's auto-configuration pages.  Enabling security is highly recommended.
+When using some [[configuration:authentication]] options, you have the ability to pre-populate user ILS credentials in the database. In some scenarios, it is possible to configure ILS drivers to look up users based only on usernames or other "public knowledge" fields. In these cases, you should disable direct user login using the allowUserLogin setting in the [Catalog] section of [[configuration:files:config.ini]] to eliminate the possibility of users attempting to impersonate one another. This setting was introduced in VuFind 9.0.
 ===== Using a Content Security Policy =====
@@ Line 83: / Line 85: @@
 Starting with VuFind 7.0, you can configure a [[administration:security:content_security_policy|content security policy]] to protect against cross-site scripting and other vulnerabilities. See the [[administration:security:content_security_policy|content security policy]] page for more details.
 ---- struct data ----
+properties.Page Owner :
 ----