Title
Auto-generated SSL, force HTTPS only, login timeout after some time unused, option to disable remember device, passkey, yubikey for first time login
Platform
Web-app
Is it related to an issue?
Very easy to log in and keep the session on. Risk is high for someone to hijack the session. Also high risk of intercepting HTTP from server to client or to reverse proxy. HTTPS should be mandatory.
The Solution
As this app is very good and can have access to critical info and resources, I think there could be more robust login security.
Examples:
- Auto-generated SSL and HTTPS only by default
- Login timeout after some unused time
- Option to disable remember device
- Passkey login
- First-time login verification via YubiKey (or need YubiKey for every login)
Additional Context
No response