How secure is LearnLog?
To prevent listening in:
- SSL encryption as standard, on both our servers and AWS S3 (the media host).
- The app will not accept requests that are not made over HTTPS.
The site will display warnings on the login page if a user is not using IE8+ to ensure they are aware of security issues with their environment.
To prevent session replication, cookies:
- Are only used for authentication.
- Do not store the user's actual password, but an encrypted token.
- Are limited to HTTPS connections, so even if a user sends a non-HTTPS request, the cookies will not be sent by their browser (provided they use any major browser, e.g. Internet Explorer, Firefox, Chrome, Opera, Safari).
Authentication and Password Control
- To prevent brute-force password cracking:
  - Failing a password entry 20 times will lock out a user account - even entering the correct password subsequently will return a failure.
  - The account will unlock after 1 hour.
- To prevent easy passwords: Passwords must be a minimum of 6 characters long.
- To prevent other users gaining access from the same computer: Accounts will automatically sign out after 1 hour of inactivity.
- When resetting a password, it must be changed within 2 hours of requesting the reset email.
Cross Site Scripting
- To prevent script injection attacks (in common browsers):
  - Header: X-Frame-Options: SAMEORIGIN - this prevents typical click-jacking attacks.
  - Header: X-XSS-Protection: 1; mode=block - this allows browsers to detect cross-site reflection attacks and will prevent the page from rendering.
  - Header: Strict-Transport-Security: max-age=31536000 - this tells browsers that they should remember that Learnlog is an HTTPS-only website - if a user tries to access the app over HTTP (which could be hijacked) then the browser will rewrite their request to HTTPS. See: http://www.chromium.org/sts
- To prevent brute-force decryption of encrypted user passwords in the event of a security compromise:
  - A purposefully slow encryption algorithm is employed.
  - All passwords are individually salted.
- All data resides within the EU.
- Our front-end web-servers all reside within the UK.
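The header values listed above and the HTTPS-only cookie rule are easy to state and easy to lose in a deployment change, so an added example (not LearnLog's own code) shows a small audit routine that checks a captured set of response headers against exactly that policy. The sample responses are constructed; the HttpOnly cookie check is an assumption beyond the page, added because an authentication-only cookie has no reason to be readable by script.

```python
import re

# Policy as stated on the page: header name -> expected value.
REQUIRED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the page quotes


def parse_hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_response(headers):
    """Return a list of policy findings for a response; an empty list means it passes.

    headers is a list of (name, value) pairs because a response may carry
    several Set-Cookie lines that a dict would collapse.
    """
    findings = []
    lowered = [(name.lower(), value.strip()) for name, value in headers]
    single = {name: value for name, value in lowered if name != "set-cookie"}

    for name, expected in REQUIRED_HEADERS.items():
        got = single.get(name)
        if got is None:
            findings.append(f"missing header {name}")
        elif got.lower() != expected.lower():
            findings.append(f"{name} is {got!r}, expected {expected!r}")

    hsts = single.get("strict-transport-security")
    max_age = parse_hsts_max_age(hsts) if hsts else None
    if max_age is None:
        findings.append("missing or malformed Strict-Transport-Security")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")

    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';'; Secure and HttpOnly carry no value.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:  # assumption: not stated on the page
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


# Constructed sample responses: one matching the policy, one drifting from it.
GOOD_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; Path=/"),
]
WEAK_HEADERS = [
    ("X-Frame-Options", "ALLOWALL"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_response(hdrs) or "policy met")
```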
To prevent public access to the database and other services
The front-end web servers are locked down using a firewall which prevents access on any ports other than those used for SSH, HTTP and HTTPS. Direct login as 'root' is prevented.
To prevent query-based injection attacks, database queries are sanitized before running.
All media file names are long randomly generated hexadecimal hashes to prevent directory browsing.
A monthly security review is in place to update software libraries and services. When urgent security fixes for libraries and services are released, these will be updated and deployed within 24 hours.