Loading ...

Site Security Best Practices | Axero Documentation

Home » axero documentation » Wiki » Documentation » Site Security Best Practices
Axero Documentation  Wiki
Public Space
Activity Stream Content
Version 11

Site Security Best Practices

 /5
0 (0votes)

Applies to: Cloud & Self-Hosted

Audience: Site Administrators

Introduction

This reference covers the most important security settings in the Axero platform. Review each recommendation to ensure your platform follows best practices for protecting your organization's data and controlling user access.

Overview

Login

The following settings relate to login page configuration and authentication. For full documentation, see Login and Edit Registration Page.

Edit Login Page

The login page is the entry point to your Axero platform. Configure it with only the authentication methods your organization actively uses (e.g., SSO, email/username and password, or social logins). For additional security layers, see the Two-Factor Authentication and Password Policy sections below.

Tip: Set the permission for inactive login widgets to Site Administrator only so they do not appear on the login page.

SSO Auto-Login

If your Axero platform uses Single Sign-On (SSO) and all users authenticate through your SSO provider, enable auto-login so users are redirected directly to the SSO provider's sign-in page instead of seeing the Axero login page.

To enable this, navigate to Control Panel > System > System Properties and search for EnableAutoLoginViaSaml. Set the value to true.

Important: Only enable SSO auto-login if all users sign in through your SSO provider. If any users sign in with a username and password, enabling this setting will prevent them from reaching the Axero login page.

Login Page Without SSO

When your Axero platform does not use SSO, users sign in with their username or email and password. Ensure the following fields are not removed from the login page:

  • Email or username
  • Password
  • Sign-in button

If your platform has Two-Factor Authentication enabled, also keep the "Enter Your Passcode" section on the login page.

Edit Registration Page

You can hide the registration form to prevent users from creating their own accounts.

Tip: Hide the registration form if you provision users through an integration such as SCIM or Active Directory sync.

Maximum Invalid Login Attempts

Limit the number of failed sign-in attempts before an account is locked. Navigate to Control Panel > System > System Properties and search for MaxInvalidLoginAttempts.

Setting Best Practice
MaxInvalidLoginAttempts Set to 5

Password Policy

Password requirements are configured through the user profile field settings. Navigate to Control Panel > Users > User Profile Fields and select the Password field to configure validation rules.

Setting Description Best Practice
Minimum length The minimum number of characters required for a password. 8 or more characters
Maximum length The maximum number of characters allowed for a password. 64 or more characters to support passphrases
Regex validation A regular expression that passwords must match. When set, this overrides the minimum and maximum length settings. Use this to enforce complexity requirements such as requiring uppercase letters, digits, or special characters. Define a regex that requires at least one uppercase letter, one digit, and one special character

Note: Password policy settings do not apply to users who sign in exclusively through SSO. SSO users authenticate against your identity provider, which enforces its own password policy.

Two-Factor Authentication

Two-Factor Authentication (2FA) adds a second verification step after the user enters their password. When enabled, users must enter a time-based passcode from an authenticator app (such as Microsoft Authenticator or Google Authenticator) to complete sign-in.

To enable 2FA, navigate to Control Panel > System > System Properties and search for TwoFactorAuthenticationEnabled. Set the value to true.

Setting Best Practice
TwoFactorAuthenticationEnabled ✅ Enabled for all organizations that use username/password authentication

Important: When enabling 2FA, ensure the "Enter Your Passcode" section is present on your login page. Without it, users will not be able to complete sign-in. 2FA does not apply to users who sign in through SSO, as SSO providers manage their own multi-factor authentication independently. For full setup details, see Edit Edit Profile Page.

Session Management

Session settings control how long users remain signed in before they must re-authenticate. Shorter sessions reduce the risk of unauthorized access from unattended devices. Navigate to Control Panel > System > General Settings to configure session behavior.

Setting Description Best Practice
Session timeout The number of minutes a user can remain inactive before they are automatically signed out. 30 to 60 minutes depending on your organization's security requirements
Remember me When enabled, users can choose to stay signed in across browser sessions. This extends the session beyond the timeout period. Disabled for organizations with strict security requirements

Site Settings

The following settings are located under Control Panel > System > General Settings. For full documentation, see Site Settings.

Setting Description Best Practice
Allow self-registration When enabled, anyone can access the Registration page to create an account. When disabled, only administrators or moderators can create accounts on behalf of users. Disabled
Auto-approve members When enabled, users are automatically approved after confirming their email. When disabled, a site administrator must manually approve every user. Disabled
Allow access only to registered members When enabled, users must register and sign in before accessing any content. When disabled, guests can view the platform in read-only mode. Enabled ✅
Allowed email domains Restricts user registration to specific email domains. Enter a comma-separated list of domains (e.g., yourdomain.com, yourotherdomain.com), or enter * to allow any domain. Restrict to your company email domain only

General Settings page showing self-registration, auto-approve, access restriction, and allowed email domain settings

User Section Permissions

The following settings are located under Control Panel > Users > User Section Permissions. For full documentation, see User Section Permissions.

Review all permissions for roles other than the Site Administrator. Apply the principle of least privilege: grant each role only the permissions required for its function.

Permission Risk Level Best Practice
Delete Users High Site Administrator only
Manage Roles High Site Administrator only
Import Users High Site Administrator only
Edit User Profile Medium Enable only for roles that manage user profiles (e.g., HR moderators)
View User Profile Low Safe to enable for all roles

Tip: Periodically audit user section permissions after organizational changes (e.g., new roles, team restructuring) to ensure no role has accumulated permissions beyond what it needs.

REST API Settings

The following settings are located under Control Panel > System > General Settings > REST API. For full documentation, see REST API Settings.

Setting Description Best Practice
Enable REST API Enables the REST API for programmatic access to platform data and functions. Disabled if your organization does not use the REST API
Select users who can access the REST API The REST API key is tied to the user's roles and permissions. Users are granted or denied access to content through the API based on their platform permissions. It is standard practice to create a dedicated service account with the Site Administrator role for administrative API tasks. Only the Site Administrator role should be enabled ✅

Email Settings

The following settings are located under Control Panel > System > General Settings > Email Settings. For full documentation, see Email Configuration Overview.

Setting Description Best Practice
Enable email sending Controls whether the platform sends notification emails based on user activity (comments, mentions, content updates). Disabling this stops all outbound notification emails. Organization preference

Tip: If your organization uses a custom email domain for outbound notifications, configure SPF and DKIM records for that domain to prevent notification emails from being flagged as spam. Consult your email provider or IT team for setup instructions.

Additional Resources

Support and Feedback

We are always working to improve our documentation. If you encounter an issue not covered here, or if a step could be clearer, let us know through a Support Case so we can help you and improve this guide for everyone.

Wiki Index

Pages