Security Settings
Security Settings
Overview
The Security Settings module provides centralized configuration for all security-related policies and features in your admin panel. This is where you define password requirements, configure two-factor authentication policies, set up IP whitelisting, manage file upload security, configure account lockout rules, and enable security monitoring.
These settings apply system-wide and help protect your application from unauthorized access, brute force attacks, malicious file uploads, and other security threats.
Accessing Security Settings
Navigation path: Dashboard > Security > Settings
Required permission: security.settings.manage
Key Features
- Password Policy Configuration: Define password strength requirements and expiration rules
- Two-Factor Authentication Settings: Configure 2FA availability and enforcement
- IP Whitelisting: Enable and configure IP-based access restrictions
- File Upload Security: Set up malware scanning and file validation
- Security Monitoring: Configure event logging and alert notifications
- Account Lockout: Prevent brute force attacks with automatic account lockout
Main Interface
The Security Settings page is organized into several sections, each focusing on a specific aspect of security configuration. All settings are presented in a single form with clearly labeled sections.
Page Layout
- Header: Shows the page title and a "Reset to Defaults" button
- Settings Sections: Multiple collapsible sections for different security features
- Save Button: Located at the bottom to save all changes at once
Security Configuration Sections
Two-Factor Authentication
Configure how two-factor authentication works in your system.
Settings:
-
Enable 2FA (checkbox)
- Type: Toggle
- Description: Allow users to enable two-factor authentication on their accounts
- Default: Enabled
- Note: Users must still manually enable 2FA on their accounts
-
Mandatory for Admins (checkbox)
- Type: Toggle
- Description: Require all admin users to have 2FA enabled
- Default: Disabled
- Note: When enabled, admins without 2FA will be prompted to set it up
-
Recovery Codes Count (number)
- Type: Number input
- Range: 4-20 codes
- Default: 8
- Description: Number of recovery codes generated for each user
- Recommendation: 8-10 codes provides good balance
IP Whitelisting
Restrict access to the admin panel based on IP addresses.
Settings:
-
Enable IP Whitelist (checkbox)
- Type: Toggle
- Description: Only allow access from whitelisted IP addresses
- Default: Disabled
- Warning: Ensure your IP is whitelisted before enabling
-
Admin Only (checkbox)
- Type: Toggle
- Description: Apply IP whitelist only to admin routes (not public pages)
- Default: Enabled
- Recommendation: Keep enabled unless you need to restrict all access
-
Default Whitelisted IPs (text)
- Type: Comma-separated list
- Format:
127.0.0.1,::1,192.168.1.100 - Description: IP addresses that are always whitelisted
- Default:
127.0.0.1,::1(localhost) - Example:
127.0.0.1,::1,203.0.113.0/24
File Upload Security
Configure security measures for file uploads.
Settings:
-
Enable Malware Scanning (checkbox)
- Type: Toggle
- Description: Scan uploaded files for malware patterns
- Default: Enabled
- Note: Uses pattern matching, not full antivirus
-
MIME Type Validation (checkbox)
- Type: Toggle
- Description: Verify file MIME types match their extensions
- Default: Enabled
- Recommendation: Always keep enabled
-
Content Validation (checkbox)
- Type: Toggle
- Description: Validate actual file content (images only)
- Default: Enabled
- Note: Prevents fake image files
-
Maximum File Size (number)
- Type: Number input (KB)
- Range: 1024-102400 KB (1-100 MB)
- Default: 10240 KB (10 MB)
- Description: Maximum allowed file size for uploads
Security Monitoring
Configure security event logging and alerting.
Settings:
-
Enable Monitoring (checkbox)
- Type: Toggle
- Description: Log and monitor security events
- Default: Enabled
- Recommendation: Always keep enabled
-
Alert Channels (text)
- Type: Comma-separated list
- Options:
mail,database,slack - Default:
mail,database - Description: Where to send security alerts
-
Alert Recipients (text)
- Type: Comma-separated email addresses
- Format:
admin@example.com,security@example.com - Description: Email addresses to receive security alerts
- Required: At least one email if mail channel is enabled
-
Failed Login Threshold (number)
- Type: Number input
- Range: 3-20 attempts
- Default: 5
- Description: Number of failed logins before triggering an alert
-
Window (number)
- Type: Number input (minutes)
- Range: 5-60 minutes
- Default: 15
- Description: Time window for counting failed login attempts
Password Policy
Define password strength and management requirements.
Settings:
-
Minimum Length (number)
- Type: Number input
- Range: 8-32 characters
- Default: 12
- Recommendation: Minimum 12 characters for strong security
-
Require Uppercase (checkbox)
- Type: Toggle
- Description: Password must contain at least one uppercase letter
- Default: Enabled
-
Require Lowercase (checkbox)
- Type: Toggle
- Description: Password must contain at least one lowercase letter
- Default: Enabled
-
Require Numbers (checkbox)
- Type: Toggle
- Description: Password must contain at least one number
- Default: Enabled
-
Require Symbols (checkbox)
- Type: Toggle
- Description: Password must contain at least one special character
- Default: Enabled
-
Prevent Reuse (number)
- Type: Number input
- Range: 0-10 (0 = disabled)
- Default: 5
- Description: Prevent reusing last N passwords
-
Expiry (number)
- Type: Number input (days)
- Range: 0-365 (0 = disabled)
- Default: 90
- Description: Force password change after N days
- Recommendation: 90-180 days for admin accounts
-
Check Against Compromised Passwords Database (checkbox)
- Type: Toggle
- Description: Verify passwords haven't been exposed in data breaches
- Default: Enabled
- Recommendation: Always keep enabled
Account Lockout
Prevent brute force attacks by locking accounts after failed attempts.
Settings:
-
Enable Lockout (checkbox)
- Type: Toggle
- Description: Lock accounts after failed login attempts
- Default: Enabled
-
Max Attempts (number)
- Type: Number input
- Range: 3-20 attempts
- Default: 5
- Description: Number of failed attempts before lockout
-
Duration (number)
- Type: Number input (minutes)
- Range: 5-1440 minutes
- Default: 30
- Description: How long the account remains locked
-
Reset After (number)
- Type: Number input (minutes)
- Range: 10-1440 minutes
- Default: 60
- Description: Time after which failed attempt counter resets
Common Tasks
Task 1: Configuring Strong Password Requirements
- Navigate to Dashboard > Security > Settings
- Scroll to the Password Policy section
- Set Minimum Length to at least 12 characters
- Enable all character type requirements:
- Check Require Uppercase
- Check Require Lowercase
- Check Require Numbers
- Check Require Symbols
- Set Prevent Reuse to 5 or more
- Set Expiry to 90 days (or 0 to disable)
- Enable Check Against Compromised Passwords Database
- Click Save Security Settings
Result: All new passwords must meet these requirements, and users will be prompted to change passwords that don't comply.
Task 2: Enabling Two-Factor Authentication for Admins
- Navigate to Dashboard > Security > Settings
- Locate the Two-Factor Authentication section
- Ensure Enable 2FA is checked
- Check Mandatory for Admins
- Set Recovery Codes Count to 8-10
- Click Save Security Settings
- Notify admin users they must set up 2FA
Result: Admin users will be required to enable 2FA on their next login.
Task 3: Setting Up IP Whitelisting
- Navigate to Dashboard > Security > Settings
- Scroll to the IP Whitelisting section
- In Default Whitelisted IPs, add your IP addresses (comma-separated)
- Example:
127.0.0.1,::1,203.0.113.50,192.168.1.0/24
- Example:
- Ensure Admin Only is checked
- Important: Verify your current IP is in the list
- Check Enable IP Whitelist
- Click Save Security Settings
Result: Only connections from whitelisted IPs can access the admin panel.
Warning: If you lock yourself out, you'll need server access to disable IP whitelisting in the database.
Task 4: Configuring Account Lockout Protection
- Navigate to Dashboard > Security > Settings
- Find the Account Lockout section
- Ensure Enable Lockout is checked
- Set Max Attempts to 5
- Set Duration to 30 minutes
- Set Reset After to 60 minutes
- Click Save Security Settings
Result: Accounts will be locked for 30 minutes after 5 failed login attempts.
Task 5: Enabling Security Monitoring and Alerts
- Navigate to Dashboard > Security > Settings
- Scroll to the Security Monitoring section
- Ensure Enable Monitoring is checked
- Set Alert Channels to
mail,database - Enter admin email addresses in Alert Recipients
- Example:
admin@example.com,security@example.com
- Example:
- Set Failed Login Threshold to 5
- Set Window to 15 minutes
- Click Save Security Settings
Result: You'll receive email alerts when security events occur.
Task 6: Resetting All Settings to Defaults
- Navigate to Dashboard > Security > Settings
- Click the Reset to Defaults button in the top right
- Confirm the action in the popup dialog
- Review the default settings
- Make any necessary adjustments
- Click Save Security Settings
Result: All security settings are restored to their default values.
Settings and Options
Recommended Security Configuration
For most installations, we recommend:
Password Policy:
- Minimum Length: 12 characters
- All character types required
- Prevent Reuse: 5 passwords
- Expiry: 90 days
- Check compromised passwords: Enabled
Two-Factor Authentication:
- Enable 2FA: Yes
- Mandatory for Admins: Yes
- Recovery Codes: 8
Account Lockout:
- Enable Lockout: Yes
- Max Attempts: 5
- Duration: 30 minutes
- Reset After: 60 minutes
Security Monitoring:
- Enable Monitoring: Yes
- Alert Channels: mail,database
- Failed Login Threshold: 5
- Window: 15 minutes
File Upload Security:
- All options enabled
- Max File Size: 10 MB (adjust based on needs)
IP Whitelisting:
- Only enable if you have static IPs
- Admin Only: Yes
Permissions
The following permissions control access to security settings:
security.settings.view: Can view security settingssecurity.settings.manage: Can modify security settingssecurity.settings.reset: Can reset settings to defaults
Note: Only users with security.settings.manage permission can modify these critical settings.
Tips and Best Practices
Password Security
- Use a minimum of 12 characters for strong security
- Enable all character type requirements
- Set password expiry to 90-180 days for admin accounts
- Always check against compromised password databases
- Prevent reuse of at least the last 5 passwords
Two-Factor Authentication
- Make 2FA mandatory for all admin accounts
- Provide 8-10 recovery codes per user
- Educate users on storing recovery codes securely
- Consider making 2FA mandatory for all users, not just admins
IP Whitelisting
- Only enable if you have static IP addresses
- Always include localhost (127.0.0.1, ::1) in the whitelist
- Use CIDR notation for IP ranges (e.g., 192.168.1.0/24)
- Keep the "Admin Only" option enabled
- Test thoroughly before enabling in production
- Have a backup plan to disable if you get locked out
Account Lockout
- Set reasonable thresholds (5 attempts is standard)
- Use lockout durations of 15-30 minutes
- Set reset window to 2-4 times the lockout duration
- Monitor lockout events for potential attacks
Security Monitoring
- Always keep monitoring enabled
- Use multiple alert channels for redundancy
- Set up a dedicated security email address
- Review security events regularly
- Adjust thresholds based on your traffic patterns
File Upload Security
- Enable all validation options
- Set appropriate file size limits based on your needs
- Regularly review uploaded files
- Consider additional server-level scanning for production
Troubleshooting
Problem: Locked Out Due to IP Whitelist
Solution:
- Access your server via SSH or control panel
- Connect to your database
- Find the
settingstable - Locate the security settings record
- Disable IP whitelist or add your IP to the whitelist
- Alternatively, temporarily disable the IP whitelist middleware in your code
Prevention: Always verify your IP is whitelisted before enabling the feature.
Problem: Users Can't Create Passwords That Meet Requirements
Solution:
- Review your password policy settings
- Ensure requirements aren't too restrictive
- Provide clear password requirements on the registration/password change form
- Consider reducing minimum length or character requirements
- Educate users on creating strong passwords
Problem: Too Many Account Lockouts
Solution:
- Check if lockout threshold is too low
- Increase Max Attempts to 7-10
- Reduce Duration to 15 minutes
- Investigate if there's a brute force attack occurring
- Review security events for patterns
Problem: Not Receiving Security Alerts
Solution:
- Verify Enable Monitoring is checked
- Check that email addresses in Alert Recipients are correct
- Verify your mail configuration is working (test in Mail Config settings)
- Check spam/junk folders
- Ensure
mailis included in Alert Channels - Review application logs for email sending errors
Problem: 2FA Mandatory Setting Not Working
Solution:
- Verify Enable 2FA is checked first
- Ensure Mandatory for Admins is checked
- Clear application cache
- Have affected users log out and log back in
- Check that users have the admin role assigned
Problem: File Uploads Failing After Enabling Security
Solution:
- Check if file size exceeds Maximum File Size setting
- Verify file type is allowed by your application
- Temporarily disable Malware Scanning to test
- Check server logs for specific validation errors
- Ensure Content Validation isn't too strict for your file types
Related Modules
- Audit Logs: View security-related actions and changes
- Security Events: Monitor security threats and suspicious activity
- Two-Factor Authentication: Set up 2FA on your account
- IP Whitelist: Manage specific IP whitelist entries
- Users: Manage user accounts affected by security policies
Quick Start
Get Started in Minutes
Follow these simple steps to get Launchpanel - Laravel Admin Panel & Dynamic Website Starter Kit up and running quickly.
Quick Links
Need More Help?
Our comprehensive documentation covers everything from basic setup to advanced configurations. Check out these additional resources: