Skip to Content

Comprehensive documentation to help you get started and make the most of this feature.

Launchpanel - Laravel Admin Panel & Dynamic Website Starter Kit Updated 3 days ago

Security Settings

11 min read
Updated 3 days ago

Security Settings

Overview

The Security Settings module provides centralized configuration for all security-related policies and features in your admin panel. This is where you define password requirements, configure two-factor authentication policies, set up IP whitelisting, manage file upload security, configure account lockout rules, and enable security monitoring.

These settings apply system-wide and help protect your application from unauthorized access, brute force attacks, malicious file uploads, and other security threats.

Accessing Security Settings

Navigation path: Dashboard > Security > Settings

Required permission: security.settings.manage

Key Features

  • Password Policy Configuration: Define password strength requirements and expiration rules
  • Two-Factor Authentication Settings: Configure 2FA availability and enforcement
  • IP Whitelisting: Enable and configure IP-based access restrictions
  • File Upload Security: Set up malware scanning and file validation
  • Security Monitoring: Configure event logging and alert notifications
  • Account Lockout: Prevent brute force attacks with automatic account lockout

Main Interface

The Security Settings page is organized into several sections, each focusing on a specific aspect of security configuration. All settings are presented in a single form with clearly labeled sections.

Page Layout

  • Header: Shows the page title and a "Reset to Defaults" button
  • Settings Sections: Multiple collapsible sections for different security features
  • Save Button: Located at the bottom to save all changes at once

Security Configuration Sections

Two-Factor Authentication

Configure how two-factor authentication works in your system.

Settings:

  • Enable 2FA (checkbox)

    • Type: Toggle
    • Description: Allow users to enable two-factor authentication on their accounts
    • Default: Enabled
    • Note: Users must still manually enable 2FA on their accounts
  • Mandatory for Admins (checkbox)

    • Type: Toggle
    • Description: Require all admin users to have 2FA enabled
    • Default: Disabled
    • Note: When enabled, admins without 2FA will be prompted to set it up
  • Recovery Codes Count (number)

    • Type: Number input
    • Range: 4-20 codes
    • Default: 8
    • Description: Number of recovery codes generated for each user
    • Recommendation: 8-10 codes provides good balance

IP Whitelisting

Restrict access to the admin panel based on IP addresses.

Settings:

  • Enable IP Whitelist (checkbox)

    • Type: Toggle
    • Description: Only allow access from whitelisted IP addresses
    • Default: Disabled
    • Warning: Ensure your IP is whitelisted before enabling
  • Admin Only (checkbox)

    • Type: Toggle
    • Description: Apply IP whitelist only to admin routes (not public pages)
    • Default: Enabled
    • Recommendation: Keep enabled unless you need to restrict all access
  • Default Whitelisted IPs (text)

    • Type: Comma-separated list
    • Format: 127.0.0.1,::1,192.168.1.100
    • Description: IP addresses that are always whitelisted
    • Default: 127.0.0.1,::1 (localhost)
    • Example: 127.0.0.1,::1,203.0.113.0/24

File Upload Security

Configure security measures for file uploads.

Settings:

  • Enable Malware Scanning (checkbox)

    • Type: Toggle
    • Description: Scan uploaded files for malware patterns
    • Default: Enabled
    • Note: Uses pattern matching, not full antivirus
  • MIME Type Validation (checkbox)

    • Type: Toggle
    • Description: Verify file MIME types match their extensions
    • Default: Enabled
    • Recommendation: Always keep enabled
  • Content Validation (checkbox)

    • Type: Toggle
    • Description: Validate actual file content (images only)
    • Default: Enabled
    • Note: Prevents fake image files
  • Maximum File Size (number)

    • Type: Number input (KB)
    • Range: 1024-102400 KB (1-100 MB)
    • Default: 10240 KB (10 MB)
    • Description: Maximum allowed file size for uploads

Security Monitoring

Configure security event logging and alerting.

Settings:

  • Enable Monitoring (checkbox)

    • Type: Toggle
    • Description: Log and monitor security events
    • Default: Enabled
    • Recommendation: Always keep enabled
  • Alert Channels (text)

    • Type: Comma-separated list
    • Options: mail, database, slack
    • Default: mail,database
    • Description: Where to send security alerts
  • Alert Recipients (text)

    • Type: Comma-separated email addresses
    • Format: admin@example.com,security@example.com
    • Description: Email addresses to receive security alerts
    • Required: At least one email if mail channel is enabled
  • Failed Login Threshold (number)

    • Type: Number input
    • Range: 3-20 attempts
    • Default: 5
    • Description: Number of failed logins before triggering an alert
  • Window (number)

    • Type: Number input (minutes)
    • Range: 5-60 minutes
    • Default: 15
    • Description: Time window for counting failed login attempts

Password Policy

Define password strength and management requirements.

Settings:

  • Minimum Length (number)

    • Type: Number input
    • Range: 8-32 characters
    • Default: 12
    • Recommendation: Minimum 12 characters for strong security
  • Require Uppercase (checkbox)

    • Type: Toggle
    • Description: Password must contain at least one uppercase letter
    • Default: Enabled
  • Require Lowercase (checkbox)

    • Type: Toggle
    • Description: Password must contain at least one lowercase letter
    • Default: Enabled
  • Require Numbers (checkbox)

    • Type: Toggle
    • Description: Password must contain at least one number
    • Default: Enabled
  • Require Symbols (checkbox)

    • Type: Toggle
    • Description: Password must contain at least one special character
    • Default: Enabled
  • Prevent Reuse (number)

    • Type: Number input
    • Range: 0-10 (0 = disabled)
    • Default: 5
    • Description: Prevent reusing last N passwords
  • Expiry (number)

    • Type: Number input (days)
    • Range: 0-365 (0 = disabled)
    • Default: 90
    • Description: Force password change after N days
    • Recommendation: 90-180 days for admin accounts
  • Check Against Compromised Passwords Database (checkbox)

    • Type: Toggle
    • Description: Verify passwords haven't been exposed in data breaches
    • Default: Enabled
    • Recommendation: Always keep enabled

Account Lockout

Prevent brute force attacks by locking accounts after failed attempts.

Settings:

  • Enable Lockout (checkbox)

    • Type: Toggle
    • Description: Lock accounts after failed login attempts
    • Default: Enabled
  • Max Attempts (number)

    • Type: Number input
    • Range: 3-20 attempts
    • Default: 5
    • Description: Number of failed attempts before lockout
  • Duration (number)

    • Type: Number input (minutes)
    • Range: 5-1440 minutes
    • Default: 30
    • Description: How long the account remains locked
  • Reset After (number)

    • Type: Number input (minutes)
    • Range: 10-1440 minutes
    • Default: 60
    • Description: Time after which failed attempt counter resets

Common Tasks

Task 1: Configuring Strong Password Requirements

  1. Navigate to Dashboard > Security > Settings
  2. Scroll to the Password Policy section
  3. Set Minimum Length to at least 12 characters
  4. Enable all character type requirements:
    • Check Require Uppercase
    • Check Require Lowercase
    • Check Require Numbers
    • Check Require Symbols
  5. Set Prevent Reuse to 5 or more
  6. Set Expiry to 90 days (or 0 to disable)
  7. Enable Check Against Compromised Passwords Database
  8. Click Save Security Settings

Result: All new passwords must meet these requirements, and users will be prompted to change passwords that don't comply.

Task 2: Enabling Two-Factor Authentication for Admins

  1. Navigate to Dashboard > Security > Settings
  2. Locate the Two-Factor Authentication section
  3. Ensure Enable 2FA is checked
  4. Check Mandatory for Admins
  5. Set Recovery Codes Count to 8-10
  6. Click Save Security Settings
  7. Notify admin users they must set up 2FA

Result: Admin users will be required to enable 2FA on their next login.

Task 3: Setting Up IP Whitelisting

  1. Navigate to Dashboard > Security > Settings
  2. Scroll to the IP Whitelisting section
  3. In Default Whitelisted IPs, add your IP addresses (comma-separated)
    • Example: 127.0.0.1,::1,203.0.113.50,192.168.1.0/24
  4. Ensure Admin Only is checked
  5. Important: Verify your current IP is in the list
  6. Check Enable IP Whitelist
  7. Click Save Security Settings

Result: Only connections from whitelisted IPs can access the admin panel.

Warning: If you lock yourself out, you'll need server access to disable IP whitelisting in the database.

Task 4: Configuring Account Lockout Protection

  1. Navigate to Dashboard > Security > Settings
  2. Find the Account Lockout section
  3. Ensure Enable Lockout is checked
  4. Set Max Attempts to 5
  5. Set Duration to 30 minutes
  6. Set Reset After to 60 minutes
  7. Click Save Security Settings

Result: Accounts will be locked for 30 minutes after 5 failed login attempts.

Task 5: Enabling Security Monitoring and Alerts

  1. Navigate to Dashboard > Security > Settings
  2. Scroll to the Security Monitoring section
  3. Ensure Enable Monitoring is checked
  4. Set Alert Channels to mail,database
  5. Enter admin email addresses in Alert Recipients
    • Example: admin@example.com,security@example.com
  6. Set Failed Login Threshold to 5
  7. Set Window to 15 minutes
  8. Click Save Security Settings

Result: You'll receive email alerts when security events occur.

Task 6: Resetting All Settings to Defaults

  1. Navigate to Dashboard > Security > Settings
  2. Click the Reset to Defaults button in the top right
  3. Confirm the action in the popup dialog
  4. Review the default settings
  5. Make any necessary adjustments
  6. Click Save Security Settings

Result: All security settings are restored to their default values.

Settings and Options

Recommended Security Configuration

For most installations, we recommend:

Password Policy:

  • Minimum Length: 12 characters
  • All character types required
  • Prevent Reuse: 5 passwords
  • Expiry: 90 days
  • Check compromised passwords: Enabled

Two-Factor Authentication:

  • Enable 2FA: Yes
  • Mandatory for Admins: Yes
  • Recovery Codes: 8

Account Lockout:

  • Enable Lockout: Yes
  • Max Attempts: 5
  • Duration: 30 minutes
  • Reset After: 60 minutes

Security Monitoring:

  • Enable Monitoring: Yes
  • Alert Channels: mail,database
  • Failed Login Threshold: 5
  • Window: 15 minutes

File Upload Security:

  • All options enabled
  • Max File Size: 10 MB (adjust based on needs)

IP Whitelisting:

  • Only enable if you have static IPs
  • Admin Only: Yes

Permissions

The following permissions control access to security settings:

  • security.settings.view: Can view security settings
  • security.settings.manage: Can modify security settings
  • security.settings.reset: Can reset settings to defaults

Note: Only users with security.settings.manage permission can modify these critical settings.

Tips and Best Practices

Password Security

  • Use a minimum of 12 characters for strong security
  • Enable all character type requirements
  • Set password expiry to 90-180 days for admin accounts
  • Always check against compromised password databases
  • Prevent reuse of at least the last 5 passwords

Two-Factor Authentication

  • Make 2FA mandatory for all admin accounts
  • Provide 8-10 recovery codes per user
  • Educate users on storing recovery codes securely
  • Consider making 2FA mandatory for all users, not just admins

IP Whitelisting

  • Only enable if you have static IP addresses
  • Always include localhost (127.0.0.1, ::1) in the whitelist
  • Use CIDR notation for IP ranges (e.g., 192.168.1.0/24)
  • Keep the "Admin Only" option enabled
  • Test thoroughly before enabling in production
  • Have a backup plan to disable if you get locked out

Account Lockout

  • Set reasonable thresholds (5 attempts is standard)
  • Use lockout durations of 15-30 minutes
  • Set reset window to 2-4 times the lockout duration
  • Monitor lockout events for potential attacks

Security Monitoring

  • Always keep monitoring enabled
  • Use multiple alert channels for redundancy
  • Set up a dedicated security email address
  • Review security events regularly
  • Adjust thresholds based on your traffic patterns

File Upload Security

  • Enable all validation options
  • Set appropriate file size limits based on your needs
  • Regularly review uploaded files
  • Consider additional server-level scanning for production

Troubleshooting

Problem: Locked Out Due to IP Whitelist

Solution:

  1. Access your server via SSH or control panel
  2. Connect to your database
  3. Find the settings table
  4. Locate the security settings record
  5. Disable IP whitelist or add your IP to the whitelist
  6. Alternatively, temporarily disable the IP whitelist middleware in your code

Prevention: Always verify your IP is whitelisted before enabling the feature.

Problem: Users Can't Create Passwords That Meet Requirements

Solution:

  1. Review your password policy settings
  2. Ensure requirements aren't too restrictive
  3. Provide clear password requirements on the registration/password change form
  4. Consider reducing minimum length or character requirements
  5. Educate users on creating strong passwords

Problem: Too Many Account Lockouts

Solution:

  1. Check if lockout threshold is too low
  2. Increase Max Attempts to 7-10
  3. Reduce Duration to 15 minutes
  4. Investigate if there's a brute force attack occurring
  5. Review security events for patterns

Problem: Not Receiving Security Alerts

Solution:

  1. Verify Enable Monitoring is checked
  2. Check that email addresses in Alert Recipients are correct
  3. Verify your mail configuration is working (test in Mail Config settings)
  4. Check spam/junk folders
  5. Ensure mail is included in Alert Channels
  6. Review application logs for email sending errors

Problem: 2FA Mandatory Setting Not Working

Solution:

  1. Verify Enable 2FA is checked first
  2. Ensure Mandatory for Admins is checked
  3. Clear application cache
  4. Have affected users log out and log back in
  5. Check that users have the admin role assigned

Problem: File Uploads Failing After Enabling Security

Solution:

  1. Check if file size exceeds Maximum File Size setting
  2. Verify file type is allowed by your application
  3. Temporarily disable Malware Scanning to test
  4. Check server logs for specific validation errors
  5. Ensure Content Validation isn't too strict for your file types

Related Modules

Quick Start

Get Started in Minutes

Follow these simple steps to get Launchpanel - Laravel Admin Panel & Dynamic Website Starter Kit up and running quickly.

1
Install
Download and install the package
2
Configure
Set up your configuration
3
Deploy
Launch your application

Need More Help?

Our comprehensive documentation covers everything from basic setup to advanced configurations. Check out these additional resources:

Was this helpful?

Let us know if you found this documentation useful.