Extended Security offers hardening options for administrators - to further lock down their Pyramid instance. While the system remains secure without these options, there are often requirements or scenarios where admins would like to extend the standard security apparatus already in place.
- Delegate Kerberos: If using Windows Authentication as the method for authentication, you can optionally turn this on to continue delegating the Kerberos tickets through the system They are only required when using Kerberos delegated authentication - currently SAP BW Logon Tickets and MS SQL Server Relational Authentication with Windows Auth. It is NOT required for MS Analysis Services Authentication. Turning this off, if not needed, will positively impact performance.
- Network Security: this links through to the network settings page to enable encryption for internal communications between the Pyramid services. If you instance of Pyramid is installed behind a secure firewall and network, this option is mostly superfluous.Turning this off, if not needed, will positively impact performance.
- Mobile Devices: this links to the mobile device settings page to enable mobile session timeout.
These settings impact the way the HTML clients and cookies are handled and secured.
- Block Cross-Origin Resource Sharing (CORS): prevent the server from accepting requests from other domains. By default, this is switched off to allows for embedding, for which CORS is needed. If you don't use embedding and you want to increase security, you can turn on this option. After switching this option on or off, you must restart your web servers in order for the change to take effect. Note that if this option is enabled, embedding capabilities will be disabled.
- Block iframe hosting: configure if and how the client can be hosted in Iframes.
- Deny: This blocks all Iframe hosting. If Iframe hosting is blocked, Iframe embedding capabilities will be disabled.
- Allow: enables Iframe hosting
- Same Origin: enables Iframes hosted in the same website domain as Pyramid only
- Same Site:SameSite stops the browser from sending cookies along with cross-site requests. The goal is to lower the risk of cross-origin information leak, and to offer some protection against cross-site forgery attacks.
- Strict: stops the cookie being sent by the browser to the target site in all cross-site browsing contexts, including when following a regular link.
- Lax: the cookie is sent with GET requests or top-level navigation with a safe HTTP method.
- Enforce SSL secure cookies: choose this option to ensure all cookies are flagged for operation with SSL encrypted websites only (HTTPS). When this option is selected, the application will be blocked from operating with plain HTTP.
- Cookie Timeout: enable to force the security cookies to expire. When the cookie expires, the full client application will display a message to all users and redirect them to the login page, where they will need to login again. Native apps (mobile and tablet) will also display a message and prompt users to login again.
- Embed Cookie Timeout: enable to force the embed token to expire - only relevant if using embedded content.
- In this scenario, the pyramid.authFailure API; you can implement the behavior of this function. For example, you may want to redirect users to the Pyramid login page, or show them a message.
- Use Client-side Hashing: this mechanism adds a hash check to all critical client side functions to ensure that only authorized users are performing authorized activities on relevant content.