Enterprise Security Features

Comprehensive security documentation for the CAS authentication system

Security Rating: 10/10 Enterprise-Grade
All critical security layers implemented

Multi-layered Security Architecture

Bot Protection

  • Google reCAPTCHA v3
  • Invisible verification
  • Score-based validation (threshold 0.5)
  • No user interaction required

Rate Limiting

  • 5 requests per minute per IP
  • Immediate protection
  • 429 status with Retry-After header
  • Prevents brute force attacks

Account Lockout

  • 5 failed attempts = 30 min lock
  • Progressive security
  • Comprehensive audit logging
  • Automatic timeout recovery

Password Security

  • Enterprise complexity rules
  • Weak password detection
  • bcrypt/scrypt hashing
  • Character repetition limits

Multi-Factor Auth

  • TOTP (time-based one-time codes)
  • QR code enrollment
  • Backup codes available
  • Optional on a per-user basis

Network Security

  • IP whitelisting system
  • HMAC-SHA256 signatures
  • Timestamp validation
  • Anti-replay protection

Password Complexity Requirements

Required Elements

  • Minimum 8 characters in length
  • At least 1 uppercase letter (A-Z)
  • At least 1 lowercase letter (a-z)
  • At least 1 number (0-9)
  • At least 1 special character (!@#$%^&*)

Security Restrictions

  • No common weak passwords
  • No more than 3 consecutive identical chars
  • No dictionary words or patterns
  • Real-time strength validation

Example Valid Passwords:

MySecure123!
Enterprise#2024

Example Invalid Passwords:

password123 ✗ (too common)
aaaa1111 ✗ (repetitive characters)

Account Lockout System

Lockout Process

  1. Attempts 1-4: warning messages with the number of remaining attempts
  2. Attempt 5: account locked for 30 minutes
  3. After timeout: account automatically unlocked

API Responses

Warning Response (401)

{
  "error": "Invalid credentials",
  "attempts_remaining": 3,
  "lockout_warning": "Account will lock after 2 more attempts"
}

Locked Response (423)

{
  "error": "Account locked",
  "lockout_until": "2025-08-07T11:00:00Z",
  "remaining_minutes": 25
}

HMAC Signature Security

How HMAC Signatures Work

  1. Generate a Unix timestamp
  2. Create the payload: METHOD + URI + TIMESTAMP + BODY
  3. Sign it with HMAC-SHA256 using the webhook secret
  4. Include the result as the X-Signature header
  5. Server validates the signature and the timestamp

Security Benefits

  • Prevents replay attacks with timestamps
  • Ensures message integrity via hashing
  • Authenticates sender with shared secret
  • Detects tampering in transit
  • Military-grade security standard

Example Signature Generation

// Payload = METHOD . URI . TIMESTAMP . BODY (plain concatenation, no separators)
$webhookSecret = getenv('CAS_WEBHOOK_SECRET'); // shared secret from configuration; variable name is illustrative
$payload   = 'POST' . '/api/sso/token' . '1640995200' . '{"email":"user@example.com"}'; // email is a placeholder
$signature = hash_hmac('sha256', $payload, $webhookSecret);
$header    = 'X-Signature: sha256=' . $signature;
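The same scheme in Python, as an added example that is not the CAS project's own code, extended with the server-side checks step 5 describes: timestamp freshness (anti-replay) and a constant-time signature comparison. The secret, the 300-second freshness window and the email address are assumed placeholders, not values from this documentation.

```python
import hashlib
import hmac
import time

# Placeholders (assumed, not taken from the CAS docs): load the real secret from
# configuration, and set the window to whatever freshness the server is configured to accept.
WEBHOOK_SECRET = b"example-webhook-secret"
MAX_SKEW_SECONDS = 300


def build_payload(method: str, uri: str, timestamp: int, body: str) -> str:
    # METHOD + URI + TIMESTAMP + BODY as plain concatenation, exactly as the scheme states.
    return f"{method}{uri}{timestamp}{body}"


def sign_request(method: str, uri: str, timestamp: int, body: str,
                 secret: bytes = WEBHOOK_SECRET) -> str:
    # Client side: the X-Signature header value, "sha256=" + hex HMAC-SHA256 of the payload.
    payload = build_payload(method, uri, timestamp, body).encode("utf-8")
    return "sha256=" + hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_request(method: str, uri: str, timestamp: int, body: str, header_value: str,
                   now=None, secret: bytes = WEBHOOK_SECRET, max_skew: int = MAX_SKEW_SECONDS):
    # Server side: reject stale timestamps first (replay protection), then recompute the HMAC
    # over the received fields and compare in constant time, so a mismatch reveals nothing
    # about how many leading bytes of the expected digest were correct.
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > max_skew:
        return False, "stale timestamp"
    expected = sign_request(method, uri, timestamp, body, secret)
    if not hmac.compare_digest(expected, header_value):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request using the values from the signature example above (email is a placeholder).
    ts, body = 1640995200, '{"email":"user@example.com"}'
    sig = sign_request("POST", "/api/sso/token", ts, body)
    print("X-Signature:", sig)
    print(verify_request("POST", "/api/sso/token", ts, body, sig, now=ts + 10))         # (True, 'ok')
    print(verify_request("POST", "/api/sso/token", ts, body + " ", sig, now=ts + 10))   # tampered body
    print(verify_request("POST", "/api/sso/token", ts, body, sig, now=ts + 3600))       # replayed later
```

How the timestamp itself reaches the server (a separate header or a field in the body) is not specified on this page; the verifier only needs the same decimal string the client signed.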

Comprehensive Audit & Monitoring

Security Events Logged

  • Login attempts (success/failure)
  • Account lockouts and unlocks
  • 2FA verification attempts
  • Password reset requests
  • IP whitelist violations
  • Rate limiting triggers
  • HMAC signature failures

Audit Data Collected

  • User ID and email
  • IP address and geolocation
  • User agent and device info
  • Timestamp (UTC)
  • Action details and context
  • Success/failure status
  • Security flags and warnings

Monitoring Features

  • Real-time security dashboards
  • Suspicious activity alerts
  • Failed attempt tracking
  • Geographic anomaly detection
  • Export capabilities for SIEM
  • Historical trend analysis
  • Compliance reporting

Security Best Practices

For Administrators

  • Regularly review audit logs
  • Monitor failed login attempts
  • Keep the IP whitelist updated
  • Rotate webhook secrets periodically
  • Enable 2FA for admin accounts
  • Set up security alerts

For Developers

  • Implement proper error handling
  • Use HTTPS for all communications
  • Validate HMAC signatures
  • Handle rate limiting gracefully
  • Store secrets securely
  • Test security features regularly