Open
Description
Add automated security checklist
Problem
If I am setting up FusionAuth, I may not be aware of some of the security ramifications of my configuration choices.
Solution
I'd like to have an automated checklist that I can view in the UI. Alternatively or in addition, I'd like to see an event in the event log or get a webhook fired if there are any new items added to this list.
This list would audit the FusionAuth environment in real time and, if it saw anything being used that was not recommended security-wise, would add it to the list (or fire an event).
Inclusions:
- anything ruled out by the security BCP or OAuth 2.1
- overly broad API keys
- an old version of FusionAuth
- anything covered by a CVE
- insecure tenant settings (too long for email verification, session length, etc.)
- insecure password hashing settings
- small HMAC to sign JWTs (?)
- ... TBD
Alternatives/workarounds
Do this security audit manually.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
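As an added example (not FusionAuth's own code), a small Python audit that runs a few of the checks from the inclusion list above over a constructed configuration snapshot. The field names loosely follow the shape of FusionAuth's Tenant, Key and API Key APIs (an assumption), and every threshold and the version floor are assumed policy values, not FusionAuth recommendations.

```python
# Added example, not FusionAuth's code. JSON keys loosely follow FusionAuth's
# Tenant, Key and API Key APIs (assumed); all thresholds are assumed policy values.
MIN_HMAC_BITS = 256               # an HS256 secret should be at least the hash output size
MAX_JWT_TTL_SECONDS = 3600        # access tokens living longer than an hour get flagged
MAX_EMAIL_VERIFY_SECONDS = 86400  # verification links valid for more than a day
MIN_PBKDF2_FACTOR = 100_000
WEAK_HASH_SCHEMES = {"salted-md5", "salted-sha256"}
MINIMUM_VERSION = (1, 40, 0)      # constructed floor for the "old version" check

SNAPSHOT = {  # constructed snapshot of a deliberately misconfigured deployment
    "version": "1.36.0",
    "tenants": [{
        "name": "Default",
        "passwordEncryptionConfiguration": {"encryptionScheme": "salted-pbkdf2-hmac-sha256", "factor": 10_000},
        "jwtConfiguration": {"timeToLiveInSeconds": 86400},
        "externalIdentifierConfiguration": {"emailVerificationIdTimeToLiveInSeconds": 604800},
    }],
    "keys": [{"name": "Default signing key", "algorithm": "HS256", "secret": "changeme"}],
    "apiKeys": [{"name": "ci-key", "permissions": {"endpoints": {}}}],
}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit(snapshot):
    # Returns one finding string per insecure setting; an empty list means nothing flagged.
    findings = []
    if parse_version(snapshot["version"]) < MINIMUM_VERSION:
        findings.append(f"old version {snapshot['version']}")
    for t in snapshot["tenants"]:
        pw = t["passwordEncryptionConfiguration"]
        scheme, factor = pw["encryptionScheme"], pw["factor"]
        if scheme in WEAK_HASH_SCHEMES:
            findings.append(f"{t['name']}: weak password hash {scheme}")
        elif scheme.startswith("salted-pbkdf2") and factor < MIN_PBKDF2_FACTOR:
            findings.append(f"{t['name']}: PBKDF2 factor {factor} < {MIN_PBKDF2_FACTOR}")
        ttl = t["jwtConfiguration"]["timeToLiveInSeconds"]
        if ttl > MAX_JWT_TTL_SECONDS:
            findings.append(f"{t['name']}: JWT lifetime {ttl}s > {MAX_JWT_TTL_SECONDS}s")
        verify = t["externalIdentifierConfiguration"]["emailVerificationIdTimeToLiveInSeconds"]
        if verify > MAX_EMAIL_VERIFY_SECONDS:
            findings.append(f"{t['name']}: email verification id lives {verify}s")
    for key in snapshot["keys"]:
        bits = len(key["secret"].encode()) * 8
        if key["algorithm"].startswith("HS") and bits < MIN_HMAC_BITS:
            findings.append(f"key {key['name']}: {bits}-bit HMAC secret < {MIN_HMAC_BITS}")
    for api_key in snapshot["apiKeys"]:
        # Assumption: an API key with no endpoint restrictions has full access.
        if not api_key.get("permissions", {}).get("endpoints"):
            findings.append(f"api key {api_key['name']}: unrestricted (overly broad)")
    return findings
```

Each finding is the kind of item the issue wants surfaced in a UI list or emitted as an event; wiring the snapshot to live API responses is left out here.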