Security Settings
The Security section of the Console provides controls for protecting your Auris tenant against unauthorized access, credential stuffing, brute-force attacks, and automated abuse. All security protections operate at the platform level and apply across all applications in your tenant.
Access Security Settings via Console → Settings → Security.
IP Allow / Block Lists
IP rules let you explicitly permit or deny login attempts from specific IP addresses or CIDR ranges. Rules are evaluated before authentication, meaning a blocked IP is rejected before any credentials are checked.
How Rules Work
Auris evaluates IP rules in the following order:
- Block rules are checked first. If the incoming IP matches any block rule, the request is rejected immediately.
- Allow rules are checked next. If the tenant has any allow rules configured and the incoming IP does not match any allow rule, the request is rejected.
This means:
- If you have no IP rules, all IPs are permitted
- If you have only block rules, all IPs except those blocked are permitted
- If you have any allow rules, only IPs matching those allow rules are permitted (plus any explicitly blocked rules override the allow rules)
Rule Scope
| Scope | Behavior |
|---|---|
| Tenant-wide | Applies to all login attempts across all applications |
| Per-application | Applies only when logging in to a specific registered application |
Adding an IP Rule
Open IP Rules
Go to Settings → Security → IP Allow / Block Lists.
Click Add Rule
Click the Add Rule button.
Fill in the rule details
| Field | Required | Description |
|---|---|---|
| CIDR Range | Yes | IP address or CIDR block (for example, 192.168.1.0/24 or 203.0.113.42/32) |
| Rule Type | Yes | Allow or Block |
| Scope | Yes | Tenant-wide or a specific application |
| Label | No | A short name for administrative reference (for example, “Office Network”) |
| Note | No | Additional details about why this rule exists |
| Temporary | No | Whether this rule expires automatically |
| Expires At | If temporary | The datetime when this rule is automatically removed |
Save
Click Save. The rule takes effect immediately.
Common Use Cases
- Block a known bad actor’s IP range: Add a block rule for the attacker’s CIDR range
- Restrict an admin application to office IPs: Add allow rules for your office IP ranges and set scope to the admin application
- Temporary access for a contractor: Add a temporary allow rule that expires after their engagement ends
Be careful when adding tenant-wide allow rules. If you add an allow rule without also having rules that cover all legitimate users’ IP ranges, you may lock users out. Always test with a specific application scope before applying allow rules tenant-wide.
Brute-Force Protection
Brute-force protection automatically locks out user accounts after a configured number of consecutive failed login attempts. This defends against password guessing and credential stuffing attacks.
Configuration
Go to Settings → Security → Brute-Force Protection.
| Setting | Description | Default |
|---|---|---|
| Failed Attempts Threshold | Number of consecutive failures before lockout | 10 |
| Lockout Duration | How long the account is locked (minutes) | 15 |
| Lockout Duration Multiplier | Multiplier applied to lockout duration for repeated lockouts | 1 (no escalation) |
| Lockout Scope | Lock per IP, per account, or both | Per account |
Lockout Duration Multiplier
When set above 1, each subsequent lockout for the same account increases the lockout duration:
- First lockout: 15 minutes
- Second lockout (multiplier = 2): 30 minutes
- Third lockout: 60 minutes
- And so on
This escalation policy makes repeated automated attacks progressively more expensive.
Managing Locked Accounts
The Locked Accounts table on the Brute-Force Protection page shows all currently locked accounts:
| Column | Description |
|---|---|
| User | Email and name |
| Locked Since | When the account was locked |
| Unlocks At | When the lockout automatically expires |
| Reason | Which protection tier triggered the lockout |
Manual Unlock
Click Unlock next to any account to immediately release the lockout without waiting for the timer. Use this when a legitimate user contacts support after being locked out.
Suspicious Login Detection
Suspicious login detection analyzes each successful login for behavioral signals that may indicate account compromise. Unlike brute-force protection (which triggers on failures), suspicious login detection runs after authentication succeeds.
Detection Methods
Enable or disable each detector independently:
| Detector | Description | Recommended |
|---|---|---|
| New Device | Login from a device fingerprint not previously seen for this user | Yes |
| New IP Address | Login from an IP not previously used by this user | Optional (high volume on mobile) |
| New Country | Login from a country not previously seen for this user | Yes |
| Impossible Travel | Login location is physically unreachable from the previous login location in the elapsed time | Yes |
| VPN / Proxy | Login IP is identified as a VPN exit node, proxy server, or data center | Optional |
Actions Per Detection
For each detection type, configure what happens when a suspicious login is detected:
| Action | Behavior |
|---|---|
| Log Only | Record the event in audit logs. No user impact. |
| Notify User | Send an email to the user informing them of the suspicious login. |
| Block Login | Reject the authentication, even after successful credentials and MFA. |
| Require MFA | Demand an additional MFA factor if not already completed. |
You can set different actions for different detection types. A recommended starting configuration:
| Detector | Action |
|---|---|
| New Device | Notify User |
| New Country | Require MFA |
| Impossible Travel | Block Login |
| VPN / Proxy | Log Only |
Impossible Travel Configuration
| Setting | Description | Default |
|---|---|---|
| Maximum Travel Speed | Maximum km/h that the algorithm considers physically possible | 900 km/h (airplane speed) |
| GeoIP Provider | The service used for IP-to-location mapping | ip-api.com (free) |
GeoIP Providers
| Provider | Cost | Accuracy | Notes |
|---|---|---|---|
| ip-api.com | Free (1000 req/min) | City level | Good for most use cases |
| MaxMind GeoIP2 | Paid license | City level | Higher accuracy, offline database |
To use MaxMind, enter your MaxMind license key in the GeoIP configuration and Auris will use the MaxMind API for lookups.
Reviewing Suspicious Login Events
Go to Settings → Security → Suspicious Logins to see a table of all detected events:
| Column | Description |
|---|---|
| User | Who authenticated |
| Timestamp | When the login occurred |
| Detection Reason | Which detector was triggered |
| Severity | Low, Medium, or High |
| Action Taken | What Auris did (log, notify, block, require MFA) |
| Reviewed | Whether an administrator has reviewed this event |
Click any event to see full details including the source IP, resolved location, device fingerprint, and the previous login data that triggered the anomaly.
Mark events as reviewed to track which suspicious logins have been investigated.
CAPTCHA
CAPTCHA integration adds a bot challenge to specified authentication pages, reducing automated account creation, login abuse, and credential stuffing attacks.
Supported Providers
| Provider | Type | Notes |
|---|---|---|
| Cloudflare Turnstile | Challenge-free / invisible | Recommended. No user interaction required in most cases. |
| hCaptcha | Image challenge | Privacy-focused alternative to reCAPTCHA |
| reCAPTCHA v3 | Score-based / invisible | Score-based, no explicit challenge shown to users |
Configuration
Select a CAPTCHA provider
Go to Settings → Security → CAPTCHA and choose your provider from the dropdown.
Obtain credentials from the provider
- Cloudflare Turnstile: Create a site at dash.cloudflare.com under Turnstile. Copy the Site Key and Secret Key.
- hCaptcha: Register at hcaptcha.com and create a site. Copy the Site Key and Secret Key.
- reCAPTCHA v3: Register at google.com/recaptcha . Copy the Site Key and Secret Key.
Enter credentials in the Console
Enter the Site Key (public, used in the browser) and Secret Key (used server-side for verification) in the CAPTCHA configuration form.
Configure the trigger
| Trigger | Behavior |
|---|---|
| Always | CAPTCHA challenge on every page load, for every user |
| On Suspicious | CAPTCHA triggered only when the IP or user agent appears suspicious |
| After Failures | CAPTCHA triggered after a configurable number of failed login attempts |
Choose which pages show CAPTCHA
Toggle which authentication pages should include the CAPTCHA challenge:
- Login page
- Registration page
- Password reset page
Set score threshold (reCAPTCHA v3 and Turnstile only)
For score-based providers, set the minimum score to accept. Requests scoring below the threshold are rejected as likely bots. Recommended starting value: 0.5.
Cloudflare Turnstile is the recommended provider because it is privacy-preserving, works without user interaction in most cases (no image puzzles), and is free for most traffic volumes. If your application is served behind Cloudflare, Turnstile performance is significantly improved.
Rate Limiting
Auris applies sliding-window rate limiting to all API endpoints to prevent abuse and protect against denial-of-service conditions. Rate limiting is configured at the platform level and is not fully customizable from the Console, but the current limits are visible in the Console.
Rate Limit Tiers
Go to Settings → Security → Rate Limiting to view the current configuration:
| Tier | Applies To | Default Limit | Window |
|---|---|---|---|
| Auth | Login, token exchange, password reset, magic link request | 10 requests | 1 minute |
| Sensitive | MFA verification, account settings changes, email changes | 5 requests | 1 minute |
| API | All authenticated API requests | 100 requests | 1 minute |
| Public | Unauthenticated endpoints (OIDC discovery, JWKS, health) | 30 requests | 1 minute |
Rate Limit Response Headers
When a rate limit is applied, the API returns HTTP 429 Too Many Requests with standard headers:
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1736000000
Retry-After: 60Note: Rate limit thresholds are configurable at the infrastructure level in
apps/api/.env. The Console page is read-only and shows the currently active configuration.
Attack Protection Dashboard
Go to Settings → Attack Protection for an overview dashboard showing security activity across all protection layers:
- Recent Blocked Attempts: Timeline chart of IP-blocked requests over the last 7 days
- Brute-Force Lockouts: Count of account lockouts, most targeted accounts
- Suspicious Login Events: Count by severity, actions taken
- CAPTCHA Failures: Rate of requests rejected by CAPTCHA score threshold
Use this dashboard during a suspected attack to monitor protection effectiveness in real time.
Related Guides
- Suspicious Login Detection — Technical Reference — How GeoIP lookup and impossible travel detection work
- Adaptive MFA — Risk-score-based MFA enforcement
- IP Rules API — Manage IP rules programmatically via the REST API
- CAPTCHA Integration — Developer guide for custom CAPTCHA integration