ShelterOps

Security Settings

ShelterOps is designed to require a username and password to log in.  Once logged in, a user can only access modules in which the user has been given permission.  Access permissions can be defined per user for each module from within the Users module, with additional admin level permission also available (Delete, Reports, Users, Setup, Audit).   Users can only be created by a user with Setup or User permissions.

Sessions for logged in users are automatically recreated every 30 minutes in order to minimize the possibility of session hijacking. 

In order to add or modify data, users are required to enter a PIN for each addition or modification.  This prevents users with insufficient permissions from entering or modifying data on another user's workstation.

The software can be configured to restrict log in between specific time periods (for example: from 10pm to 5am).  Users with Setup permissions will still be able to log in during the restricted time period.

To further secure your installation of the software, it is recommended you utilize SSL encryption.  To enable SSL encryption using the SSL certificate on your server, add the following lines to the .htaccess file in the root directory of ShelterOps.  Change the folder name to match the directory of ShelterOps, and change the URL to match the domain of your website.

Options -Indexes
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} MyShelterOpsFolder
RewriteRule ^(.*)$ https://MyWebsite.com/MyShelterOpsFolder/$1 [R,L]

Additional security recommendations include hardening your web server with ModSecurity and enabling OSWASP.