GUIDE · SECURITY & ADMINISTRATION

Security & Administration Guide

Harden your ForsetiDesk installation with HTTPS, LDAP SSO, session controls, audit logging, and secure backup procedures.

Security Architecture

ForsetiDesk is built with a defense-in-depth approach. Every HTTP request passes through multiple security layers before reaching route handlers:

Helmet.js — sets HTTP security headers (CSP, HSTS, X-Frame-Options, X-XSS-Protection)
CORS — whitelist-only origin policy; rejects cross-origin requests from unlisted domains
Rate limiting — 200 requests/minute globally; 5 login attempts/15 minutes per IP+email
JWT authentication — Bearer token required on all /api/* routes except login and setup
Active user check — every authenticated request verifies the user account is still active in the database (deactivated accounts are rejected immediately even with a valid token)
Role enforcement — requireRole() on every protected route; CLIENT role is isolated to their own tickets only
Feature enforcement — enforceProFeature() on all Pro/Business/Enterprise endpoints

HTTPS / TLS Setup

ForsetiDesk includes a built-in TLS manager that can generate self-signed certificates or obtain trusted certificates from Let's Encrypt. Navigate to Admin → Security → TLS / Certificates.

Self-Signed Certificate (LAN Use)

Click the Self-Signed tab.
Select the IP addresses and hostnames to include in the Subject Alternative Name (SAN) list. The system auto-detects local IPs.
Add any additional domains or public IPs as needed.
Click Generate Certificate. ForsetiDesk creates a CA certificate and a server certificate signed by that CA.
Enable HTTPS via the toggle. The service restarts on HTTPS; HTTP on the old port issues a redirect.
Click Download CA Certificate and distribute it to all client machines and mobile devices that will access the server. Install the CA in the OS trusted certificate store.

Browser trust: After installing the CA cert on a machine, restart the browser. Chrome requires the CA cert to be imported into the system trust store (not just the browser's own store) for the connection to appear fully trusted.

Custom Certificate Upload

If you have a certificate from an internal CA or a commercial CA, click Replace Certificate and upload the PEM-format certificate and private key files. ForsetiDesk will use your certificate instead of generating one.

Let's Encrypt (Public Domain)

For servers accessible on the internet with a registered domain, Let's Encrypt provides free, automatically-renewed, publicly-trusted certificates.

Prerequisites

A registered domain name (e.g., desk.yourcompany.com) with an A record pointing to your server's public IP
Port 80 accessible from the internet (needed only during certificate issuance/renewal)
Port 443 accessible from the internet (for ongoing HTTPS access)

Setup

Click the Let's Encrypt tab in Admin → Security → TLS / Certificates.
Enter your domain (e.g., desk.yourcompany.com) and a contact email for expiry notices.
Click Request Certificate. ForsetiDesk starts a temporary HTTP server on port 80 to complete the ACME HTTP-01 challenge.
Once issued, HTTPS is enabled automatically. The certificate is valid for 90 days and auto-renews at 3am daily (when it is within 30 days of expiry).

Port 80 conflict: If IIS or another service holds port 80, the ACME challenge will fail. Run net stop W3SVC in an administrator command prompt before requesting the certificate. Port 80 can be blocked again after issuance.

Configurable Session Timeout

Control how long authenticated sessions remain valid before users must log in again. Navigate to Admin → Security → Session.

Available timeout values: 10, 15, 30, 45, 60 (default), 90, 120, 180, and 240 minutes.

Warning Banners

ForsetiDesk warns users before their session expires:

5 minutes remaining — blue informational banner with a Refresh Session button
1 minute remaining — amber urgent banner
Session expired — automatic logout and redirect to the login page with an expiry message

Users can extend their session by clicking Refresh Session without re-entering their password.

Changing the session timeout only affects new tokens issued after the change. Existing sessions continue until their original expiry.

Password Policy

All user passwords must meet these requirements:

Minimum 12 characters
At least one uppercase letter
At least one lowercase letter
At least one number
At least one special character (!@#$%^&* etc.)

Passwords are hashed with bcrypt (10 rounds) before storage. Plaintext passwords are never stored, logged, or transmitted after the initial API call.

Account Lockout

After 5 failed login attempts within 15 minutes from the same IP address, ForsetiDesk returns a rate-limit response. The lockout is automatic and self-resolves after 15 minutes. Admins can reset the rate limiter by restarting the service.

Rate Limiting

Endpoint	Limit	Window
All API endpoints	200 requests	Per minute, per IP
POST /api/auth/login	5 attempts	Per 15 minutes, per IP+email
LDAP test-connection	5 requests	Per minute, per IP
LDAP test-auth	5 requests	Per minute, per IP

Requests from localhost skip the login rate limit to allow automated testing and installer scripts.

LDAP / Active Directory SSO

Enterprise licenses can integrate ForsetiDesk with an LDAP directory (Active Directory, OpenLDAP, etc.) for single sign-on authentication.

Enterprise feature: LDAP/AD SSO requires an Enterprise license.

Configuration

Go to Admin → Security → LDAP / AD.
Enter your LDAP server details:

Field	Description
Host	LDAP server hostname or IP (e.g., `dc01.yourcompany.com`)
Port	389 for LDAP, 636 for LDAPS
Use TLS	Enable for LDAPS (recommended for production)
Bind DN	Service account DN (e.g., `CN=svc_forseti,OU=ServiceAccounts,DC=corp,DC=com`)
Bind Password	Service account password (stored AES-256-GCM encrypted)
Base DN	Where to search for users (e.g., `OU=Users,DC=corp,DC=com`)
Username Attribute	`sAMAccountName` for AD, `uid` for OpenLDAP
Email Attribute	Usually `mail`
Name Attribute	Usually `displayName` or `cn`

Click Test Connection to verify the bind account can reach the LDAP server.
Click Test Authentication and enter a test user's credentials to verify end-to-end authentication.
Click Save. LDAP auth is now active alongside local auth.

How LDAP Auth Works

When a user logs in, ForsetiDesk first checks if an active local account with that email exists and has authSource = LDAP.
If found, credentials are validated against the LDAP server using a simple bind.
If no account exists but LDAP auth succeeds, ForsetiDesk auto-provisions an account with the TECH role. An admin can then upgrade the role as needed.
ADMIN accounts always fall back to local authentication regardless of LDAP config — this prevents lockout if the LDAP server becomes unavailable.

User Audit Log

The User Audit Log records all admin-initiated user modifications for compliance and forensics. This is an Enterprise feature.

Navigate to Admin → Users → Audit Log to view a chronological list of all actions with the actor, target user, action type, and timestamp.

Logged actions include: user created, user updated (with which fields changed), user deactivated, user reactivated, role changed, password reset, mobile access revoked, and user deleted.

The audit log is append-only and cannot be edited or deleted, even by ADMINs. It is stored in the UserAuditLog database table.

Backup & Restore

ForsetiDesk uses PostgreSQL's pg_dump for backups. This is a Pro feature.

Creating a Backup

Go to Admin → Database → Backup.
Click Create Backup Now. A timestamped SQL dump is written to the backup directory (default: C:\Program Files (x86)\ForsetiDesk\backups\).
The backup appears in the list with size and creation time. Click Download to save a copy off-server.

Restoring a Backup

In the Backup panel, select a backup file from the list.
Click Restore and confirm. This will drop and recreate the database using the selected backup file.
The service restarts automatically after a successful restore.

Warning: Restore is a destructive operation. All data created after the backup date will be lost. Always create a fresh backup before restoring an older one, in case you need to roll back the rollback.

Configuring the Backup Path

Set a custom backup storage directory in Admin → Database → Backup → Settings. This is useful for pointing backups to a network share or external drive.

BYODB — External Database

Enterprise licenses can connect ForsetiDesk to an external PostgreSQL server (14+) instead of the bundled local instance. This enables use of managed database services, HA clusters, or centralized database administration.

Enterprise feature: BYODB requires an Enterprise license.

Go to Admin → Database → Configuration.
Enter the external database URL (e.g., postgresql://user:[email protected]:5432/forsetidb?sslmode=require).
Click Test Connection to verify connectivity.
Click Apply. ForsetiDesk runs a schema push (prisma db push) against the external database to create all required tables.
The service restarts and now uses the external database.

To revert to the local bundled database, click Revert to Local.

JWT Secrets & Configuration

ForsetiDesk uses RSA-signed JWTs for session tokens and a separate symmetric secret for general JWT signing. These are stored in C:\Program Files (x86)\ForsetiDesk\config\secrets.cfg.

Never commit secrets.cfg to version control. This file contains your JWT_SECRET and DATABASE_URL. Keep it backed up securely and restrict file-system access to the service account.

To rotate the JWT secret, update the JWT_SECRET value in secrets.cfg and restart the service. All existing sessions will be invalidated — users will need to log in again.

Security Hardening Checklist

☐ Change the default admin password immediately after installation
☐ Enable HTTPS — use Let's Encrypt for internet-facing servers, self-signed for LAN-only
☐ Set an appropriate session timeout for your environment (Admin → Security → Session)
☐ Configure SMTP notifications so security-relevant events (SLA breach, QA rejection) are emailed to the right people
☐ Enable User Audit Log (Enterprise) for compliance requirements
☐ Schedule regular backups and test restores periodically
☐ Restrict Windows Firewall to only expose ports 443 (HTTPS) and briefly 80 (Let's Encrypt renewal)
☐ Run ForsetiDesk as a dedicated limited-privilege Windows service account (not LocalSystem)
☐ Keep ForsetiDesk updated — each release includes security fixes; review the changelog before upgrading
☐ If using LDAP, use LDAPS (port 636 with TLS) — never plain LDAP in production
☐ Store the secrets.cfg backup in a secrets manager, not in source control
☐ Periodically review the User Audit Log for unexpected user creation or role escalations