Magento 2.x Admin Security

To secure the Magento 2 admin so that only authorized users can access the system, follow these steps in the Magento 2 admin:

  • Go To Magento 2 Admin
  • Stores–Configuration–Advanced–System–Admin
  • Admin User Emails
The following three parts are given under Admin User Emails:

Forgot Password Email Template: Select the Forgot Password email template from the drop down list of email templates. By default this is Forgot Admin Password (Default).

Forgot & Reset Email Sender: Select the contact used for forgot & reset password emails. By default this is General Contact, so the email address configured for General Contact is used for those emails. Sales Representative or any custom contact can also be chosen from the drop down list.

User Notification Template: Select the User Notification email template, which is used for all email notifications sent to Admin about user activity.
  • Admin Base URL
The following three parts are given under Admin Base URL:

Use Custom Admin URL: Select Yes if the Admin User wants a custom admin URL.

Use Custom Admin Path: Select Yes if the Admin User wants a custom admin path.

Custom Admin Path: Provide the custom admin path name if the Admin User wants one.
  • Startup Page
Once an Admin User logs in, Magento 2 admin redirects to the Dashboard page by default. If the Admin User wants a different landing page, select another admin page from the drop down list, which lists all admin pages below Dashboard.

  • Security
The following options are given under Security:

Admin Account Sharing: By default Yes, which means the same Admin User credentials can be logged in on multiple systems at the same time.
If set to No, the same Admin User credentials cannot be used to log in on multiple systems at the same time.

Password Reset Protection Type: By default IP and Email; the Admin User can instead select By IP, By Email, or None from the drop down list.



Recovery Link Expiration Period (hours): How long a password recovery link stays valid. By default 2 hours; if the Admin User wants a longer period, enter a value greater than 2.

Max Number of Password Reset Requests: Limits the number of password reset requests per hour. Use 0 to disable.

Min Time Between Password Reset Requests: Delay in minutes between password reset requests. Use 0 to disable.

Add Secret Key to URLs: By default Yes. If the Admin User does not want a secret key appended to admin URLs, select No from the drop down.

Login is Case Sensitive: By default No. If the Admin User wants the login user name to be case sensitive, select Yes from the drop down.

 
Admin Session Lifetime (seconds): By default 900 seconds [15 minutes]. The Admin User can modify the value, but it must be at least 60 seconds and at most 31536000 seconds (one year).

Maximum Login Failures to Lockout Account: By default 6, the maximum number of failed login attempts with incorrect Admin credentials before the account is locked. The Admin User can enter a different value; the feature is disabled if the value is empty.

Lockout Time (minutes): By default 30 minutes; increase as required.

Password Lifetime (days): By default 90 days; increase as required. The feature is disabled if the value is empty.

Password Change: By default Forced. If the Admin User wants to change this, select Recommendation from the drop down list.

With Forced, a password is accepted while creating / updating it only if it meets the strong password requirements.

With Recommendation, the strong password guidelines are displayed while creating / updating a password.
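The Security options above are also exposed as configuration values that can be set from the command line, which makes it practical to audit them in bulk. The script below is an added example, not code from the original article: it checks a set of exported admin-security values against the limits described on this page and emits the bin/magento config:set lines for a hardened baseline. The core_config_data paths are assumed from Magento's system.xml and are not given on this page; verify them against your installation.

```python
# Added example (not the article's code): audit exported Magento 2 admin-security
# values against the limits above and emit bin/magento config:set lines for a
# hardened baseline. Config paths assumed from Magento's system.xml; verify them.
PATHS = {
    "admin_account_sharing": "admin/security/admin_account_sharing",
    "use_form_key": "admin/security/use_form_key",  # Add Secret Key to URLs
    "session_lifetime": "admin/security/session_lifetime",
    "lockout_failures": "admin/security/lockout_failures",
    "lockout_threshold": "admin/security/lockout_threshold",  # Lockout Time
    "password_lifetime": "admin/security/password_lifetime",
    "password_is_forced": "admin/security/password_is_forced",  # 1 = Forced
}
# Baseline: the page's defaults, except Admin Account Sharing set to No so
# one credential cannot hold sessions on several machines at once.
BASELINE = {"admin_account_sharing": "0", "use_form_key": "1",
            "session_lifetime": "900", "lockout_failures": "6",
            "lockout_threshold": "30", "password_lifetime": "90",
            "password_is_forced": "1"}
# Constructed sample of a weak configuration (not real data).
WEAK_SAMPLE = {"admin_account_sharing": "1", "use_form_key": "0",
               "session_lifetime": "30", "lockout_failures": "",
               "password_lifetime": "", "password_is_forced": "0"}

def audit(settings):
    """Return a list of findings for weak, disabled or out-of-range values."""
    findings = []
    if settings.get("admin_account_sharing", "1") == "1":
        findings.append("admin_account_sharing=Yes: shared logins hide who did what")
    if settings.get("use_form_key", "1") == "0":
        findings.append("use_form_key=No: secret key removed from admin URLs")
    life = settings.get("session_lifetime", "900")
    if not life.isdigit() or not 60 <= int(life) <= 31536000:
        findings.append(f"session_lifetime={life!r}: must be 60..31536000 seconds")
    elif int(life) > 900:
        findings.append(f"session_lifetime={life}: longer than the 900 s default")
    for key, what in (("lockout_failures", "login lockout"),
                      ("password_lifetime", "password expiry")):
        if settings.get(key, "") == "":
            findings.append(f"{key} empty: {what} is disabled")
    if settings.get("password_is_forced", "1") == "0":
        findings.append("password_is_forced=Recommendation: weak passwords accepted")
    return findings

def remediation_commands(settings):
    """One bin/magento config:set line per key that differs from BASELINE."""
    return [f"bin/magento config:set {PATHS[key]} {value}"
            for key, value in BASELINE.items() if settings.get(key, "") != value]

if __name__ == "__main__":
    print("\n".join(audit(WEAK_SAMPLE) + remediation_commands(WEAK_SAMPLE)))
```

Values can be exported for the audit with bin/magento config:show, and after applying the emitted commands a cache flush is needed for the new settings to take effect.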

