Tutorial: Configuring Security Settings

This tutorial walks you through configuring security controls in the Keeptrusts management console, including session management, network restrictions, authentication policies, and API key safeguards.

Use this page when

  • You need to configure session timeouts, IP allowlists, or 2FA enforcement for your organization.
  • You want to set password complexity requirements or account lockout policies.
  • You are restricting API key creation permissions or enforcing key expiry.
  • You need to harden the console for a high-security environment (finance, defense, healthcare).

Primary audience

  • Primary: Security engineers and organization admins hardening the console’s authentication and access controls
  • Secondary: Compliance officers verifying security controls for audit; IT admins managing SSO and network restrictions

Prerequisites

  • A Keeptrusts account with Admin role
  • Access to your organization's network CIDR ranges (for IP allowlists)
  • A TOTP authenticator app (for 2FA setup)

Why Security Settings Matter

The Keeptrusts console is your organization's control plane for AI governance. Compromised access to the console could allow an attacker to disable policies, exfiltrate event data, or modify gateway configurations. Hardening security settings reduces this risk.

Step 1: Navigate to Security Settings

  1. Log in to the Keeptrusts console.
  2. Open Settings from the left navigation sidebar.
  3. Select the Security tab.

The security settings page is organized into sections covering session management, network controls, authentication, and API access.

Step 2: Configure Session Timeout

Session timeouts automatically log out inactive users to prevent unauthorized access from unattended sessions.

  1. Under Session Management, locate the Session Timeout field.
  2. Choose a timeout duration:
     Duration      Recommended for
     15 minutes    High-security environments (finance, defense)
     30 minutes    Standard enterprise use
     1 hour        Development and testing environments
     4 hours       Low-risk internal tools
  3. Toggle Idle Timeout to enforce the timeout based on inactivity (no mouse or keyboard input) rather than on total session length.
  4. Click Save.

When a session times out, the user is redirected to the login page. Unsaved form data is lost.

Set shorter timeouts for production consoles and longer timeouts for development instances to balance security with usability.

Step 3: Configure IP Allowlist

IP allowlists restrict console access to specific network ranges, blocking login attempts from unauthorized locations.

  1. Under Network Controls, locate the IP Allowlist section.
  2. Click Add Range.
  3. Enter a CIDR range (e.g., 10.0.0.0/8 for internal networks or 203.0.113.50/32 for a specific IP).
  4. Add a label for the range (e.g., Corporate VPN, Office London).
  5. Repeat for all authorized network ranges.
  6. Toggle Enforce Allowlist to activate.
  7. Click Save.
Before enforcing the allowlist, verify that your current IP address falls inside one of the configured ranges. If you do lock yourself out, recovery requires out-of-band intervention (an API call from an address that is still allowed, or your platform administrator; see Troubleshooting under For engineers below), so document a break-glass range and a tested recovery path before you toggle enforcement.
  Scenario                          Action
  Remote workers on VPN             Add the VPN exit IP ranges
  Cloud-hosted CI/CD accessing API  Add the CI runner IP ranges
  Emergency access                  Keep a break-glass CIDR documented offline
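The pre-enforcement check described above, written out as an added example (this is not Keeptrusts code and the console exposes no such script; the allowlist entries are constructed to match the shape of the Add Range form, and the "broad range" threshold is an assumed policy, not a console setting):

```python
import ipaddress

# Constructed allowlist entries in the shape of the console's Add Range form
# (CIDR plus label). These ranges are illustrative, not real infrastructure.
ALLOWLIST = [
    ("10.0.0.0/8", "Corporate network"),
    ("203.0.113.50/32", "Office London egress"),
    ("198.51.100.0/24", "CI runners"),
]


def parse_allowlist(entries):
    """Parse (cidr, label) pairs into network objects, rejecting malformed input.

    strict=True makes an entry with host bits set (e.g. 10.1.2.3/8) fail loudly
    instead of being silently widened to the whole /8.
    """
    networks = []
    for cidr, label in entries:
        try:
            networks.append((ipaddress.ip_network(cidr, strict=True), label))
        except ValueError as exc:
            raise ValueError(f"bad allowlist entry {cidr!r} ({label}): {exc}") from exc
    return networks


def matching_ranges(networks, address):
    """Labels of every range containing `address`; an empty list means 'blocked'."""
    ip = ipaddress.ip_address(address)
    return [label for net, label in networks if ip.version == net.version and ip in net]


def overly_broad(networks, max_hosts=2 ** 16):
    """Flag ranges wider than `max_hosts` (assumed threshold: anything wider than a /16).

    A 0.0.0.0/0 style entry turns the allowlist into a no-op, and very wide
    private ranges usually cover far more than the admin workstations.
    """
    return [(str(net), label) for net, label in networks if net.num_addresses > max_hosts]


def preflight(entries, my_address):
    """Checks to run before toggling Enforce Allowlist."""
    networks = parse_allowlist(entries)
    hits = matching_ranges(networks, my_address)
    return {
        "would_lock_out": not hits,   # True: enforcing now locks this address out
        "matched": hits,
        "broad_ranges": overly_broad(networks),
    }


if __name__ == "__main__":
    # Replace the address with your own public egress IP before relying on this.
    print(preflight(ALLOWLIST, "203.0.113.50"))
    print(preflight(ALLOWLIST, "192.0.2.7"))
```

Run it with the egress address the console actually sees for you (for example the public IP of your VPN exit), not your LAN address; a proxy or VPN between you and the console changes which range has to be present.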

Step 4: Review CSRF Settings

Keeptrusts uses CSRF tokens to prevent cross-site request forgery attacks. The console automatically includes CSRF tokens in all state-changing requests.

  1. Under CSRF Protection, review the current configuration. The console sends the x-keeptrusts-csrf-token header on every POST, PUT, PATCH, and DELETE request. Because only those methods are covered, never expose a state change on a GET endpoint.
  2. CSRF protection is enabled by default and cannot be fully disabled.
  3. Choose a Token Rotation frequency:
     • Per Session: a single token for the lifetime of the session.
     • Per Request: a new token for every state-changing request (strictest; a token that leaks is unusable once it has been consumed).
  4. Click Save after making changes.
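To make the difference between the two rotation modes concrete, here is an added model of a server-side token check (example code, not the console's implementation; only the header name is taken from this page, and the session identifiers and request shapes are constructed):

```python
import hmac
import secrets

HEADER = "x-keeptrusts-csrf-token"  # header name documented on this page


class CsrfTokens:
    """Minimal server-side CSRF token store modelling the two rotation modes.

    mode="session": one token per session, valid until the session ends.
    mode="request": a token is consumed by its first valid use and a fresh one
    is returned with the response, so a captured token cannot be replayed.
    Header keys are assumed to be lower-cased before they reach validate().
    """

    def __init__(self, mode="session"):
        if mode not in ("session", "request"):
            raise ValueError(f"unknown rotation mode {mode!r}")
        self.mode = mode
        self._tokens = {}  # session_id -> current token

    def issue(self, session_id):
        """Mint a fresh unguessable token for the session (256 bits of entropy)."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, method, headers):
        """Return (accepted, token_to_send_back). Safe methods need no token."""
        if method.upper() in ("GET", "HEAD", "OPTIONS"):
            return True, self._tokens.get(session_id)
        expected = self._tokens.get(session_id)
        presented = headers.get(HEADER)
        if expected is None or presented is None:
            return False, None
        # Constant-time comparison so a timing side channel cannot leak the token.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, None
        if self.mode == "request":
            return True, self.issue(session_id)  # rotate: the old token is now dead
        return True, expected


if __name__ == "__main__":
    store = CsrfTokens("request")
    tok = store.issue("session-A")
    ok, nxt = store.validate("session-A", "POST", {HEADER: tok})
    print("first use accepted:", ok)
    print("replay accepted:", store.validate("session-A", "POST", {HEADER: tok})[0])
    print("fresh token accepted:", store.validate("session-A", "DELETE", {HEADER: nxt})[0])
```

Per Request buys you replay resistance for a token that leaks through logs or a browser extension, at the cost of breaking concurrent tabs that still hold the previous token; Per Session is the pragmatic default for admins who keep several console tabs open.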

Step 5: Set Password Policy

Password policies enforce minimum complexity requirements for local authentication accounts.

  1. Under Authentication, locate the Password Policy section.
  2. Configure the requirements:
     Setting                    Description                               Recommended
     Minimum Length             Minimum password character count          12+
     Require Uppercase          At least one uppercase letter             Yes
     Require Number             At least one numeric digit                Yes
     Require Special Character  At least one symbol                       Yes
     Password History           Prevent reuse of the last N passwords     5
     Max Age                    Force password change after N days        90
  3. Click Save.

Existing users whose current password does not meet the new requirements are prompted to change it at their next login. Note that NIST SP 800-63B advises against mandatory periodic rotation and composition rules for memorized secrets; keep Max Age at 90 days only where a framework you must comply with requires it, and put the weight on length and 2FA (Step 6).
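An added example of the complexity and Password History rules as a validator (illustration only, not Keeptrusts code; the policy values are the Recommended column above, the Max Age rule is time-based and is left to a scheduler, and the KDF and iteration count are assumptions):

```python
import hashlib
import secrets
import string

# Policy values taken from the Recommended column of the table above.
POLICY = {"min_length": 12, "require_upper": True, "require_number": True,
          "require_special": True, "history": 5}


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 is used only because it ships with the standard library;
    # a production store would use a memory-hard KDF such as Argon2id.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_violations(password, policy=POLICY):
    """Return the rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy["require_number"] and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy["require_special"] and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


class PasswordHistory:
    """Salted hashes of a user's last N passwords, backing the Password History rule.

    Storing hashes rather than plaintext means a leaked history table does not
    hand an attacker the user's previous passwords.
    """

    def __init__(self, keep):
        self.keep = keep
        self._entries = []  # newest first: (salt, digest)

    def was_used(self, password):
        return any(secrets.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = secrets.token_bytes(16)
        self._entries.insert(0, (salt, _hash(password, salt)))
        del self._entries[self.keep:]  # drop anything older than the last N


def change_password(history, candidate, policy=POLICY):
    """Apply the complexity rules, then the reuse check; returns [] on success."""
    problems = policy_violations(candidate, policy)
    if not problems and history.was_used(candidate):
        problems.append(f"reused one of the last {history.keep} passwords")
    if not problems:
        history.record(candidate)
    return problems


if __name__ == "__main__":
    hist = PasswordHistory(keep=POLICY["history"])
    print(change_password(hist, "short"))
    print(change_password(hist, "Correct-Horse-9"))
    print(change_password(hist, "Correct-Horse-9"))  # reuse is rejected
```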

Step 6: Enforce Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step to the login flow using a TOTP authenticator app.

  1. Under Authentication, locate the Two-Factor Authentication section.
  2. Choose an enforcement level:
     Level                Behavior
     Optional             Users can enable 2FA in their profile
     Required for Admins  Admin-role users must enable 2FA
     Required for All     Every user must enable 2FA
  3. Set a Grace Period for users who have not yet enrolled (e.g., 7 days).
  4. Click Save.

Users who have not enrolled in 2FA by the end of the grace period are locked out until they complete enrollment. Admins can reset a user's 2FA from the Users management page; treat a reset as a privileged action and confirm the requester's identity out of band, because a reset is the obvious path for an attacker who holds only the password. TOTP codes can still be relayed by a real-time phishing proxy, so 2FA complements rather than replaces the session and network controls above.

Start with Required for Admins and expand to all users after your team is familiar with the enrollment process.

Step 7: Configure API Key Restrictions

API key restrictions limit how API keys can be used, reducing the blast radius if a key is compromised.

  1. Under API Access, locate the Key Restrictions section.
  2. Configure the available controls:
     Setting            Description
     Max Key Age        Maximum lifetime before a key must be rotated
     IP Binding         Restrict keys to specific IP ranges
     Rate Limiting      Maximum requests per minute per key
     Scope Enforcement  Require all keys to have an explicit scope (read-only, write, admin)
  3. Click Save.

These restrictions apply to both access keys and gateway keys. Existing keys that violate the new restrictions are flagged for rotation.
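The "flagged for rotation" check, reproduced as an added example you can run against an export of your own keys (illustration only, not Keeptrusts code; the restriction values, the key record fields and the three sample keys are all constructed, and rate limiting is omitted because it is enforced per request rather than by inspecting an inventory):

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Restriction values in the shape of the Key Restrictions settings above.
# These are illustrative; the console's defaults are not documented on this page.
RESTRICTIONS = {
    "max_key_age_days": 90,
    "require_ip_binding": True,
    "allowed_scopes": {"read-only", "write", "admin"},
}

# Constructed key inventory standing in for an export of existing keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"id": "key_ci", "type": "access", "created": NOW - timedelta(days=10),
     "scope": "read-only", "ip_ranges": ["198.51.100.0/24"]},
    {"id": "key_legacy", "type": "gateway", "created": NOW - timedelta(days=400),
     "scope": None, "ip_ranges": []},
    {"id": "key_ops", "type": "access", "created": NOW - timedelta(days=30),
     "scope": "admin", "ip_ranges": ["0.0.0.0/0"]},
]


def violations(key, restrictions, now=NOW):
    """Return the reasons a key breaks the restrictions (empty list = compliant)."""
    reasons = []
    age = now - key["created"]
    if age > timedelta(days=restrictions["max_key_age_days"]):
        reasons.append(f"age {age.days}d exceeds max {restrictions['max_key_age_days']}d")
    if key["scope"] not in restrictions["allowed_scopes"]:
        reasons.append("no explicit scope")
    if restrictions["require_ip_binding"]:
        nets = [ipaddress.ip_network(r) for r in key["ip_ranges"]]
        if not nets:
            reasons.append("not bound to any IP range")
        elif any(n.prefixlen == 0 for n in nets):
            # 0.0.0.0/0 or ::/0 satisfies the letter of "bound" while binding nothing.
            reasons.append("bound to an all-addresses range, which is no binding")
    return reasons


def flag_for_rotation(keys, restrictions, now=NOW):
    """Map key id -> reasons, for every key that violates the restrictions."""
    report = {}
    for key in keys:
        reasons = violations(key, restrictions, now)
        if reasons:
            report[key["id"]] = reasons
    return report


if __name__ == "__main__":
    for key_id, reasons in flag_for_rotation(KEYS, RESTRICTIONS).items():
        print(f"{key_id}: rotate ({'; '.join(reasons)})")
```

The all-addresses case is the one worth keeping in the check: a key bound to 0.0.0.0/0 passes a naive "has an IP binding" test while giving the binding no effect, and the admin-scoped key in the sample is exactly the kind of credential where that matters.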

Step 8: Review Security Dashboard

The Security tab includes a dashboard summarizing your security posture:

  Metric              Description
  Active Sessions     Number of currently active user sessions
  Failed Logins (24h) Count of failed login attempts in the last day
  Keys Expiring Soon  API and gateway keys expiring within 7 days
  Users Without 2FA   Users who have not enrolled in two-factor authentication
  Allowlist Status    Whether IP allowlist enforcement is active

Use this dashboard to identify and address security gaps.

Step 9: Test Security Configuration

After making changes, verify the configuration:

  1. Session timeout: Open an incognito window, log in, and wait for the timeout period.
  2. IP allowlist: Try accessing the console from an IP outside the allowed ranges.
  3. Password policy: Create a test account and verify the policy is enforced.
  4. 2FA: Enroll a test account and verify the TOTP flow works correctly.
  5. API key restrictions: Test an API call with a key that violates the new restrictions.

Best Practices

  • Start with moderate settings — Avoid locking out your team by tightening settings incrementally.
  • Document break-glass procedures — Have a documented recovery plan for admin lockouts.
  • Enforce 2FA for all users — It is the single most effective control against credential compromise.
  • Review failed logins weekly — Spikes in failed logins may indicate brute-force attempts.
  • Audit IP ranges quarterly — Remove stale ranges and add new office or VPN ranges.

Next steps

For AI systems

  • Canonical terms: Keeptrusts console, Settings > Security, session timeout, IP allowlist, CSRF protection (x-keeptrusts-csrf-token), password policy, 2FA/TOTP enforcement, API key restrictions, account lockout.
  • Related features: audit log (security events), gateway keys (key restrictions), team access control (RBAC).
  • Best next pages: Gateway Key Management, Audit Log Review, Team Access Setup.

For engineers

  • Session timeout test: Set a 15-minute timeout, wait 16 minutes idle, and confirm you are redirected to the login page.
  • IP allowlist: Add your office CIDR, then attempt access from a different network and verify you receive a 403 Forbidden.
  • 2FA enrollment: Enable 2FA enforcement, log out, and confirm that login now requires a TOTP code after password entry.
  • Troubleshooting: If you lock yourself out via the IP allowlist, remove the offending restriction through the API from an address that is still inside an allowed range, or contact your platform administrator.

For leaders

  • Compliance alignment: Session timeouts, 2FA, and IP restrictions map directly to SOC 2 CC6.1, ISO 27001:2013 Annex A.9 (access control; spread across A.5 and A.8 in the 2022 edition), and the NIST SP 800-53 AC control family.
  • Risk reduction: The console is the governance control plane — hardening access prevents unauthorized policy modification or data exfiltration.
  • Progressive hardening: Start with 2FA and session timeouts (low friction), then add IP allowlists as you identify stable access patterns.