Skip to content

Login & security

These settings protect the login flow itself — the transport, the credential-guessing surface, and the browser.

Whether the realm accepts plaintext HTTP.

  • Recommended: external requests (the default). Never none in production.
  • Ask the assistant: “Require SSL for all external requests on acme-prod.”
  • Keycloak: Realm settings → General → Require SSL.

Locks an account after repeated failed logins to stop password-guessing and credential-stuffing.

  • Recommended: on, with temporary lockout and an increasing back-off.
  • Ask the assistant: “Turn on brute-force protection for acme-prod.”
  • Keycloak: Realm settings → Security defenses → Brute force detection.

Prefer temporary lockout over permanent lockout — permanent lockout lets an attacker disable known usernames (a denial-of-service lever).

Keycloak sends a set of hardening headers with every login page.

  • Recommended: keep the defaults — X-Frame-Options: SAMEORIGIN (anti-clickjacking), a restrictive Content-Security-Policy, X-Content-Type-Options: nosniff.
  • Keycloak: Realm settings → Security defenses → Headers.

Lets users keep a session across browser restarts.

  • Recommended: off for sensitive/admin pools; on is acceptable for consumer apps with a short SSO max lifespan.
  • Ask the assistant: “Enable remember-me for acme-prod.”
  • Keycloak: Realm settings → Login → Remember me.