Login & security
These settings protect the login flow itself — the transport, the credential-guessing surface, and the browser.
Require TLS
Section titled “Require TLS”Whether the realm accepts plaintext HTTP.
- Recommended:
external requests(the default). Nevernonein production. - Ask the assistant: “Require SSL for all external requests on acme-prod.”
- Keycloak: Realm settings → General → Require SSL.
Brute-force protection
Section titled “Brute-force protection”Locks an account after repeated failed logins to stop password-guessing and credential-stuffing.
- Recommended: on, with temporary lockout and an increasing back-off.
- Ask the assistant: “Turn on brute-force protection for acme-prod.”
- Keycloak: Realm settings → Security defenses → Brute force detection.
Prefer temporary lockout over permanent lockout — permanent lockout lets an attacker disable known usernames (a denial-of-service lever).
Browser security headers
Section titled “Browser security headers”Keycloak sends a set of hardening headers with every login page.
- Recommended: keep the defaults —
X-Frame-Options: SAMEORIGIN(anti-clickjacking), a restrictiveContent-Security-Policy,X-Content-Type-Options: nosniff. - Keycloak: Realm settings → Security defenses → Headers.
Remember me
Section titled “Remember me”Lets users keep a session across browser restarts.
- Recommended: off for sensitive/admin pools; on is acceptable for consumer apps with a short SSO max lifespan.
- Ask the assistant: “Enable remember-me for acme-prod.”
- Keycloak: Realm settings → Login → Remember me.