Security Settings Page in App Panel #411

Open
4 tasks
kc-diabeat opened this issue Nov 12, 2024 · 0 comments

@kc-diabeat (Contributor)

Description:
To enhance security awareness and provide quick access to critical security configurations, we propose adding a "Security Settings" page to the App Panel at the project level. This page would offer a checklist-style interface, displaying various security-related features and their statuses. This approach would allow users/admins to verify and ensure adherence to application security from the App Panel.

Proposed Checklist for Security Settings (WIP):
The Security Settings page should display the following items, with a visual indicator (e.g., green for secure, red for insecure) for each:

  1. Debug Mode: Verify if Debug = False.
  2. IP Restriction: Ensure App Panel access is IP-restricted. Show the allowed IPs.
  3. Account Lockout Time: Display the duration of account lockouts after failed attempts.
  4. Allowed Password Attempts: Show the configured limit for failed login attempts.
  5. Password Age: Display the maximum age for passwords before expiration.
  6. HTTPS Only: Verify if HTTPS-only is enforced.
  7. Password Age Policies: Check if password age policies are in place for all users.
  8. Password Strength Policies: Confirm if password strength requirements (e.g., complexity, length) are enforced for all users.
  9. Default IDs or Passwords: Ensure no default IDs or passwords are active in production.
  10. Concurrent Sessions Disabled: Verify if concurrent sessions are disallowed to prevent session hijacking.
  11. Server Time Synchronization: Confirm if the server time is synchronized with NTP.
  12. Two-Factor Authentication (2FA): Check if 2FA is enforced for all user accounts in applications.
  13. SSO/OIDC: Verify if SSO/OIDC is enforced for all application users.
  14. Cross-Site Scripting (XSS) Protection: Verify if XSS protection headers are enabled in the HTTP response (e.g., X-XSS-Protection).
  15. Content Security Policy (CSP): Ensure a Content Security Policy is set to help prevent data injection attacks like XSS.
  16. SQL Injection Protection: Confirm that prepared statements or ORM protections are in place to prevent SQL injection vulnerabilities.
  17. Clickjacking Protection: Check for X-Frame-Options headers to prevent clickjacking attacks.
  18. Secure Cookies: Verify that cookies have secure and HttpOnly flags set to prevent access by JavaScript and ensure they’re sent only over HTTPS.
  19. API Rate Limiting: Ensure API endpoints have rate-limiting mechanisms to mitigate brute-force and DoS attacks.
  20. Audit Logging: Confirm if audit logging is enabled for critical actions (e.g., login attempts, password changes, sensitive data access).
  21. Data Encryption in Transit: Verify that data in transit is encrypted, typically with TLS, for secure communication.
  22. Security Headers Compliance: Check for other essential HTTP security headers (e.g., Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy).
  23. External Resources Control: Confirm that only trusted and necessary external resources (e.g., JavaScript libraries, stylesheets) are allowed.

Acceptance Criteria:

  • Security Settings page displays all checklist items listed above.
  • Each item reflects the current configuration status (e.g., enabled/disabled, compliant/non-compliant).
  • Clear, color-coded indicators (e.g., green/red) for secure/insecure status for each setting.
  • Tooltip or additional information option for each item to provide further guidance on compliance.