Security Settings are part of the Core Settings in Countly. To access them, in the Sidebar, go to Management > Settings, then select Security from the Core Settings list.
The Security Settings section allows you to configure authentication policies, password requirements, rate limiting, HTTP headers, and proxy connections for your Countly Server. These settings help you enforce your organization's security policies and protect both the Countly interface and API endpoints from unauthorized access.
Changes to Security settings require Global Admin privileges.
Login and Authentication
These settings control how Countly handles login attempts and account lockouts to protect against brute-force attacks.
| Setting | Description | Default |
|---|---|---|
| Allowed login attempts | The number of incorrect login attempts allowed before the account is temporarily blocked. After reaching this limit, the account is locked for the duration specified by the block time increment setting. | 3 |
| Incorrect login block time increment | The incremental period of time (in seconds) that an account is blocked after the allowed number of incorrect login attempts is exceeded. Each subsequent lockout may increase by this increment. | 300 seconds (5 minutes) |
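As an added illustration (not Countly's own code), the following models the two settings above: an account is locked once the allowed number of incorrect attempts is reached, and each subsequent lockout grows by one block-time increment. The constants, function names and the "lock on the Nth failure" reading are assumptions.

```javascript
// Added example, not Countly's implementation. Assumed defaults from the table:
// 3 allowed incorrect attempts, 300-second block increment.
const LOGIN_ATTEMPTS_ALLOWED = 3;
const BLOCK_INCREMENT_SECONDS = 300;

// Per-account state: failures in the current cycle, lockouts so far, and the
// time (in seconds) at which the current lockout ends.
const accounts = new Map();

function getAccountState(username) {
  if (!accounts.has(username)) {
    accounts.set(username, { failures: 0, lockouts: 0, blockedUntil: 0 });
  }
  return accounts.get(username);
}

// Evaluates one login attempt at time `nowSeconds`. A locked account rejects
// the attempt without consulting the password, so a correct guess during the
// block window still gets "blocked".
function attemptLogin(username, passwordOk, nowSeconds) {
  const st = getAccountState(username);
  if (nowSeconds < st.blockedUntil) {
    return { status: 'blocked', retryAfter: st.blockedUntil - nowSeconds };
  }
  if (passwordOk) {
    // Successful login clears the failure cycle and the escalation counter.
    st.failures = 0;
    st.lockouts = 0;
    return { status: 'ok' };
  }
  st.failures += 1;
  if (st.failures >= LOGIN_ATTEMPTS_ALLOWED) {
    // Each lockout lasts one increment longer than the previous one
    // (300 s, then 600 s, then 900 s, ...).
    st.lockouts += 1;
    const blockSeconds = st.lockouts * BLOCK_INCREMENT_SECONDS;
    st.blockedUntil = nowSeconds + blockSeconds;
    st.failures = 0;
    return { status: 'locked', blockSeconds };
  }
  return { status: 'failed', remaining: LOGIN_ATTEMPTS_ALLOWED - st.failures };
}
```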
Password Policies
Password policy settings allow you to define the minimum requirements for user passwords, enforcing stronger credentials across your Countly Server.
| Setting | Description | Default |
|---|---|---|
| Minimum password length | The minimum number of characters required in a password. | 8 |
| Password must contain an uppercase character | When enabled, passwords must contain at least one uppercase letter. | Enabled |
| Password must contain a number | When enabled, passwords must contain at least one digit (0 through 9). | Enabled |
| Password must contain a special symbol | When enabled, passwords must contain at least one special symbol (a character that is not a number or Latin letter). | Enabled |
| Password expiration (in days) | The number of days after which a user must reset their password. Set to 0 to disable password expiration entirely. | 0 (no expiration) |
| Password rotation | The number of previous passwords that a user cannot reuse when setting a new password. This prevents users from cycling back to recently used passwords. | 3 |
| Password autocomplete | Enables or disables the browser autocomplete feature on login forms. Disabling this prevents browsers from offering to save or auto-fill credentials. | Enabled |
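The check below is an added example (not Countly's own validator) that applies the complexity, length and rotation rows of the table above to a candidate password. The `policy` object and function names are assumptions; the password history is kept in plaintext only to keep the illustration short.

```javascript
// Added example, not Countly's implementation. Assumed policy mirroring the
// table's defaults.
const policy = {
  minLength: 8,
  requireUppercase: true,
  requireNumber: true,
  requireSpecial: true,
  rotation: 3, // number of previous passwords that may not be reused
};

// "Special symbol" follows the table's definition: any character that is
// neither a digit nor a Latin letter, so "#", " " and "é" all qualify.
function isSpecial(ch) {
  return !/[0-9A-Za-z]/.test(ch);
}

// Returns the list of violated rules; an empty list means the password passes.
// `previous` is the user's password history, newest first. A real deployment
// would compare against salted hashes rather than plaintext.
function validatePassword(password, previous = []) {
  const problems = [];
  if (password.length < policy.minLength) problems.push('too_short');
  if (policy.requireUppercase && !/[A-Z]/.test(password)) problems.push('no_uppercase');
  if (policy.requireNumber && !/[0-9]/.test(password)) problems.push('no_number');
  if (policy.requireSpecial && ![...password].some(isSpecial)) problems.push('no_special');
  // Only the most recent `rotation` passwords are off limits.
  if (previous.slice(0, policy.rotation).includes(password)) problems.push('reused');
  return problems;
}
```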
Rate Limiting
Rate limiting settings help protect your Countly Server from excessive requests by restricting the number of allowed requests within a specific time window.
| Setting | Description | Default |
|---|---|---|
| Dashboard Rate Limit Time (seconds) | The time window (in seconds) during which Countly monitors the number of requests. If the request limit is reached within this window, additional requests are blocked. | 60 seconds |
| Dashboard Request Rate Limit | The maximum number of requests allowed per time window for the Countly interface. | 500 |
| API Rate Limit Time (seconds) | The time window (in seconds) for API rate limiting. Set to 0 to disable API rate limiting. Changing this setting requires a server restart. | 0 (disabled) |
| API Request Rate Limit | The maximum number of API requests allowed per time window. Set to 0 to disable API rate limiting. Changing this setting requires a server restart. | 0 (disabled) |
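As an added example (not Countly's own limiter), this fixed-window counter applies the semantics in the table: a request count per client within a time window, blocking once the limit is exceeded, and treating a value of 0 as "disabled". The dashboard defaults (60 seconds, 500 requests) and the function name are assumptions.

```javascript
// Added example, not Countly's implementation. Assumed defaults from the table.
const RATE_LIMIT_TIME = 60;      // seconds per window
const RATE_LIMIT_REQUESTS = 500; // requests allowed per window

// Per-client window state: start of the current window and requests seen in it.
const windows = new Map();

// `clientKey` identifies the caller (for example source IP or session id).
// Returns whether the request may proceed; when blocked, `retryAfter` is the
// number of seconds until the next window opens.
function checkRateLimit(clientKey, nowSeconds,
                        limitTime = RATE_LIMIT_TIME,
                        limitRequests = RATE_LIMIT_REQUESTS) {
  // Either setting at 0 disables limiting, matching the API rows above.
  if (limitTime === 0 || limitRequests === 0) return { allowed: true };

  // Fixed windows aligned to multiples of limitTime.
  const windowStart = Math.floor(nowSeconds / limitTime) * limitTime;
  let w = windows.get(clientKey);
  if (!w || w.start !== windowStart) {
    w = { start: windowStart, count: 0 };
    windows.set(clientKey, w);
  }
  w.count += 1;
  if (w.count > limitRequests) {
    return { allowed: false, retryAfter: windowStart + limitTime - nowSeconds };
  }
  return { allowed: true, remaining: limitRequests - w.count };
}
```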
HTTP Response Headers
These settings allow you to add custom HTTP response headers to both the Countly interface and API responses. Custom headers are commonly used to enforce Content Security Policy, CORS, and other browser security mechanisms.
| Setting | Description |
|---|---|
| Additional Dashboard HTTP Response headers | Custom headers added to all Countly interface responses. Enter one header per line in the format Header-Name:value. Default headers include X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, and X-Content-Type-Options. |
| Additional API HTTP Response headers | Custom headers added to all API responses. Enter one header per line in the format Header-Name:value. Default headers include X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, and Access-Control-Allow-Origin. |
| Robots.txt | Defines the content of the robots.txt file served by the Countly Server. Customize this to control what search engine crawlers can index. By default, all crawling is disallowed. |
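The parser below is an added example (not Countly's own code) for the one-header-per-line `Header-Name:value` format described above, merged over a set of defaults so that a configured header replaces the default of the same name; this is the case the CORS FAQ at the end of the page describes. The default values other than `Access-Control-Allow-Origin: *` and the function names are assumptions.

```javascript
// Added example, not Countly's implementation. Only the "*" default for
// Access-Control-Allow-Origin comes from the page; the other value is assumed.
const DEFAULT_API_HEADERS = {
  'X-Frame-Options': 'deny',          // assumed value
  'Access-Control-Allow-Origin': '*', // default stated on the page
};

// RFC 7230 token characters: header names may contain nothing else, which
// also rules out whitespace and CR/LF that could split a line into two headers.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parses "Header-Name:value" lines; blank lines are ignored, malformed lines
// are rejected rather than silently dropped so a typo cannot weaken a policy.
function parseHeaderLines(text) {
  const headers = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line) continue;
    // Split on the first colon only; values such as URLs contain colons too.
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error(`Malformed header line: ${rawLine}`);
    const name = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    if (!TOKEN.test(name)) throw new Error(`Invalid header name: ${name}`);
    headers[name] = value;
  }
  return headers;
}

// Header names are case-insensitive, so a configured "access-control-allow-origin"
// must still replace the default "Access-Control-Allow-Origin".
function effectiveHeaders(defaults, configuredText) {
  const configured = parseHeaderLines(configuredText);
  const overridden = new Set(Object.keys(configured).map((n) => n.toLowerCase()));
  const result = {};
  for (const [name, value] of Object.entries(defaults)) {
    if (!overridden.has(name.toLowerCase())) result[name] = value;
  }
  return Object.assign(result, configured);
}
```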
Proxy Configuration
If your Countly Server connects to external services through a proxy, configure the proxy connection details here. These settings apply to all outbound connections made by the server.
| Setting | Description | Default |
|---|---|---|
| Proxy Hostname | The hostname or IP address of your proxy server. | (empty) |
| Proxy Port | The port number of your proxy server. | (empty) |
| Proxy Username | The username for proxy authentication, if required. | (empty) |
| Proxy Password | The password for proxy authentication, if required. | (empty) |
| Proxy Type | The protocol type used by the proxy server (e.g., HTTPS). | https |
FAQ and Troubleshooting
How do I enforce stronger password policies?
Enable all three password complexity requirements (uppercase character, number, and special symbol), increase the minimum password length, and set a password expiration period. You can also increase the password rotation count to prevent users from reusing recent passwords.
How do I enable API rate limiting?
Set the "API Rate Limit Time" and "API Request Rate Limit" to values greater than 0. For example, setting the time window to 60 seconds and the request limit to 1000 would allow a maximum of 1000 API requests per minute. Note that changes to API rate limiting require a server restart to take effect.
How do I configure CORS headers for the API?
Add or modify the Access-Control-Allow-Origin header in the "Additional API HTTP Response headers" field. By default, it is set to * (allow all origins). Replace * with your specific domain to restrict access.