Authentication
Protection from brute force attacks
When an administrator connects to SMC via the web interface, the connection is now temporarily blocked after several unsuccessful authentication attempts.
Authorities and certificates
Certificate security
For security reasons, users who have access to SMC via the console of their hypervisor or in SSH, can no longer read the certificate used to sign connecting packages and deployment files.
Only the "root" user can do so now.
Signing connecting packages and deployment files
The certificate used to sign connecting packages and configuration deployment files has been updated to use a more recent and more secure algorithm.
Configuration backup
Backups
Now, only the super administrator ("admin" user) can back up the configuration of the SMC server.
Securing configuration backups
Backups of the SMC server's configuration can now be encrypted with a password. The password must comply with the password policy set for administrators.
System
HSTS header
The SMC server now supports the HSTS security header.