Security best practices

Learnsby provides a variety of security measures that you can implement to ensure that your Learnsby LMS is protected and secure.

Important

If you are ever in doubt about the security of your Learnsby LMS, feel free to contact Learnsby directly. In the event of a suspected security breach, you should submit a ticket with the subject “Security” along with the details. Alternatively, you can send an email to security@learnsby.com.

Following the best practices in this document will go a long way in reducing the risk of a security breach. However, even the best security policies will fall short if they are not followed. Learnsby strongly recommends that users and administrators be educated about their role in maintaining a secure environment.

Increase password security for your administrators

You should require administrators to select passwords for their Learnsby account that they are not using elsewhere on the internet. Should a user reuse a password, and that password is compromised, all the user’s accounts that share the same login credentials become vulnerable. Not even the best security practices can protect your Learnsby LMS when password reuse by your administrators is widespread.

Encourage users to use password management software like LastPass. A password manager can help your users maintain strong unique passwords for all of their accounts.

Set up a password policy

Set up a password policy by browsing to Setup > Security > Site security settings. By default, the password policy requires a password length of 8 characters and at least 1 digit, 1 lowercase letter, 1 uppercase letter and 1 non-alphanumeric character. Enforcing password complexity goes a long way to ensure that users choose good passwords.

Limit the number of users with administrator access

Administrators have access to parts of your Learnsby LMS that regular users do not, such as security settings, billing information and personal details. By limiting the number of users who have administrator access, you will reduce your security risk.

Restrict access to your Learnsby LMS using IP restrictions

In Learnsby, an administrator can restrict access to a range of IP addresses, or a specific IP address. This means that you are able to allow only users within your organisation to access your Learnsby LMS while blocking all other internet users. You can set up IP restrictions by browsing to Setup > Security > IP blocker.

For more information about this feature, see Restricting access to your Learnsby LMS using IP restrictions.

Limit access or follow secure coding practices if using the API

You can use the Learnsby API to extend the functionality of your Learnsby LMS. By default, API access is disabled. If you don’t anticipate using these tools to extend Learnsby, leave the API disabled. You can disable the API by browsing to Setup > API > Advanced features and deselecting Enable web services.

If you want to use the Learnsby API, we strongly recommend that you follow secure coding best practices. A good reference for this is the Open Web Application Security Project (OWASP), which you can find here.

Cross Site Scripting (XSS)

Some forms of rich content used to enhance courses use the same technologies that malicious users can use for cross-site scripting attacks. If Learnsby were solely concerned with security, it would not allow this. However, Learnsby is also concerned with education, so a balance has to be struck between securing the system and supporting course needs. That said, the ability to post XSS-capable content is strictly controlled. In general, this means that administrators and instructors can post XSS-capable content, but learners cannot.