Documentation Scope

This guide covers:

• Core security features in Totara
• Protection against common cyber attacks
• Encryption and data protection
• Security logging and auditing
• International compliance standards (GDPR, ISO 27001, FERPA, HIPAA)
• Cybersecurity best practices

How Totara Supports Cybersecurity Critical

Totara provides comprehensive protection at multiple levels to ensure system and data security:

• Application-Level Protection: Input validation, data sanitization, SQL Injection protection
• Session-Level Protection: Secure session management, Session Hijacking protection
• Network-Level Protection: Mandatory HTTPS, HSTS, SSRF protection
• Database-Level Protection: Protected queries, sensitive data encryption
• File-Level Protection: File type validation, Upload Attack protection

Multiple Security Layers

Totara uses a Defense in Depth approach with multiple security layers:

1. Authentication Layer: Secure login, account lockout, multi-factor authentication
2. Authorization Layer: Capabilities and roles system, access control
3. Attack Protection Layer: CSRF Protection, XSS Protection, SQL Injection Protection
4. Encryption Layer: Password encryption, sensitive data encryption
5. Monitoring Layer: Security logs, security reports, alerts

Supported Security Standards

Totara supports compliance with the following security standards:

• OWASP Top 10: Protection against most common attacks
• CWE/SANS Top 25: Addressing common security vulnerabilities
• NIST Cybersecurity Framework: Comprehensive cybersecurity framework
• ISO/IEC 27001: Information security management system

Allowed IP List Critical

This feature allows you to specify IP addresses or IP ranges that are allowed to access the system. This is very important for security.

• Usage: Specify IP addresses allowed to access the admin panel
• Format: You can use individual IP addresses or ranges (e.g., 192.168.1.0/24)
• Location: Site administration → Security → IP blocker

Blocked IP List Important

Block specific IP addresses from accessing the system.

• Useful for blocking suspicious IPs or known attack sources
• Supports full IP ranges

Allow Before Block

When enabled, the allow list is checked first before the block list. This allows you to create exceptions.

Protect Usernames Recommended

Prevents usernames from being displayed on public pages, reducing the risk of brute force attacks.

• Enabled by default
• Protects against username guessing attempts

Force Login Critical

Requires all users to log in before accessing the site.

• Enabled by default in Totara
• Ensures content is protected

Prevent Multiple Logins

Prevents users from logging in from multiple devices simultaneously.

• Useful for session tracking
• Improves security in enterprise environments

Site Policy

Requires users to agree to the site policy before use.

• Policy content can be customized
• Separate policy for guests

Password Policy Critical

Enabling a strong password policy ensures users use secure passwords.

Password Reuse Limit

Prevents users from reusing previous passwords.

• Can specify number of previous passwords to avoid
• Value of 0 means no restrictions

Password Reset Time

Specifies the duration for which password reset links are valid.

• Default: 30 minutes
• Options: 5, 15, 30, 45, 60, 120, 240 minutes

Logout on Password Change

Automatically logs out the user from all devices when password is changed.

Token Deletion on Password Change

Deletes all tokens when password is changed, ending all active sessions.

Lockout Threshold Important

Number of failed login attempts before account lockout.

• Default: 5 attempts
• Options: 3, 5, 7, 10, 20, 30, 50, 100

Lockout Window

Time period during which failed login attempts are counted.

• Default: 60 minutes
• If user fails login within this period, account is locked

Lockout Duration

Duration for which account remains locked after exceeding lockout threshold.

• Default: 60 minutes
• Can be customized per organization needs

Persistent Login

Allows users to stay logged in for longer periods without re-authentication.

• Disabled by default
• Should be enabled with caution in sensitive environments

Login Failure Tracking

Tracks failed login attempts and can send notifications to administrators.

• Can display failed login attempts
• Notify administrators when threshold is exceeded
• Default: 10 failed attempts

Secure Cookies Critical

Requires cookies to be sent over HTTPS only.

• Enabled by default
• Protects against session hijacking attacks
• Required when using HTTPS

HTTP Only Cookies Critical

Prevents access to cookies via JavaScript.

• Enabled by default
• Protects against XSS attacks

Strict Transport Security (HSTS) Recommended

Requires browsers to connect via HTTPS only.

• Disabled by default
• Should be enabled in production environments
• Protects against downgrade attacks

Secure Referrers

Verifies that requests come from trusted sources.

Frame Embedding Prevention

Prevents site from being embedded in frames from other sites (clickjacking protection).

• Disabled by default
• Should be enabled unless you need to embed the site

Cross-Domain Policies

Controls how Flash and PDF interact with the site.

• Options: none, master-only, or default

CURL Blocked Hosts List Important

Prevents CURL connections to specific local IP addresses or ranges.

Default Blocked Values:

• Protects against SSRF (Server-Side Request Forgery) attacks
• Prevents access to internal network
• Very important for security

CURL Allowed Ports List

Specifies ports allowed for external connections via CURL.

• Can restrict connections to specific ports only
• Useful for reducing attack surface

XSS (Cross-Site Scripting) Protection Critical

Totara provides multi-level protection against XSS attacks:

• Automatic Input Sanitization: All inputs are automatically sanitized
• HTTP Only Cookies: Prevents access to cookies via JavaScript
• Content Security Policy: Can configure CSP to restrict JavaScript execution
• Output Escaping: All outputs are automatically escaped
• Rich Text Editor Security: Text editor automatically removes malicious code

CSRF (Cross-Site Request Forgery) Protection Critical

Totara uses Session Key system to protect against CSRF attacks:

• Session Key (sesskey): Every form contains a unique session key
• Automatic Verification: All sensitive requests are automatically verified
• SameSite Cookies: Additional browser-level protection
• Referrer Validation: Validates request sources

How it works: Every sensitive request requires a valid session key generated at login.

SQL Injection Protection Critical

Totara uses Prepared Statements to protect against SQL Injection:

• Prepared Statements: All database queries use prepared statements
• Parameter Binding: Secure parameter binding
• Input Validation: Data type validation before use
• Database Abstraction Layer: Abstraction layer protects against errors
• Query Sanitization: Query sanitization before execution

SSRF (Server-Side Request Forgery) Protection Important

Totara provides strong protection against SSRF attacks:

• CURL Blocked Hosts: Blocked hosts list prevents access to internal network
• Port Restrictions: Restrict allowed ports for external connections
• URL Validation: Validate URL format and address before request
• IP Whitelisting: Allowed and blocked IP lists

Default Blocked Values: All private IP addresses (127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12)

Clickjacking Protection Recommended

Totara provides protection against Clickjacking attacks:

• X-Frame-Options: Prevents site embedding in frames
• Frame Embedding Prevention: Setting to prevent embedding
• Content Security Policy Frame Ancestors: Additional protection via CSP

File Upload Attack Protection Important

Totara provides comprehensive protection against file upload attacks:

• File Type Validation: Validates file type before upload
• File Size Limits: Limits on uploaded file sizes
• Virus Scanning: Ability to integrate with antivirus software
• Quarantine: Quarantine suspicious files
• Content Validation: Validates file content

Brute Force Attack Protection Critical

Totara provides advanced protection against brute force attacks:

• Account Lockout: Account lockout after failed attempts
• Rate Limiting: Limit login attempt rate
• CAPTCHA: Ability to enable CAPTCHA after failed attempts
• IP Blocking: Block suspicious IP addresses
• Login Failure Tracking: Track and notify administrators

Password Encryption Critical

Totara uses strong encryption algorithms for passwords:

• bcrypt: Default algorithm for password encryption
• Argon2: Support for latest encryption algorithms
• Salt Generation: Unique salt generation for each password
• Password Hashing: One-way hashing encryption
• Cost Factor: Adjustable cost factor for increased security

Note: Passwords cannot be retrieved, only reset.

Sensitive Data Encryption

Totara provides capabilities for encrypting sensitive data:

• Database Encryption: Ability to encrypt data in database
• File Encryption: Encrypt sensitive files
• Session Encryption: Encrypt session data
• API Key Encryption: Encrypt API keys
• Configuration Encryption: Encrypt sensitive configuration settings

SSL/TLS Encryption Critical

Totara supports network-level encryption:

• HTTPS Enforcement: Force HTTPS usage
• TLS 1.2+: Support for latest TLS versions
• Certificate Validation: SSL certificate validation
• Secure Cookies: Cookies over HTTPS only
• HSTS: HTTP Strict Transport Security

Data at Rest Protection

Protection of stored data:

• Database Encryption: Database encryption
• File System Encryption: File system encryption
• Backup Encryption: Backup encryption
• Access Controls: File access controls

Data in Transit Protection

Protection of data during transmission:

• HTTPS Only: All connections via HTTPS
• TLS Encryption: TLS encryption for all connections
• Certificate Pinning: Ability to pin certificates
• Secure API Communication: Secure API connections

Security Logging System Important

Totara provides a comprehensive security logging system:

• Login Logs: Login logs (success/failure)
• Access Logs: Resource access logs
• Change Logs: System change logs
• Security Events: Security event logs
• Admin Actions: Administrator action logs

Security Reports

Totara provides comprehensive security reports:

• Security Overview Report: Comprehensive security status report
• Failed Login Report: Failed login attempts report
• User Activity Report: User activity report
• System Logs Report: System logs report
• Compliance Reports: Compliance reports

Location: Site administration → Reports → Security overview

Security Alerts

Totara provides a security alert system:

• Failed Login Alerts: Alerts on failed login attempts
• Security Event Alerts: Security event alerts
• System Anomaly Alerts: System anomaly alerts
• Email Notifications: Email notifications to administrators

Audit & Compliance

Totara provides tools for auditing and compliance:

• Audit Trail: Complete audit trail for all actions
• Data Access Logs: Data access logs
• Compliance Reports: Standards compliance reports
• Retention Policies: Log retention policies
• Export Capabilities: Ability to export logs for external auditing

Real-Time Security Monitoring

Totara provides security monitoring capabilities:

• Real-time Monitoring: Real-time monitoring
• Dashboard: Security dashboard
• Metrics: Security and activity metrics
• Trend Analysis: Security trend analysis

Capabilities Management

Comprehensive permission system that controls what users can do.

• System-level capabilities
• Course-level capabilities
• Activity-level capabilities

Roles and Permissions

Flexible role system that allows customizing permissions per organization needs.

• Default roles: Administrator, Teacher, Student
• Ability to create custom roles
• Customize permissions per role

Email Change Confirmation

Requires confirmation when changing email address.

• Enabled by default
• Protects against unauthorized email changes

Uploaded File Protection

File size limits for uploads:

• Maximum File Size: Customizable (default: server maximum)
• Maximum Extracted Size: Size of extracted archive
• User Quota: 100 MB by default

Profile Protection

• Force Login for Profiles: Prevents unauthorized access
• Force Login for Profile Images: Enabled by default in Totara
• Profiles for Enrolled Users Only: Limits access

Data Cleaning

Data cleaning system removes harmful content from inputs.

• Automatic content cleaning
• Option to disable consistent cleaning (developers only)

Maximum Editing Time

Specifies the time period during which content can be edited after saving.

• Default: 30 minutes
• Options: 1, 5, 15, 30, 45, 60 minutes

GDPR (General Data Protection Regulation) Critical

Totara provides comprehensive features for GDPR compliance:

• Right to Access: Users can access their personal data
• Right to be Forgotten: Ability to delete user data
• User Consent: Comprehensive consent system
• Data Protection: Encryption and protection of personal data
• Processing Records: Track how data is processed
• Breach Notifications: Notifications when data breaches occur
• Privacy by Design: Privacy built into design

ISO/IEC 27001 Important

Totara can be configured for ISO 27001 compliance:

• Information Security Management System (ISMS): Comprehensive framework
• Risk Assessment: Tools for security risk assessment
• Access Control: Comprehensive access control system
• Incident Management: Security incident management system
• Monitoring and Review: Security logs and reviews
• Business Continuity: Business continuity plans

FERPA (Family Educational Rights and Privacy Act)

Totara is suitable for educational institutions in the United States:

• Educational Records Protection: Comprehensive records protection
• Access Control: Limited access to educational data
• Consent: Consent system for data access
• Records: Track access to educational data

HIPAA (Health Insurance Portability and Accountability Act)

Totara can be configured for HIPAA compliance:

• Protected Health Information (PHI) Protection: Health data protection
• Encryption: Health data encryption
• Access Control: Limited access to health data
• Security Logs: Comprehensive access logs
• Business Associate Agreements (BAA): Support for agreements

Note: Requires additional settings and special configuration.

PCI DSS (Payment Card Industry Data Security Standard)

For institutions handling payment cards:

• Data Encryption: Card data encryption
• Access Control: Limited data access
• Monitoring: Data access monitoring
• Security Testing: Regular security testing

SOC 2 (Service Organization Control 2)

Totara supports SOC 2 requirements:

• Security: Comprehensive security controls
• Availability: System availability assurance
• Processing Integrity: Processing integrity assurance
• Confidentiality: Confidential information protection
• Privacy: Privacy protection

Essential Security Settings Critical

1. Always Use HTTPS: Enable SSL/TLS for all connections
2. Enable HSTS: Strict Transport Security
3. Strengthen Password Policy: Use minimum 12 characters with complexity
4. Enable Account Lockout: Enable account lockout mechanism after failed attempts
5. Use IP Allow List: For admin panel access
6. Enable Secure Cookies: Secure cookies
7. Prevent Frame Embedding: Clickjacking protection

CURL Security Settings Important

1. Ensure Blocked Hosts List is Enabled: Very important for SSRF protection
2. Restrict Allowed Ports: Reduce open ports
3. Review List Regularly: Ensure the list is up to date
4. Don't Disable Default Protection: Default protection is essential

Common Attack Protection

1. XSS Protection: Ensure HTTP Only Cookies are enabled
2. CSRF Protection: Session Keys are enabled by default
3. SQL Injection: Prepared Statements are used automatically
4. File Upload Security: Restrict file types and sizes
5. Brute Force Protection: Enable account lockout

Security Monitoring Important

1. Review Security Reports Regularly: Site administration → Reports → Security overview
2. Monitor Failed Login Attempts: Enable notifications
3. Maintain Security Logs: Review logs regularly
4. Update System: Install security updates immediately
5. Monitor Suspicious Activity: Watch for unusual patterns
6. Review Permissions Regularly: Ensure principle of least privilege

Password Management

1. Use Strong Policy: 12+ characters with complexity
2. Enable Password Reuse: Prevent password reuse
3. Use Multi-Factor Authentication: If available
4. Educate Users: Awareness about strong passwords

Backup and Security

1. Regular Backups: Daily backups at minimum
2. Encrypt Backups: Encrypt backup files
3. Test Restores: Test backup restoration regularly
4. Secure Storage: Store backups in secure location

Updates and Maintenance

1. Immediate Security Updates: Install security updates immediately
2. Regular Updates: Establish update schedule
3. Test Updates: Test in staging environment first
4. Monitor Announcements: Monitor security announcements from Totara

Training and Awareness

1. User Training: Educate users on best practices
2. Security Awareness: Security awareness programs
3. Security Policies: Document security policies
4. Regular Reviews: Review policies regularly