- Increase the security of your Optimizely account
- Minimize the vulnerability of your experiments, campaigns, and customer data
At Optimizely, we take the security of your data very seriously -- and we know you do too. Below, we provide best practices that will help you secure and protect your account from malicious attack.
Use this list to safeguard against possible attempts to compromise your account, site, and customer data, including: attempts to hijack your site to post inappropriate content or to inject malicious scripting to steal confidential data.
We also think it's important to be clear and transparent about how Optimizely handles security. Learn more about how we protect your data here.
2-Step verification increases the security of your Optimizely account by adding a second level of authentication at sign-in. Instead of relying on a password, 2-Step Verification also requires you to enter a code that's sent to your mobile phone. With 2-Step Verification enabled, you'll know that your account has a second layer of protection even if your password is compromised.
Require 2-step verification for all users
We recommend that you require 2-step verification for all collaborators whose accounts you administer. Navigate to Account Settings > Security and Privacy and check Require 2-Step Verification.
Give collaborators the least privilege necessary
Assign each collaborator a role that provides the least amount of privileges necessary to contribute to the project.
Here's how to manage collaborators in Optimizely X Web.
A few tips:
Most tasks in Optimizely can be accomplished by the Editor role.
Administrator and Project Owner roles can exercise full control over a project, including creating, editing, and starting experiments. These roles are powerful, and present a greater security risk. We recommend that all users who have Administrator or Project Owner privileges enable 2-Step Verification.
The Viewer role is suitable for collaborators who review experiments and results, but don't need to edit.
Set passwords to expire after 90 days
For added security, require collaborators on your account to reset their passwords every 90 days. Navigate to Account Settings > Security and Privacy and select Expire after 90 days.
Enable Single Sign-On (SSO)
Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials and eliminates the security risks associated with using a password.
Enabling HTTPS provides critical security and data integrity both for your website and visitors who trust your website with their personal information. TLS is fast now, and can even be faster than HTTP.
Here's how to enable HTTPS:
Navigate to the snippet in Optimizely X.
https:to the snippet, like this:
Enable automatic timeout
In Optimizely X, enabling an automatic logout after 15 minutes of inactivity will help you keep your account secure and PCI compliant. If there is no mouse or keyboard activity for 15 minutes, accounts that you're an administrator for will time out and you'll lose unsaved changes.
Navigate to Account Settings > Security and Privacy and check Automatically log out after 15 minutes of inactivity.