Optimizely Knowledge Base

Secure your Optimizely account

relevant products:
  • Optimizely X Web Experimentation
  • Optimizely X Web Personalization
  • Optimizely X Web Recommendations
  • Optimizely Classic

THIS ARTICLE WILL HELP YOU:
  • Increase the security of your Optimizely account 
  • Minimize the vulnerability of your experiments, campaigns, and customer data

At Optimizely, we take the security of your data very seriously -- and we know you do too. Below, we provide best practices that will help you secure and protect your account from malicious attack.

Use this list to safeguard against attempts to compromise your account, site, and customer data, such as hijacking your site to post inappropriate content or injecting malicious scripts to steal confidential data.

We also think it's important to be clear and transparent about how Optimizely handles security. Learn more about how we protect your data here.

2-Step Verification 

2-Step Verification increases the security of your Optimizely account by adding a second factor at sign-in. In addition to your password, you must enter a code that's sent to your mobile phone. With 2-Step Verification enabled, an attacker who obtains your password still cannot sign in without that second factor.

Require 2-Step Verification for all users

We recommend that you require 2-Step Verification for all collaborators on your account. Navigate to the Account Settings page and check Require 2-step verification.


All accounts can enable 2-Step Verification, but the Require 2-step verification feature is only available on select Optimizely plans. If you’re interested in gaining access to this feature, please contact your Customer Success Manager or sales@optimizely.com.

Give collaborators the least privilege necessary

Assign each collaborator a role that provides the least amount of privileges necessary to contribute to the project.

Here's how to manage collaborators in Optimizely X Web and Optimizely Classic.

A few tips: 

  • Most tasks in Optimizely can be accomplished with the Editor role.

  • Administrator and Project Owner roles can exercise full control over a project, including creating, editing, and starting experiments. These roles are powerful, and present a greater security risk. We recommend that all users who have Administrator or Project Owner privileges enable 2-Step Verification.

  • The Viewer role is suitable for collaborators who review experiments and results, but don't need to edit.

Set passwords to expire after 90 days

For added security, require collaborators on your account to reset their passwords every 90 days. Navigate to the Account Settings page and check Expire after 90 days.

Enable Single Sign-On (SSO)

Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard for exchanging authentication and authorization data between an identity provider and a service provider. Your team logs in to Optimizely with their existing corporate credentials, so they need no separate Optimizely password, and access can be granted and revoked centrally through your identity provider rather than managed password by password.

SSO is available only on select Optimizely plans. If you’re interested in gaining access to this feature, please contact your Customer Success Manager or sales@optimizely.com.

Enable HTTPS

Loading the Optimizely snippet over HTTPS protects both your website and the visitors who trust it with their personal information: TLS prevents an on-path attacker from reading the traffic or tampering with the script before it runs in the visitor's browser. The default snippet uses a protocol-relative URL (//cdn.optimizely.com/...), which inherits the scheme of the page it is embedded in, so on a page served over plain HTTP the script is also fetched over plain HTTP. Pinning the snippet to https: ensures it is fetched over TLS regardless of how the page itself was loaded. Performance is no longer a reason to avoid it: TLS is fast now, and with HTTP/2, which browsers support only over TLS, HTTPS pages can load faster than plain HTTP.

Here's how to enable HTTPS:

  1. Navigate to the snippet in Optimizely X or Optimizely Classic.

  2. Add https: to the snippet, like this:

    Original snippet:
    <script src="//cdn.optimizely.com/js/2418851857.js"></script>

    Modified snippet:
    <script src="https://cdn.optimizely.com/js/2418851857.js"></script>
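
As an added check that is not part of Optimizely's documentation or code, the following Node.js script scans an HTML template for Optimizely snippet tags, reports any whose src is protocol-relative or plain http://, and rewrites them to https:. The sample page embedded in the script is constructed for this example (it reuses the snippet ID shown above); the function and variable names are my own, not an Optimizely API.

```javascript
// Added example (not Optimizely's own code): audit HTML templates for
// Optimizely snippet tags that are not pinned to https:, and rewrite them.
//
// A protocol-relative src ("//cdn.optimizely.com/...") inherits the scheme of
// the page it is embedded in, so on an http:// page the snippet is fetched in
// clear text and an on-path attacker can replace it with arbitrary JavaScript.

// Matches a <script> tag with a quoted src attribute; group 1 is the quote
// character, group 2 is the raw src value.
const SCRIPT_TAG = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi;

// Only the Optimizely CDN host is in scope for rewriting; other hosts are
// reported by nothing here and left untouched.
function isOptimizelySnippet(src) {
  return /^(https?:)?\/\/cdn\.optimizely\.com\//i.test(src.trim());
}

// Classify a src value by how the browser will fetch it.
function classifySrc(src) {
  const value = src.trim().toLowerCase();
  if (value.startsWith("https://")) return "secure";
  if (value.startsWith("//")) return "protocol-relative"; // scheme of the host page
  if (value.startsWith("http://")) return "plaintext";
  return "other";
}

// Return one finding per Optimizely snippet tag found in the HTML.
function auditSnippets(html) {
  const findings = [];
  for (const match of html.matchAll(SCRIPT_TAG)) {
    const src = match[2];
    if (!isOptimizelySnippet(src)) continue;
    findings.push({ src, status: classifySrc(src) });
  }
  return findings;
}

// Rewrite protocol-relative and http:// Optimizely snippet URLs to https:
// and return the modified HTML; everything else is passed through unchanged.
function pinSnippetsToHttps(html) {
  return html.replace(SCRIPT_TAG, (tag, quote, src) => {
    if (!isOptimizelySnippet(src)) return tag;
    const status = classifySrc(src);
    if (status !== "protocol-relative" && status !== "plaintext") return tag;
    const trimmed = src.trim();
    const fixed = status === "protocol-relative"
      ? "https:" + trimmed
      : "https://" + trimmed.slice("http://".length);
    // Function replacer so "$" sequences in the URL are never interpreted.
    return tag.replace(src, () => fixed);
  });
}

// Constructed sample page (not taken from a real site); the snippet ID is the
// one used in the examples above. Three Optimizely tags, one other host.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="//cdn.optimizely.com/js/2418851857.js"></script>
<script type="text/javascript" src='http://cdn.optimizely.com/js/2418851857.js'></script>
<script src="https://cdn.optimizely.com/js/2418851857.js"></script>
<script src="//example.com/other.js"></script>
</head><body></body></html>`;

console.log(auditSnippets(SAMPLE_HTML));
console.log(pinSnippetsToHttps(SAMPLE_HTML));
```

Run it against your page templates before deploying; the audit reports the first two tags as protocol-relative and plaintext, and the rewritten output contains only https: Optimizely snippet URLs while the example.com tag is left as it was.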

Enable automatic timeout

In Optimizely X, enabling an automatic logout after 15 minutes of inactivity helps keep your account secure and satisfies the PCI DSS requirement for a 15-minute idle session timeout. The setting applies to every account you administer: after 15 minutes with no mouse or keyboard activity, the session ends and any unsaved changes are lost, so save your work before stepping away.

  1. Navigate to Account Settings > Account Overview.

  2. Click to enable Automatically log out after 15 minutes of inactivity.

  3. Click Save.