Inside your project, navigate to Admin > Site Settings > Security.
Here administrators can configure security-related features to control access, protect user accounts, and safeguard data.
Password Policy
This setting enforces a required password complexity for the project to improve account security (it is not applied to existing passwords or to passwords automatically generated by TestRail). Click the dropdown and select one of the password complexity options, which have the following criteria:
- From 8 to 12 characters long
- Contain both uppercase and lowercase letters
- Include numbers or special characters
Disable Forgot Password Functionality
This setting disables the ability to reset the password using the “Forgot Password” email feature. This is useful for systems using external authentication providers, and also when an organization wants to limit the possibility of email-based password resets for added security.
Disable Invite User Functionality
When this is enabled, TestRail does not send invite emails when a user is added through the Invite User feature. The invite email is what lets users set their password, so this setting is intended for cases where user accounts are managed manually or through a central identity provider.
Also, this can be done manually when organizations want to handle initial communication and onboarding themselves.
Enable Multi-Factor Authentication (MFA)
This option lets TestRail users set up MFA using an authenticator app for an additional layer of login security in any new session.
When enabled:
- Users can configure MFA in their account settings.
- MFA is not enforced globally inside a project unless an admin sets it individually per user account.
- It does not apply to SSO logins, as those rely on external identity providers.
Allow Access to TestRail from the Following IPs Only
You can restrict TestRail access by allowing only specific IP addresses or networks. This implements an allow-list (“whitelist”), adding another layer of security. Each IP or network must be entered on a separate line:
- Simple IP: 192.168.1.1
- Or entire networks: 192.168.1.0/24
With this access control, you can prevent unauthorized access from unknown or public networks.
For convenience, clicking Add my IP address automatically adds the administrator’s current IP address.
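A draft allow-list can be checked before it is saved, so that a typo does not lock out the people who need access. The following is an added example, not TestRail code: it assumes the one-entry-per-line format described above, treats entries with host bits set (such as 10.0.0.5/8) as errors to review, and uses constructed sample addresses and hypothetical function names.

```python
import ipaddress

def parse_allow_list(text):
    """Parse one entry per line; return (networks, problems)."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # A bare IP becomes a single-host network (/32 or /128).
            # strict=True rejects entries whose host bits are set.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            problems.append((lineno, entry, str(exc)))
    return networks, problems

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allow-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)

def review(text, must_reach):
    """Return unparseable lines and the required client IPs left uncovered."""
    networks, problems = parse_allow_list(text)
    locked_out = [ip for ip in must_reach if not is_allowed(ip, networks)]
    return problems, locked_out

# Constructed sample draft: two valid entries, two mistakes.
DRAFT = """192.168.1.1
192.168.1.0/24
10.0.0.5/8
203.0.113.300
"""
# Constructed list of client addresses that must keep access.
REQUIRED = ["192.168.1.77", "198.51.100.10"]

if __name__ == "__main__":
    problems, locked_out = review(DRAFT, REQUIRED)
    for lineno, entry, reason in problems:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
    for ip in locked_out:
        print(f"{ip} would be blocked by this allow-list")
```
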
CSP – Allow Access TestRail to Remote Addresses
Content Security Policy (CSP) is a security mechanism that limits the remote addresses TestRail can communicate with to those that are explicitly allowed, to protect against certain types of attacks.
Admins can specify approved remote URLs (one per line) that TestRail is permitted to connect to, for example: https://api.example.com/get/
Use this option whenever you are integrating TestRail with external systems, to ensure TestRail only sends data to approved, secure destinations.
After you finish editing your security settings, click Save settings at the bottom.