Reducing external exposure of the privacyIDEA server


Is it possible to change externally visible paths like /ttype/push and /validate/check using an env variable or some other way without rewriting that part of the code?

//type/push path is passed to the app during enrollment so the app will get the updated path instead of //ttype/push.


So you want to do security by obscurity?

Take a look at Apache rewrite rules.


Yes, besides all the regular security hardening. Thanks, so rewrite rules. OK.

I only started using privacyIDEA and am getting familiar with the setup. Is there a security guide for privacyIDEA itself, not for generic OS hardening (that’s covered already)? Since only a portion of it is exposed externally (I’ve set up Apache to ban access to any other paths already), now trying to reduce exposure more. Mod_security experience?


No, there are too many possibilities for configuration. Also there are too many different people with opinions on what is sensible.

However, there is some information about cryptography and brute force in the FAQs.