docs: Secure and monitor restructure #3280

Open
wants to merge 5 commits into
base: main
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ Imagine a security system that not only asks for your credentials but also reads

What's truly fascinating about adaptive MFA is its dynamic nature. It's not just about adding layers of security; it's about adding the right layers, at the right time. This approach minimizes friction for users, making security feel less like a series of hoops to jump through and more like a smart, responsive ally. It's a dance between convenience and caution, where security measures are tailored in real-time, based on the perceived level of risk. This not only enhances the user experience but also fortifies defenses, ensuring that the keys to the kingdom aren't handed over too easily, nor kept under lock and key unnecessarily.

You can also use the same principles for initial authentication (for instance, requiring a CAPTCHA if a user logs in from a new device). Read more about adaptive approaches in our [Advanced Threat Detection](/docs/operate/secure-and-monitor/advanced-threat-detection) features.
You can also use the same principles for initial authentication (for instance, requiring a CAPTCHA if a user logs in from a new device). Read more about adaptive approaches in our [Advanced Threat Detection](/docs/operate/secure/advanced-threat-detection) features.

## Why Use Multi-factor Authentication (MFA)?
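Review bot: the old `/docs/operate/secure-and-monitor/` URLs will keep living on in external links, search results and bookmarks after this restructure, and this hunk only repoints the in-repo link. Please confirm the PR (or the site's redirect config) maps `/docs/operate/secure-and-monitor/advanced-threat-detection` to `/docs/operate/secure/advanced-threat-detection`; otherwise readers arriving via the old path land on a 404. The same applies to every `secure-and-monitor` path touched in this PR.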

2 changes: 1 addition & 1 deletion astro/src/content/blog/announcing-fusionauth-1-47.mdx
Expand Up @@ -23,7 +23,7 @@ All in all there are 21 issues, enhancements, and bug fixes included in the 1.47

There were a number of performance improvements in these releases, as the team focused on making FusionAuth even faster and more scalable.

Some improvements are only applicable for Enterprise clients. This included lowering the memory overhead when downloading and storing the IP location database. This IP data is used by [Advanced Threat Detection](/docs/operate/secure-and-monitor/advanced-threat-detection).
Some improvements are only applicable for Enterprise clients. This included lowering the memory overhead when downloading and storing the IP location database. This IP data is used by [Advanced Threat Detection](/docs/operate/secure/advanced-threat-detection).

Other improvements apply to all FusionAuth users. These include:

2 changes: 1 addition & 1 deletion astro/src/content/blog/announcing-fusionauth-1-48.mdx
Expand Up @@ -55,7 +55,7 @@ If they match, you can be certain the payload is unchanged.
But it's not just webhook signing. There were other webhook related improvements too, including:

* Webhook test messages now include more information if the webhook does not succeed.
* You can use [key master](/docs/operate/secure-and-monitor/key-master) to manage webhook certificates. This is the recommended solution going forward.
* You can use [key master](/docs/operate/secure/key-master) to manage webhook certificates. This is the recommended solution going forward.
* A bug was fixed. Previously tenant specific webhooks were removed when `PATCH`-ing a tenant, and now they are not.
* Test messages sent using the admin UI now preserve the body payload, making it easier to develop webhooks.

2 changes: 1 addition & 1 deletion astro/src/content/blog/javascript-sdks.mdx
Expand Up @@ -58,7 +58,7 @@ A client library, in contrast, is a wrapper over [FusionAuth APIs](/docs/apis/).

If you want to compare a client library to a child's toy, it is like legos. Engineers build a script or program using a client library to extend or configure FusionAuth. Some examples of tasks well suited to a client library:

* [rotating client secrets or API keys](/docs/operate/secure-and-monitor/key-rotation) to improve your security posture
* [rotating client secrets or API keys](/docs/operate/secure/key-rotation) to improve your security posture
* pulling user data every night for data warehouse ingestion
* creating a new FusionAuth tenant every time a client signs up for your app
* offering a unique, custom login or registration experience not supported by the [FusionAuth hosted login pages](/docs/get-started/core-concepts/integration-points#hosted-login-pages)
2 changes: 1 addition & 1 deletion astro/src/content/blog/log4j-fusionauth.mdx
Expand Up @@ -35,7 +35,7 @@ To learn more about the CVE, you can:

## What about Elasticsearch

Elasticsearch is used by many FusionAuth installations. However, in general the Elasticsearch service is not publicly accessible, if [following the recommended security guidance](/docs/operate/secure-and-monitor/securing).
Elasticsearch is used by many FusionAuth installations. However, in general the Elasticsearch service is not publicly accessible, if [following the recommended security guidance](/docs/operate/secure/securing).

<Aside type="note" nodark="true">
You should never allow internet connections to Elasticsearch.
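Review bot: this link sits in the Log4j advisory post, where a dead link to the hardening guidance is worse than in ordinary docs, so please verify that `/docs/operate/secure/securing` actually resolves in the restructured tree rather than relying on a redirect. Also, `secure/securing` reads oddly as a path; if the securing page is being renamed as part of the same restructure, this link should follow the final name.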
4 changes: 2 additions & 2 deletions astro/src/content/docs/_shared/_client-side-api-keys.mdx
Expand Up @@ -14,6 +14,6 @@ The client code then sends requests to the server side component, and the server
This is the **recommended option**.
* Create an API key with extremely limited permissions and distribute it.
Since stealing the key when used on the client side is trivial--all an attacker has to do is 'view source'--make sure you have carefully considered the risk and result of someone stealing and using the key outside of your application.
You can also monitor FusionAuth usage with webhooks, use [IP ACLs](/docs/operate/secure-and-monitor/advanced-threat-detection/#ip-access-control-lists) to limit where the API key can be used from, or place an [HTTP proxy](/docs/operate/deploy/proxy-setup) in front of FusionAuth to further limit access.
Plan to [rotate the key regularly](/docs/operate/secure-and-monitor/key-rotation) to limit the impact.
You can also monitor FusionAuth usage with webhooks, use [IP ACLs](/docs/operate/secure/advanced-threat-detection/#ip-access-control-lists) to limit where the API key can be used from, or place an [HTTP proxy](/docs/operate/deploy/proxy-setup) in front of FusionAuth to further limit access.
Plan to [rotate the key regularly](/docs/operate/secure/key-rotation) to limit the impact.
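Review bot: the IP ACL link keeps a trailing slash before the fragment (`/docs/operate/secure/advanced-threat-detection/#ip-access-control-lists`) while every other link touched in this PR, including the `key-rotation` link on the next line, has none. Suggest `/docs/operate/secure/advanced-threat-detection#ip-access-control-lists` so the style stays consistent and the fragment does not depend on how the trailing slash is handled.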

2 changes: 1 addition & 1 deletion astro/src/content/docs/_shared/_update-key-note.mdx
@@ -1,6 +1,6 @@
Only the name of the Key may be changed; all other fields will remain the same. If you need to update a Key with a new certificate, algorithm or other attributes, please [Import a Key](/docs/apis/keys#import-a-key).

For example, if you have a Key with an associated expiring certificate, you'll need to follow the steps similar to those outlined in the [JWT signing key rotation documentation](/docs/operate/secure-and-monitor/key-rotation#jwt-signing-key-rotation):
For example, if you have a Key with an associated expiring certificate, you'll need to follow the steps similar to those outlined in the [JWT signing key rotation documentation](/docs/operate/secure/key-rotation#jwt-signing-key-rotation):

* Import this key, keypair or certificate into FusionAuth. This will create a new Key entity in FusionAuth.
* Update the appropriate configuration with this new Key (JWT signing configuration, SAML validation configuration, etc).
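Review bot: this link carries the fragment `#jwt-signing-key-rotation`, and a path redirect will not validate that the heading still exists on the moved `key-rotation` page, so please check the anchor is present there after the restructure. While the line is being touched, "follow the steps similar to those outlined" should read "follow steps similar to those outlined".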
Expand Up @@ -52,7 +52,7 @@ import JSON from 'src/components/JSON.astro';
<ReactorStatusValues />
</APIField>
<APIField name="status.breachedPasswordDetection" type="String">
The status for [Breached Password Detection](/docs/operate/secure-and-monitor/breached-password-detection). The possible following values:
The status for [Breached Password Detection](/docs/operate/secure/breached-password-detection). The possible following values:

* `ACTIVE` - the feature is active
* `DISCONNECTED` - the feature is currently disconnected
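Review bot: "The possible following values:" on the changed line is awkward; since the line is being edited anyway, suggest "The possible values are:" so the description reads cleanly before the `ACTIVE` / `DISCONNECTED` list.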
4 changes: 2 additions & 2 deletions astro/src/content/docs/apis/hosted-backend.mdx
Expand Up @@ -95,7 +95,7 @@ _Response Codes_
|------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 200 | There was an error. The route will serve up an error page with HTML and details on what went wrong. |
| 302 | A successful request will redirect the user to `/oauth2/authorize` to log in. |
| 403 | A forbidden response typically means that the Origin of this request did not pass the FusionAuth CORS filter. Add your app origin to your [CORS Configuration](/docs/operate/secure-and-monitor/cors) as an <InlineField>Allowed Origin</InlineField>. |
| 403 | A forbidden response typically means that the Origin of this request did not pass the FusionAuth CORS filter. Add your app origin to your [CORS Configuration](/docs/operate/secure/cors) as an <InlineField>Allowed Origin</InlineField>. |
| 500 | There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files. |

## Register
Expand Down Expand Up @@ -147,7 +147,7 @@ _Response Codes_
|------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 200 | There was an error. The route will serve up an error page with HTML and details on what went wrong. |
| 302 | A successful request will redirect the user to `/oauth2/register` to register. |
| 403 | A forbidden response typically means that the Origin of this request did not pass the FusionAuth CORS filter. Add your app origin to your [CORS Configuration](/docs/operate/secure-and-monitor/cors) as an <InlineField>Allowed Origin</InlineField>. |
| 403 | A forbidden response typically means that the Origin of this request did not pass the FusionAuth CORS filter. Add your app origin to your [CORS Configuration](/docs/operate/secure/cors) as an <InlineField>Allowed Origin</InlineField>. |
| 500 | There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files. |

## Callback
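Review bot: the 403 row here is identical to the one in the Login section's table above ("A forbidden response typically means that the Origin of this request did not pass the FusionAuth CORS filter. Add your app origin to your CORS Configuration as an Allowed Origin."), and both copies had to be edited in this PR. Consider moving the CORS explanation into a partial under `astro/src/content/docs/_shared/` (this PR already touches that directory) so the next link restructure needs one edit instead of two.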