To enhance the security of oA, the following two settings should be added to settings.py:
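# Restrict the session cookie to the oA URL prefix
SESSION_COOKIE_PATH = '/openattic/'
# Session lifetime in seconds (two weeks); Django expects an integer here
SESSION_COOKIE_AGE = 1209600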
Moreover, in webui/app/scripts/module.js, the following should be added to the app.config(($httpProvider) block to prevent the oA application from being embedded in an iframe:
$httpProvider.defaults.headers.get["X-Frame-Options"] = "DENY";
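
A response-side check for the settings above, as an added example that is not part of the original text or the oA code base: browsers act on X-Frame-Options only when it arrives as a response header, whereas $httpProvider.defaults.headers.get sets defaults for outgoing GET requests, so the served response is where to confirm the result. The cookie name sessionid (Django's default), the function name audit_response and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

EXPECTED_PATH = "/openattic/"       # SESSION_COOKIE_PATH from the page
EXPECTED_MAX_AGE = 1209600          # SESSION_COOKIE_AGE from the page, in seconds
SESSION_COOKIE_NAME = "sessionid"   # assumption: Django's default cookie name

# Constructed sample responses (header lists as http.client's getheaders() returns).
HARDENED = [
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "sessionid=constructed; HttpOnly; Max-Age=1209600; Path=/openattic/"),
]
UNHARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed; HttpOnly; Max-Age=1209600; Path=/"),
]


def audit_response(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    xfo = [v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options missing from response")
    elif xfo != ["DENY"]:
        findings.append("X-Frame-Options is %s, expected DENY" % ", ".join(xfo))

    session = None
    for k, v in headers:
        if k.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(v)
            session = jar.get(SESSION_COOKIE_NAME, session)
    if session is None:
        findings.append("no %s cookie in this response" % SESSION_COOKIE_NAME)
        return findings
    if session["path"] != EXPECTED_PATH:
        findings.append("cookie Path is %r, expected %r" % (session["path"], EXPECTED_PATH))
    if session["max-age"] != str(EXPECTED_MAX_AGE):
        findings.append("cookie Max-Age is %r, expected %d" % (session["max-age"], EXPECTED_MAX_AGE))
    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit_response(sample) or "OK")
```

Feed it the header list from a real login response (for example http.client.HTTPResponse.getheaders()) to confirm the deployed instance matches the intended settings.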