By default, an active FPGA configuration can be read back or reconfigured through the JTAG port, through the SelectMAP port if Persist is selected, or through the ICAPE3 primitive if it is instantiated in a design. A basic form of security is to prevent access to the configuration logic, such as by not allowing the configuration port to persist and not enabling ICAP connections to external pins. In addition, the bitstream readback security setting (BITSTREAM.READBACK.SECURITY) can be set to Level1 (disables readback), or Level2 (disables both readback and reconfiguration). The only way to remove a readback security setting in a configured FPGA is to clear the FPGA program by asserting PROGRAM_B or cycling power. If the user design is sensitive, bitstream encryption should be considered. Use of encryption automatically prevents readback via hardware gates and not just bitstream settings. It is the strongest method to prevent readback and protect your IP. The bitstream readback security setting does not affect readback for SEU detection. Refer to Vivado Design Suite User Guide: Programming and Debugging (UG908) for details on the readback security options.