HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunityDoc feedbackLog In
GitHubNuGetDev CommunityDoc feedback

Security checklist

Describes common security issues for websites.

(Thanks to Daniel Ovaska at Mogul for providing the foundation for this checklist.)


Optimizely Content Management System (CMS) provides a flexible and granular user/role-based authorization security model, which reflects best practice approaches widely employed by enterprise-level platforms. Individual access can be controlled through Optimizely's standard authentication and authorization mechanisms.

User and role permissions can be enforced to any section of the website, and also to all levels of content, including products, pages, and content blocks. It is also possible to secure standard CMS navigation and UI elements based on user/group permissions.

Using the CMS user interface, administrators can create users, groups, and roles to grant permissions to content items, pages, types of pages, blocks, media, properties, files, folders, and language variations.

Access to editing is administered by CMS admin users who can then define what groups are given access to editing. In addition to this, permissions can be associated with properties to ensure that only the allowed tabs and properties can be filled in by authors during the editing experience.

Optimizely enables templates to be shared across sites including styles and branding if desired. Once created templates can be applied with permissions to only be visible to certain users/groups of the CMS. See Security.


Consider the suggestions below to make your site as secure as possible.

High priority

  • Use HTTPS
    Without HTTPS you are wide open for a whole bunch of man-in-the-middle (MITM) attacks. Do not release a site without it. Use it on the entire site and not only on the logged-in part. See Enforce HTTPS in ASP.NET Core.
  • Secure cookies
    For an HTTPS site, your application cookies should be marked as secure. To ensure that the application cookie is always secure in production you can configure like:
services.ConfigureApplicationCookie(c => c.Cookie.SecurePolicy = _webHostingEnvironment.IsDevelopment()
            ? Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest
            : Microsoft.AspNetCore.Http.CookieSecurePolicy.Always);

You can use CookiePolicyMiddleware and configure CookiePolicyOptions to specify policies that should apply to all cookies for the application.

  • Make sure application is configured with environment set to production
    To do so make sure environment variable ASPNETCORE_ENVIRONMENT or DOTNET_ENVIRONMENT is set to Production.
  • Avoid click-jacking attacks
    Add a response header for X-Frame-Options. This could be done for example from a middleware component or from a global action filter.
  • Restrict editors
    Give them the least access rights needed and avoid creating shared accounts. If something goes wrong, you want to know who did what. Use WebEditors to give access to edit mode only and a separate role to give access to the part of the content tree "Editors_Sweden, Editors_Norway" or similar.
  • Remove test users
    Especially all admin accounts used during development need to be deleted before launch.
  • Use a service account for scheduled jobs and similar
    It happens that the developer uses his own account instead of creating a separate service account to run scheduled jobs, use a specific service account for tasks like these instead.
  • Check that your search result page (SRP) never displays secured content
    Make sure that excerpts of secured content are not displayed to anonymous users on the search result page.
  • Check that pages in waste basket is not shown / crashes site
    If you list content in any way by using GetChildren / FindPagesByCriteria in the background, make sure you filter your list for access rights before displaying them. EPiServer controls do this out-of-the-box but if you use custom code to render your lists/menus you will have to solve this problem to avoid any issue. Test by sending some content to wastebasket and check that they are handled correctly. They should not be visible in menus or in search results for instance.
  • Validate user input
    Validate all forms of user input against an allow list (with valid characters) on the server side. You can, for example, use a regular expression to check that the string that comes from the users only contain normal characters. If you are using user profile pages, double-check that these are validating input correctly since they may targeted. If you need country-specific allow lists, store the regular expression as a setting on a multi site.

A few examples of functions that clean up the user input by regex:

public static string ToOnlyAlphaNumericInput(this string input)
            if (input == null)
                return null;
            return Regex.Replace(input, @"[^\w]", string.Empty);
        public static string ToOnlyNormalTextInput(this string input)
            if (input == null)
                return null;
            return Regex.Replace(input, @"[^\w\.@!? ,/:+()'´-]", string.Empty);
  • Validate querystring parameters
    Similar to the one above; however, easier to forget but no less important.
  • HTML encode all output
    This is especially important for all data that come from other systems/user input to avoid JavaScript cross-site scripting (XSS) attacks.
    If you are using MVC, use the standard Model. syntax and stay away from Html.Raw as much as possible.
  • Lock down webapi and custom endpoints
    Optimizely is handling security for content out-of-the-box, but you should check your solution for other access points such as web API, and custom endpoints, and secure them or validate all input.
  • Lock down addons
    Check if you have admin/editor addons and similar, and secure them. This can normally be done easily by adding attribute authorizationPolicy to the modules module.config.
  • Filter your lists for access rights
    If you list content in any way by using GetChildren/FindPagesByCriteria in the background, make sure you filter your list for access rights before displaying them. The Optimizely controls do this out-of-the-box but if you use custom code to render your lists or menus, you have to solve this problem to avoid showing restricted content.
  • Move your log files
    Having your log files in the web root is not a good idea from a security point of view. Ideally, they should be on a separate hard drive (because too large log files may crash the website).
  • File access rights
    Double-check that your file access rights are correct and that no one has added full access rights for everyone when troubleshooting. Check this URL if you are unsure: Understanding Built-In User and Group Accounts in IIS 7.
  • Secure your service layer
    For websites that are more application oriented, it is wise to secure your service layer so that some functions are only available to certain roles, for example, delete user can only be run by someone logged in as administrator. It is easy to simply hide the button for this in the presentation layer but a more secure way is to add it above your service layer. One way of implementing this is using custom attributes and AOP.
  • Secure your data layer
    Make sure you use an Object/Relational Mapping (ORM) framework like Entity Framework (EF) that does not allow SQL injections and that you never string concatenate an SQL statement together. If you run SQL stored procedures, it might be worth checking those for string concatenation as well.
    • Double-check your caching strategy
      Make sure you never cache non-public content. For example, if you cache a menu (filtered on access rights) and you then navigate the site with an admin user followed by an anonymous user, you may display menu items to the anonymous user that only admins should see. Normally, you do not need to cache Optimizely content lists if you just use GetChildren; Optimizely does that for you.
  • Secure your custom file providers
    In case you use custom file providers, do you check access rights on all folders that you want?
  • Secure your scheduled jobs
    If you find that your scheduled jobs do not work on your production site, it may be because scheduled jobs run as your current user when you press Start manually in admin view, but as anonymous user when you run them automatically. If the anonymous access rights are not enough, you have to log in programmatically to execute the job as a specific user.
    See Magnus Rahl's blog post Run a scheduled job as a specific role.
    Just make sure you know what you are doing if you run the job as admin. You might end up sending out restricted information if you are not careful.
  • Performance
    Although performance is a separate issue, bad performance can also be used to kill a website. Check your logs to find all slow pages, and optimize them and add load balancing if needed. Remember that this performance issue applies to all components in your solution including the SQL server, DNS, SSO etc.
  • Email is not a secure channel
    Never send passwords and similar on email. Send a temporary link instead.
  • Prevent cross-site forgery
    ASP.NET Core applications uses anti-forgery by default for most usages. You might need to handle it your self in some limited use cases. For more information, see: Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.
  • Require strong passwords
    Long passwords beat complex passwords. A minimum of 9 characters is recommended. Preferably more if your users do not start screaming too loud.
  • Check your SSL certificate
    Old versions of protocols and algorithms are vulnerable to attacks. Use for instance: SSL Server Test and Symantec CryptoReport to check if you are using the latest versions without known security holes.

What’s Next