Security checklist
Describes common security issues for websites.
(Thanks to Daniel Ovaska at Mogul for providing the foundation for this checklist.)
Background
Optimizely Content Management System (CMS) provides a flexible and granular user/role-based authorization security model, which reflects best practice approaches widely employed by enterprise-level platforms. Individual access can be controlled through Optimizely's standard authentication and authorization mechanisms.
User and role permissions can be enforced to any section of the website, and also to all levels of content, including products, pages, and content blocks. It is also possible to secure standard CMS navigation and UI elements based on user/group permissions.
Using the CMS user interface, administrators can create users, groups, and roles to grant permissions to content items, pages, types of pages, blocks, media, properties, files, folders, and language variations.
Access to editing is administered by CMS admin users who can then define what groups are given access to editing. In addition to this, permissions can be associated with properties to ensure that only the allowed tabs and properties can be filled in by authors during the editing experience.
Optimizely enables templates to be shared across sites including styles and branding if desired. Once created templates can be applied with permissions to only be visible to certain users/groups of the CMS. See Security.
Checklist
Consider the suggestions below to make your site as secure as possible.
High priority
- Use HTTPS
Without HTTPS you are wide open for a whole bunch of man-in-the-middle (MITM) attacks. Do not release a site without it. Use it on the entire site and not only on the logged-in part. See Enforce HTTPS in ASP.NET Core. - Secure cookies
For an HTTPS site, your application cookies should be marked as secure. To ensure that the application cookie is always secure in production you can configure like:
services.ConfigureApplicationCookie(c => c.Cookie.SecurePolicy = _webHostingEnvironment.IsDevelopment()
? Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest
: Microsoft.AspNetCore.Http.CookieSecurePolicy.Always);
You can use CookiePolicyMiddleware
and configure CookiePolicyOptions
to specify policies that should apply to all cookies for the application.
- Make sure application is configured with environment set to production
To do so make sure environment variableASPNETCORE_ENVIRONMENT
orDOTNET_ENVIRONMENT
is set to Production. - Avoid click-jacking attacks
Add a response header for X-Frame-Options. This could be done for example from a middleware component or from a global action filter. - Restrict editors
Give them the least access rights needed and avoid creating shared accounts. If something goes wrong, you want to know who did what. Use WebEditors to give access to edit mode only and a separate role to give access to the part of the content tree "Editors_Sweden, Editors_Norway" or similar. - Remove test users
Especially all admin accounts used during development need to be deleted before launch. - Use a service account for scheduled jobs and similar
It happens that the developer uses his own account instead of creating a separate service account to run scheduled jobs, use a specific service account for tasks like these instead. - Check that your search result page (SRP) never displays secured content
Make sure that excerpts of secured content are not displayed to anonymous users on the search result page. - Check that pages in waste basket is not shown / crashes site
If you list content in any way by usingGetChildren
/FindPagesByCriteria
in the background, make sure you filter your list for access rights before displaying them. EPiServer controls do this out-of-the-box but if you use custom code to render your lists/menus you will have to solve this problem to avoid any issue. Test by sending some content to wastebasket and check that they are handled correctly. They should not be visible in menus or in search results for instance. - Validate user input
Validate all forms of user input against an allow list (with valid characters) on the server side. You can, for example, use a regular expression to check that the string that comes from the users only contain normal characters. If you are using user profile pages, double-check that these are validating input correctly since they may targeted. If you need country-specific allow lists, store the regular expression as a setting on a multi site.
A few examples of functions that clean up the user input by regex:
public static string ToOnlyAlphaNumericInput(this string input)
{
if (input == null)
{
return null;
}
return Regex.Replace(input, @"[^\w]", string.Empty);
}
public static string ToOnlyNormalTextInput(this string input)
{
if (input == null)
{
return null;
}
return Regex.Replace(input, @"[^\w\.@!? ,/:+()'´-]", string.Empty);
}
- Validate querystring parameters
Similar to the one above; however, easier to forget but no less important. - HTML encode all output
This is especially important for all data that come from other systems/user input to avoid JavaScript cross-site scripting (XSS) attacks.
If you are using MVC, use the standard Model. syntax and stay away from Html.Raw as much as possible. - Lock down webapi and custom endpoints
Optimizely is handling security for content out-of-the-box, but you should check your solution for other access points such as web API, and custom endpoints, and secure them or validate all input. - Lock down addons
Check if you have admin/editor addons and similar, and secure them. This can normally be done easily by adding attribute authorizationPolicy to the modules module.config. - Filter your lists for access rights
If you list content in any way by usingGetChildren
/FindPagesByCriteria
in the background, make sure you filter your list for access rights before displaying them. The Optimizely controls do this out-of-the-box but if you use custom code to render your lists or menus, you have to solve this problem to avoid showing restricted content. - Move your log files
Having your log files in the web root is not a good idea from a security point of view. Ideally, they should be on a separate hard drive (because too large log files may crash the website). - File access rights
Double-check that your file access rights are correct and that no one has added full access rights for everyone when troubleshooting. Check this URL if you are unsure: Understanding Built-In User and Group Accounts in IIS 7. - Secure your service layer
For websites that are more application oriented, it is wise to secure your service layer so that some functions are only available to certain roles, for example, delete user can only be run by someone logged in as administrator. It is easy to simply hide the button for this in the presentation layer but a more secure way is to add it above your service layer. One way of implementing this is using custom attributes and AOP. - Secure your data layer
Make sure you use an Object/Relational Mapping (ORM) framework like Entity Framework (EF) that does not allow SQL injections and that you never string concatenate an SQL statement together. If you run SQL stored procedures, it might be worth checking those for string concatenation as well.- Double-check your caching strategy
Make sure you never cache non-public content. For example, if you cache a menu (filtered on access rights) and you then navigate the site with an admin user followed by an anonymous user, you may display menu items to the anonymous user that only admins should see. Normally, you do not need to cache Optimizely content lists if you just useGetChildren
; Optimizely does that for you.
- Double-check your caching strategy
- Secure your custom file providers
In case you use custom file providers, do you check access rights on all folders that you want? - Secure your scheduled jobs
If you find that your scheduled jobs do not work on your production site, it may be because scheduled jobs run as your current user when you press Start manually in admin view, but as anonymous user when you run them automatically. If the anonymous access rights are not enough, you have to log in programmatically to execute the job as a specific user.
See Magnus Rahl's blog post Run a scheduled job as a specific role.
Just make sure you know what you are doing if you run the job as admin. You might end up sending out restricted information if you are not careful. - Performance
Although performance is a separate issue, bad performance can also be used to kill a website. Check your logs to find all slow pages, and optimize them and add load balancing if needed. Remember that this performance issue applies to all components in your solution including the SQL server, DNS, SSO etc. - Email is not a secure channel
Never send passwords and similar on email. Send a temporary link instead. - Prevent cross-site forgery
ASP.NET Core applications uses anti-forgery by default for most usages. You might need to handle it your self in some limited use cases. For more information, see: Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core. - Require strong passwords
Long passwords beat complex passwords. A minimum of 9 characters is recommended. Preferably more if your users do not start screaming too loud. - Check your SSL certificate
Old versions of protocols and algorithms are vulnerable to attacks. Use for instance: SSL Server Test and Symantec CryptoReport to check if you are using the latest versions without known security holes.
Updated 5 months ago