HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideLegal TermsGitHubNuGetDev CommunitySubmit a ticketLog In


Describes security in Optimizely Content Management System (CMS).

Optimizely meets high standards regarding security features within a wide range of scenarios. Optimizely Content Management System (CMS) bases login security on the authentication and authorization system. It uses Introduction to Identity on ASP.NET Core, which provides an overview of security management in Optimizely.

Security management in CMS

The CMS platform handles the following common security concerns.

  • Authentication and authorization. CMS bases the authentication on the ASP.NET Core built-in framework for the user and role. CMS uses a standard API that makes creating a provider for any type of user database and third-party providers easy.



Where and how user credentials are stored, depends on the authentication provider used. The separation of authentication and authorization increases flexibility. Making a call to a provider lets you delegate security operations to a separate machine, thereby increasing scalability. CMS also supports single sign-on and federated claims-based authentication.

  • Injection projection – CMS code uses parameterized APIs to prevent injection attacks from untrusted input. No code paths in CMS use untrusted data in XML-related calls.
  • Cross-site scripting (XSS) – In CMS, user input is filtered and validated to prevent XSS issues. Depending on the actual piece of information, CMS applies HTML encoding to the outgoing data stream to protect against XSS attacks. The editorial and administrative interfaces are areas where you can post HTML and scripts and use them as-is on a web page. CMS relies on its authorization features to ensure only trusted users can provide content.
  • Broken authentication and session management – CMS bases its authentication and authorization system on the ASP.NET Core built-in framework for the user or role. CMS does not rely on session data, which increases security and improves scalability and performance because a browser session does not need server affinity from a security perspective.
  • Insecure direct object references – In CMS, the references go through at least one layer of indirection with appropriate access controls in place.
  • Cross-site request forgery (CSRF) – CMS has a CSRF prevention mechanism that automatically detects forged requests for system pages. It also enables the event validation mechanism in ASP.NET for these pages. For the site pages, CMS supports and provides optional anti-forgery and event validation.
  • Security misconfiguration – CMS designs configurations with secure by default in mind. Strong security requires having a secure configuration defined and deployed for the application, frameworks, application server, Web server, database server, and platform. These settings should be defined, implemented, and maintained because many are not shipped with secure enough defaults.
  • Insecure cryptographic storage – CMS uses verified, strong algorithms. Only a small part of the CMS configuration information may contain sensitive information, such as the ConnectionStrings section. You can encrypt this information using the built-in .NET framework features. Optimizely stores other system assets in an SQL database with full support of the database's native encryption mechanisms.
  • Failure to restrict URL access – Sensitive areas of CMS, such as the edit and admin user interfaces, are protected by default with the standard configuration. Information presented on public-facing web pagesΒ is subject to authorization based on the displayed content. CMS never relies on security through a secret URL.
  • Transport layer protection – CMS transmits the user credentials (username and password). CMS fully supports SSL (HTTPS protocol) and urges you to use SSL.
  • Unvalidated redirects and forwards – There is an absolute minimum of redirects in CMS because they are undesirable for security and performance. CMS bases existing redirects on internal data or sanitized information.
  • Virus protection – CMS relies on third-party products for virus protection. CMS never executes files uploaded to the asset manager, preventing potential viruses inside files from spreading to CMS.

ADFS/SSO and OWIN support

The CMS platform supports ADFS/SSO and the OWIN standard interface between .NET web servers and applications. The following topics provide information.