The best and most important thing to keep in mind when thinking about security is to make sure you have a layered defense. Unfortunately, there aren't any magic tricks that will automatically protect you against every threat out there. If you make use of different layers of defense, even if one layer is defeated there will still be others to protect you. And always remember, you don't need to outrun the bear, just your friends. Worried about the security of your Umbraco environment and how to keep it safe? I've got your back with a few quick tips!
Tip 1: Use HTTPS
It's 2018, people! There is absolutely no conceivable reason not to run your site under HTTPS. The future is now! Nowadays you can get a certificate for (almost) no cost at all from vendors like Let's Encrypt. Browsers already show a notification whenever a page contains a form but is not served over HTTPS. The next step will be showing a 'Not secure' warning to every visitor of your website.
Not convinced yet? Keep in mind Google will give your site a slight advantage when it's running under HTTPS. Furthermore, Windows 10 Server will also allow you to serve your website over http/2, providing a significant speed boost for your website! After installing your HTTPS certificate, it's advisable to check whether your server has been patched correctly. You can do so at the SSL Labs website.
Tip 2: IP lock your Umbraco
Why is this important? Well, other than you and your clients, no one has any business messing around in there. So why let them have access and allow them to see all information available in your CMS? Go check out https://www.perplex.nl/is-it-umbraco/ to see if our bot can discover if you're using Umbraco and if so, just how much it can find out. It will probably find in no time which Umbraco version you’re using and maybe even which packages you’re using.
Tip 3: Use the right response headers
There are six security headers that let you increase your website's security relatively easily. Three of them are no-brainers and should be added to every website. These three can be added without any major repercussions:
- X-Content-Type-Options: nosniff
- X-Frame-Options: sameorigin
- X-XSS-Protection: 1; mode=block
In fact, Umbraco shows these settings in their Health Check dashboards. So, what are you waiting for?
Besides these three, there are several other headers that may be a little harder to implement correctly. But they will also provide more security.
- Strict-Transport-Security: this header tells the browser that the website must always be loaded over HTTPS, so don't even bother trying HTTP. With the value max-age=31536000; includeSubDomains; preload the policy remains valid for a year and covers all subdomains as well.
- Content-Security-Policy: this is one of the trickier headers to get right. It lets you declare which types of resources your website may load and from which domains they may originate. Anything that does not come from one of the allowed domains or is not one of the allowed resource types will be blocked by the browser.
- Public-Key-Pins: another HTTPS-related header. This one specifies which certificate needs to be trusted. By providing a fingerprint of the certificate, the browser can check if any malicious hoodlums are up to shenanigans by falsifying the certificate in an attempt to impersonate your website.
These last three headers are very important. But! Do take care and read up on how these headers work before applying them to a live site. These headers could easily make your website unavailable for visitors if implemented incorrectly. Check out www.securityheaders.io to read more about the different headers that are available and to check which headers are already implemented on your own website.
Tip 4: Verify your application's authentication attempts
It is a smart idea to log every authentication attempt against your Umbraco environment or private data. This way it'll be easier to discover unauthorized users trying to gain entry by:
- Checking whether there is a suspicious number of (failed) login attempts at any given time
- Checking whether there are attempts to log in at odd times
- Checking whether any attempts were made from suspicious IP addresses
- Seeing which users are making excessive login attempts
- Seeing which users have been locked out for exceeding the login attempt limit
Umbraco offers a couple of events with which you can log and check this behavior, but it does not provide this functionality out of the box. Fortunately, we love sharing our knowledge and expertise in this area, so we made a package that covers the bullet points above for you. Just download and install the package and you can easily keep a watchful eye on your CMS's gateway!
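As an added example (not the Perplex package and not Umbraco's own code), the five checks listed above run in Python over a handful of constructed log lines; the log format, the thresholds, the office hours and the trusted address prefix are all assumptions you would adapt to your own environment:

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not real Umbraco output); assumed format:
# "<ISO timestamp> <SUCCESS|FAILED|LOCKED> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2018-03-05T09:02:11 SUCCESS user=editor ip=10.0.0.5
2018-03-05T09:15:40 FAILED user=editor ip=10.0.0.5
2018-03-05T03:01:02 FAILED user=admin ip=203.0.113.9
2018-03-05T03:01:05 FAILED user=admin ip=203.0.113.9
2018-03-05T03:01:07 FAILED user=admin ip=203.0.113.9
2018-03-05T03:01:09 FAILED user=admin ip=203.0.113.9
2018-03-05T03:01:15 LOCKED user=admin ip=203.0.113.9
2018-03-05T14:30:00 SUCCESS user=admin ip=10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAILED|LOCKED) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def analyse(events, fail_threshold=3, window_minutes=10,
            office_hours=(7, 20), known_ips=("10.0.0.",)):
    """Run the five checks from the post and return the findings as a dict."""
    findings = {"odd_hours": [], "suspicious_ips": set(), "locked_users": set()}
    per_window, per_user_failed = Counter(), Counter()
    for ts, result, user, ip in events:
        if not office_hours[0] <= ts.hour < office_hours[1]:   # attempts at odd times
            findings["odd_hours"].append((ts.isoformat(), user, ip))
        if not ip.startswith(known_ips):                       # unknown source address
            findings["suspicious_ips"].add(ip)
        if result == "FAILED":
            # bucket failures into fixed windows to spot bursts and per-user excess
            bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            per_window[bucket] += 1
            per_user_failed[user] += 1
        elif result == "LOCKED":                                # lockout limit exceeded
            findings["locked_users"].add(user)
    findings["burst_windows"] = [w.isoformat() for w, n in sorted(per_window.items())
                                 if n >= fail_threshold]
    findings["excessive_users"] = [u for u, n in per_user_failed.items()
                                   if n >= fail_threshold]
    return findings
```

Running `analyse(parse_log(SAMPLE_LOG))` flags the 03:00 window as a burst, admin as an excessive and locked-out user, and 203.0.113.9 as an unknown source.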
Of course, keeping your Umbraco secure entails so much more than just these tips. But, even applying just these simple tricks will make a smashing impression during a security audit. Good luck!