Secure your Umbraco


Security is a hot topic right now, and with the General Data Protection Regulation (GDPR) on its way it will only become more important. Over the last couple of years I have been specializing in security and have tried to combine that with my love for Umbraco. After dozens of security audits (executed by international organizations against our own Umbraco installations) and with my own views on security, I would like to use this blog to pass along some tips and tricks that are easy to apply to your own installations.

The most important thing to keep in mind when thinking about security is to have a layered defense. Unfortunately there is no magic trick that will automatically protect you against every threat out there. If you use several layers of defense, then even when one layer is defeated there are still others to protect you. And always remember: you don't need to outrun the bear, just your friends. Worried about the security of your Umbraco environment and how to keep it safe? I've got your back with a few quick tips!

Tip 1: Use HTTPS

It's 2018, people! There is no conceivable reason left to run your site without HTTPS. The future is now! Nowadays you can get a certificate for (almost) nothing from vendors like Let's Encrypt. Browsers already flag pages that contain a form while being served over plain HTTP, and the next step is a 'Not secure' warning on every HTTP page your visitors open.

Not convinced yet? Keep in mind that Google gives a site running under HTTPS a slight ranking advantage. Furthermore, IIS 10 on Windows Server 2016 (and on Windows 10) will serve your website over HTTP/2, which only works on top of HTTPS and provides a significant speed boost. After installing your certificate, check that the server's TLS configuration is sound (protocol versions, cipher suites and known vulnerabilities left open by missing patches). The SSL Labs server test does exactly that for you.

Tip 2: IP lock your Umbraco

This is without a doubt my favorite tip, but sadly it doesn't see much use out in the wild yet. It is easy to secure the admin area of Umbraco (or any other CMS) and keep out unauthorized users: just block every IP address that does not belong to you or your client from accessing the Umbraco folder. My advice is to IP lock every folder of your Umbraco installation except the css, media and scripts folders, since those serve the public site.

Why is this important? Well, other than you and your clients, no one has any business messing around in there. So why let anyone else have access and see all the information available in your CMS? Try our scanning bot to see whether it can discover that you're using Umbraco and, if so, just how much more it can find out. It will probably work out in no time which Umbraco version you're using and maybe even which packages.
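The following script is an added example and not code from the original post: it applies the IP lock described above with the IIS "IP and Domain Restrictions" feature, which is what an IIS-hosted Umbraco installation would use. Everything site-specific is an assumption to adjust: the IIS site name 'Default Web Site', the RFC 5737 documentation addresses that stand in for your own office range and your client's fixed IP, and the folder list, which matches a default Umbraco 7 layout. One caveat the tip itself does not mention: Umbraco routes public traffic under /umbraco too (form posts to SurfaceControllers at /umbraco/Surface/..., front-end calls to UmbracoApiControllers at /umbraco/Api/...), so those two sub-paths are opened again, otherwise contact forms and similar stop working for visitors. Verify that carve-out against your own installation after applying.

```powershell
# Added example, not code from the original post: IP-lock the non-public folders of an
# Umbraco site with IIS "IP and Domain Restrictions" (system.webServer/security/ipSecurity).
# Assumptions (adjust to your installation): site name, the allowed addresses (RFC 5737
# documentation space), and the folder list (default Umbraco 7 layout).
# Needs IIS 8 or later and the role service, installed once with:
#   Install-WindowsFeature Web-IP-Security
# Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$site    = 'Default Web Site'
$apphost = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config: ipSecurity is locked against web.config by default
$filter  = 'system.webServer/security/ipSecurity'

$allowed = @(
    @{ ipAddress = '203.0.113.0';   subnetMask = '255.255.255.0'   },   # our office range (hypothetical)
    @{ ipAddress = '198.51.100.42'; subnetMask = '255.255.255.255' }    # the client's fixed IP (hypothetical)
)

# Folders the back-office and packages serve. css, media and scripts stay open for the public site.
$lockedFolders = @('umbraco', 'umbraco_client', 'App_Plugins', 'config', 'Views')

# Public routes that also live under /umbraco: SurfaceController form posts and
# UmbracoApiController calls. Opened again so visitors can still use forms on the site.
$publicSubPaths = @('umbraco/Surface', 'umbraco/Api')

function Set-IpLock {
    param([string]$Location, [bool]$AllowUnlisted)
    # Start from a clean section so re-running the script does not duplicate entries.
    Clear-WebConfiguration -PSPath $apphost -Location $Location -Filter $filter
    Set-WebConfigurationProperty -PSPath $apphost -Location $Location -Filter $filter -Name 'allowUnlisted' -Value $AllowUnlisted
    # Blocked requests get a 404, so the folder does not even reveal that it exists.
    Set-WebConfigurationProperty -PSPath $apphost -Location $Location -Filter $filter -Name 'denyAction' -Value 'NotFound'
    if (-not $AllowUnlisted) {
        foreach ($entry in $allowed) {
            Add-WebConfigurationProperty -PSPath $apphost -Location $Location -Filter $filter -Name '.' `
                -Value @{ ipAddress = $entry.ipAddress; subnetMask = $entry.subnetMask; allowed = 'True' }
        }
    }
}

foreach ($folder in $lockedFolders) { Set-IpLock -Location "$site/$folder" -AllowUnlisted $false }
foreach ($path in $publicSubPaths)  { Set-IpLock -Location "$site/$path"   -AllowUnlisted $true }

# Read back what IIS will enforce for the back-office folder.
Get-WebConfiguration -PSPath $apphost -Location "$site/umbraco" -Filter $filter |
    Select-Object allowUnlisted, denyAction
Get-WebConfiguration -PSPath $apphost -Location "$site/umbraco" -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Two things to check before relying on this. First, if the site sits behind a load balancer, reverse proxy or CDN, IIS sees that device's address, not the visitor's; on IIS 8.5 and later the same section has an enableProxyMode attribute that makes it evaluate X-Forwarded-For instead, and the proxy must then strip any X-Forwarded-For header that clients send themselves. Second, test the site from an address that is not on the list: the back-office must return 404, while a public page with a form must still submit.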

Tip 3: Use the right response headers

There are six security headers that will let you increase your websites security relatively easily. Three of them are no-brainers and should be added to each website. These three can be added without any major repercussions:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • X-XSS-Protection: 1; mode=block

In fact, the Umbraco Health Check dashboard (Developer section, Umbraco 7.5 and later) checks for exactly these headers and tells you which ones are missing. So, what are you waiting for?

Besides these three, there are three more headers that are a little harder to implement correctly, but they also provide more security.

  • Strict-Transport-Security: tells the browser that this website must always be loaded over HTTPS, so it should not even try HTTP. With the value max-age=31536000; includeSubDomains; preload the instruction stays valid for a year and covers all subdomains, and preload marks the domain as eligible for the browsers' built-in HSTS list. Only add includeSubDomains and preload once every subdomain really is reachable over HTTPS; a preloaded domain cannot be taken off that list quickly.
  • Content-Security-Policy: one of the trickier headers to get right. It lets you declare which kinds of resources (scripts, styles, images, frames and so on) your pages may load and from which origins they may come. Anything that does not come from an allowed origin or is not an allowed resource type is blocked by the browser. Start with Content-Security-Policy-Report-Only, which reports violations without blocking anything.
  • Public-Key-Pins: another HTTPS-related header. It lists hashes of the public keys the browser may trust for your site, so the browser can detect malicious hoodlums up to shenanigans with a forged certificate in an attempt to impersonate your website. Be aware that Chrome announced the deprecation of HPKP in late 2017, and that a mistaken pin locks every visitor out of your site until its max-age expires, so most sites are better off leaving this one out.

These last three headers are very important. But! Do take care and read up on how these headers work before applying them to a live site; implemented incorrectly they can easily make your website unavailable to visitors. Use an online header scanner to read more about the different headers that are available and to check which ones your own website already sends.
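As an added example (not code from the original post), here is how the headers above are added to an IIS-hosted Umbraco site through system.webServer/httpProtocol/customHeaders, with the corrected values. The site name 'Default Web Site' and the hostname www.example.com are placeholders, and the Content-Security-Policy is a starting point for a typical Umbraco front-end, sent in report-only mode so you can collect violations before enforcing it. Public-Key-Pins is deliberately left out for the reasons given above.

```powershell
# Added example, not code from the original post: set the security response headers on an IIS site.
# Assumptions: site name 'Default Web Site', HTTPS already working on it, www.example.com as
# a placeholder hostname for the final check. Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$site    = 'Default Web Site'
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/httpProtocol/customHeaders'

$headers = [ordered]@{
    # The three no-brainers.
    'X-Content-Type-Options' = 'nosniff'
    'X-Frame-Options'        = 'SAMEORIGIN'
    'X-XSS-Protection'       = '1; mode=block'
    # One year, covering subdomains. 'preload' is left off on purpose: add it only once every
    # subdomain is HTTPS-only, because a preloaded domain cannot be taken back quickly.
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    # Report-only first: the browser reports violations (console, and report-uri if you add one)
    # but blocks nothing. Rename to Content-Security-Policy once the reports are clean.
    'Content-Security-Policy-Report-Only' = "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; frame-ancestors 'self'"
}

foreach ($h in $headers.GetEnumerator()) {
    # Drop any existing entry with the same name so the script can be re-run safely.
    Remove-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
        -AtElement @{ name = $h.Key } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name '.' `
        -Value @{ name = $h.Key; value = $h.Value }
}

# Check what the live site actually sends (replace the placeholder hostname with your own).
$response = Invoke-WebRequest -Uri 'https://www.example.com/' -UseBasicParsing
foreach ($name in $headers.Keys) {
    '{0}: {1}' -f $name, "$($response.Headers[$name])"
}
```

Expect violation reports from /umbraco as soon as the policy is enforced: the Umbraco back-office relies on inline scripts and styles, so keep the strict policy for the public site and relax it for the umbraco path (a location-scoped customHeaders section for that folder) rather than weakening it everywhere. Strict-Transport-Security is only honored by browsers when it arrives over HTTPS; sending it on HTTP responses as this configuration does is harmless, but make sure HTTP requests are redirected to HTTPS before you turn the header on.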

Tip 4: Monitor your application's authentication attempts

It is a smart idea to log every authentication attempt against your Umbraco environment or private data. That makes it much easier to discover unauthorized users trying to gain entry, by:

  • Checking whether there is a suspicious number of (failed) login attempts at any given time
  • Checking whether there are attempts to log in at odd times
  • Checking whether any attempts were made from suspicious IP addresses
  • Seeing which users are making excessive login attempts
  • Seeing which users have been locked out for exceeding the login attempt limit

Umbraco raises events you can hook into to log and check this behavior, but it does not provide this reporting out of the box. Fortunately, we love sharing our knowledge and expertise in this area, so we made a package that handles the bullet points above for you. Just download and install the package and you can easily keep a watchful eye on your CMS's gateway!
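To show what the five checks above look like as detection logic, here is an added example that is neither the package mentioned above nor code from the original post. It runs over back-office login log lines and reports failure bursts per address and per user, off-hours attempts, unknown source addresses and lockouts. The log lines are constructed for this example in the shape of Umbraco 7's log4net output; the message text matched by $pattern is an assumption to check against what your version actually writes, and the '203.0.113.' prefix (RFC 5737 documentation space) stands in for your own office network.

```powershell
# Added example, not code from the original post or its package: detection logic over
# back-office login log lines. Sample lines are CONSTRUCTED in the shape of Umbraco 7's
# log4net output; adapt $pattern to the exact message text your version logs.
$sampleLog = @'
2018-03-01 03:41:08,210 [P1234/D2/T3] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username editor from IP address 203.0.113.10
2018-03-01 09:12:31,456 [P1234/D2/T5] INFO  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt succeeded for username editor from IP address 203.0.113.10
2018-03-01 09:13:02,001 [P1234/D2/T7] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77
2018-03-01 09:13:09,330 [P1234/D2/T7] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77
2018-03-01 09:13:15,812 [P1234/D2/T8] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77
2018-03-01 09:13:21,144 [P1234/D2/T8] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77
2018-03-01 09:13:27,590 [P1234/D2/T9] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77
2018-03-01 09:13:33,072 [P1234/D2/T9] WARN  Umbraco.Core.Security.BackOfficeSignInManager - Login attempt failed for username admin from IP address 198.51.100.77, the user is locked
'@

# Assumed message format; the named groups are what the rest of the script works with.
$pattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) .*? - Login attempt (?<result>succeeded|failed) for username (?<user>\S+) from IP address (?<ip>[0-9a-fA-F.:]+)(?<locked>, the user is locked)?\s*$'

function ConvertFrom-LoginLogLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss,fff', [cultureinfo]::InvariantCulture)
                Result = $Matches['result']
                User   = $Matches['user']
                Ip     = $Matches['ip']
                Locked = [bool]$Matches['locked']
            }
        }
    }
}

function Get-LoginFinding {
    param(
        [object[]]$Events,
        [int]$FailureThreshold = 5,                        # this many failures per IP (or per user)...
        [timespan]$Window = [timespan]::FromMinutes(10),   # ...inside this window count as a burst
        [int]$OfficeStartHour = 7,
        [int]$OfficeEndHour = 19,
        [string[]]$KnownPrefixes = @('203.0.113.')         # hypothetical office network (crude prefix match)
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Subject, $Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Subject = $Subject; Detail = $Detail })
    }
    $failures = @($Events | Where-Object { $_.Result -eq 'failed' })

    # Bursts: N failures inside the window, counted per source address and, separately, per user.
    foreach ($key in 'Ip', 'User') {
        foreach ($group in ($failures | Group-Object -Property $key)) {
            $times = @($group.Group | ForEach-Object { $_.Time } | Sort-Object)
            for ($i = 0; ($i + $FailureThreshold) -le $times.Count; $i++) {
                if (($times[$i + $FailureThreshold - 1] - $times[$i]) -le $Window) {
                    Add-Finding "Failure burst per $key" $group.Name ('{0} failures, {1} of them within {2} minutes' -f $times.Count, $FailureThreshold, $Window.TotalMinutes)
                    break
                }
            }
        }
    }
    # Attempts outside office hours, successful or not.
    foreach ($e in $Events | Where-Object { $_.Time.Hour -lt $OfficeStartHour -or $_.Time.Hour -ge $OfficeEndHour }) {
        Add-Finding 'Off-hours attempt' $e.User ('{0} at {1:HH:mm} from {2}' -f $e.Result, $e.Time, $e.Ip)
    }
    # Attempts from addresses outside the networks we expect logins from.
    foreach ($group in ($Events | Where-Object { $ip = $_.Ip; -not ($KnownPrefixes | Where-Object { $ip.StartsWith($_) }) } | Group-Object -Property Ip)) {
        Add-Finding 'Unknown source address' $group.Name ('{0} attempts' -f $group.Count)
    }
    # Users that hit the lockout limit.
    foreach ($group in ($Events | Where-Object { $_.Locked } | Group-Object -Property User)) {
        Add-Finding 'Account locked out' $group.Name ('last seen from {0}' -f @($group.Group)[-1].Ip)
    }
    return $findings
}

$events   = @($sampleLog -split '\r?\n' | ConvertFrom-LoginLogLine)
$findings = Get-LoginFinding -Events $events
$findings | Format-Table -AutoSize
```

On the constructed sample this reports a failure burst for 198.51.100.77 and for the user admin, the 03:41 attempt by editor as off-hours, 198.51.100.77 as an unknown source with six attempts, and admin as locked out. To run it against a real installation, replace $sampleLog with Get-Content on the current file in App_Data\Logs and schedule it; the interesting design choice is the sliding window, which catches a slow, spread-out guess attack that a plain per-hour count would miss.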


Of course, keeping your Umbraco secure entails so much more than just these tips. But, even applying just these simple tricks will make a smashing impression during a security audit. Good luck!

Do you have questions about the security of your Umbraco website? Please feel free to contact us or send us an email.
