08 Jun, 2017 | Fyin.com

Securing your Umbraco site the right way

- Sebastiaan Janssen

Similar to Raabye's presentation, Sebastiaan's goal, as he stated bluntly, was to scare us all into doing more to protect our Umbraco sites from being hacked. One of the key phrases that really stuck with me was:

"On the internet, attack is easier than defense. The attacker just has to find one vulnerability - one unsecured avenue for attack - and gets to choose how and when to attack. It's simply not a fair battle." - Bruce Schneier

An important thing to note is that Umbraco consults with OWASP (Open Web Application Security Project) and does regular security audits to make sure the CMS itself follows best practices. On top of the 'out of the box' protections, there are several things you can do yourself to protect your sites. Keeping up with Umbraco patches and serving the site over HTTPS with a valid SSL/TLS certificate are two of the simplest. Umbraco has also raised the default minimum password length for users to 10 characters and updated the default password hashing.

Some of the bigger takeaways from this talk were the websites and tools you can use to stay proactive. SSL Labs has automated tests that run your server, browser, and website through a gamut of checks and give you feedback on how to improve. My new favorite website is https://haveibeenpwned.com/. This site lets you check your email address against data breaches from a plethora of websites, so you can find out if any of your accounts have been compromised.

HTTP Strict Transport Security (HSTS) is another great mechanism for combating protocol downgrade attacks and cookie hijacking: the server declares that browsers should ONLY interact with the site over a secure HTTPS connection, and the browser remembers that for as long as the header's max-age says. If you're really looking to go deep into protecting your website, check out Content Security Policy (CSP), which helps prevent cross-site scripting, clickjacking and other injection-based attacks by telling the browser which sources scripts, frames and other content may come from.

And last, but not least, for the die-hard security fans out there: HTTP Public Key Pinning (HPKP). The upside is that it tells a web client to associate a specific cryptographic public key with your web server, which cuts the risk of man-in-the-middle attacks using fraudulent certificates. The downside is that it can be incredibly intimidating: pin the wrong key, or lose the key you pinned, and you can brick your site for the full max-age you advertised, which can be two years (or until everyone who has ever visited your website re-installs their browser...). Since this talk, the major browsers have dropped HPKP support altogether, so in practice it is no longer a control you can rely on.
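As an added example (not code from the talk, from Umbraco or from Fyin.com), here is a small header audit in the spirit of the SSL Labs check described above: it parses a raw HTTP response and flags a missing or weak HSTS policy, a CSP that still lets injected script run, and an HPKP header that would lock visitors out if a key were lost. The three sample responses are constructed inline, and the thresholds (a 180-day HSTS floor, a 60-day HPKP ceiling, two pins minimum) are assumptions stated in the comments rather than anything the talk prescribed.

```python
"""Audit HSTS, CSP and HPKP on a raw HTTP response (added example, not Umbraco code)."""
import re

# Assumption: 180 days is the max-age floor SSL Labs expects for its top grade.
HSTS_MIN_AGE = 180 * 24 * 3600
# Assumption: a pin cached longer than 60 days is more outage risk than most sites want.
HPKP_MAX_AGE = 60 * 24 * 3600

# Constructed sample: HTTPS is on, but no hardening headers are sent.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
"""

# Constructed sample: HSTS with a one-year max-age and a strict CSP.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""

# Constructed sample: inline script allowed, and a single pin held for two years.
PINNED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; max-age=63072000
"""


def parse_headers(raw):
    """Return {lower-case name: [values]} for the header block; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def parse_csp(value):
    """CSP directives are space-separated: "script-src 'self'" -> {'script-src': ["'self'"]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_hsts(values):
    if not values:
        return ["HSTS: header missing; downgrade and cookie-stealing over plain HTTP stay possible"]
    d = parse_directives(values[0])
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["HSTS: max-age missing or not an integer; browsers ignore the policy"]
    findings = []
    if max_age < HSTS_MIN_AGE:
        findings.append(f"HSTS: max-age {max_age}s is below the {HSTS_MIN_AGE}s floor")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing; an HTTP subdomain can still leak parent-domain cookies")
    return findings


def check_csp(values):
    if not values:
        return ["CSP: header missing; XSS and clickjacking protection rely on browser defaults only"]
    findings = []
    policy = parse_csp(values[0])
    scripts = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
    if scripts is None:
        findings.append("CSP: neither script-src nor default-src set; scripts load from any origin")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"CSP: script-src allows {weak}, so injected script can still run")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("CSP: object-src unrestricted; plugin content is another script-execution vector")
    if "frame-ancestors" not in policy:
        findings.append("CSP: frame-ancestors missing; the page can be framed (clickjacking)")
    return findings


def check_hpkp(values):
    if not values:
        return []  # absence is fine: pinning is optional and, as the talk warns, risky
    findings = []
    pins = re.findall(r'pin-sha256="([^"]+)"', values[0])
    max_age = int(parse_directives(values[0]).get("max-age", "0") or 0)
    if len(pins) < 2:
        findings.append("HPKP: fewer than two pins; without a backup pin a key rotation locks visitors out")
    if max_age > HPKP_MAX_AGE:
        findings.append(f"HPKP: max-age {max_age}s exceeds {HPKP_MAX_AGE}s; a pinning mistake stays cached that long")
    return findings


def audit(raw):
    """Return all findings for one raw response; an empty list means nothing was flagged."""
    h = parse_headers(raw)
    return (check_hsts(h.get("strict-transport-security", []))
            + check_csp(h.get("content-security-policy", []))
            + check_hpkp(h.get("public-key-pins", [])))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE), ("pinned", PINNED_RESPONSE)):
        print(label, audit(raw) or "OK")
```

To run it against a live site, capture the response with `curl -sI https://example.com` and pass that text to `audit()`; the parser only needs the status line followed by the header block.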


Posted By: Scott
