08 Jun, 2017 | Fyin.com

Securing your Umbraco site the right way

- Sebastiaan Janssen

Similar to Raabye's presentation, Sebastiaan's goal, as he stated bluntly, was to scare us all into doing more to protect our Umbraco sites from being hacked. One of the key phrases that really stuck with me was:

"On the internet, attack is easier than defense. The attacker just has to find one vulnerability - one unsecured avenue for attack - and gets to choose how and when to attack. It's simply not a fair battle." - Bruce Schneier

An important thing to note is that Umbraco consults with OWASP (Open Web Application Security Project) and does regular security audits to ensure they are following best practices to keep the CMS secured. In addition to the 'out of the box' security protections, there are several additional ways to ensure you are doing the most to protect your sites. Staying on top of Umbraco patches and utilizing SSL certificates are two of the simplest ways to stay ahead. Umbraco has also updated the password requirements for users to a minimum of 10 characters and has updated the default password hashing.

Some of the even bigger takeaways from this particular talk were the websites and software that you can use to stay proactive in maintaining security best practices. SSL Labs has automated tests that will run your server, browser, and website through a gamut of checks and give you feedback on how to improve. My new favorite website is https://haveibeenpwned.com/. This site allows you to check your email address against data breaches from a plethora of websites so you can find out if you've been compromised anywhere.

HTTP Strict Transport Security (HSTS) is another great mechanism to help combat protocol downgrade attacks as well as cookie hijacking: it allows a server to declare that browsers should ONLY interact with the website over a secure HTTPS connection. If you're really looking to go deep into the protection of your website, you can check out Content Security Policy (CSP), which helps prevent cross-site scripting, clickjacking and other injection-based attacks. And last, but not least, for those die-hard security fans out there: HTTP Public Key Pinning (HPKP). This, however, can also be incredibly intimidating, as you can brick your site for 2 years (or until everyone that has ever visited your website re-installs their browser...). The pro of this feature is that it tells a web client to associate a specific cryptographic public key with a certain web server, which decreases the risk of Man-in-the-Middle attacks using fake certificates.
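To turn the HSTS, CSP and HPKP advice above into something you can actually check, here is an added example (not code from the talk, from Umbraco, or from SSL Labs) that audits a set of HTTP response headers and reports the weaknesses discussed: a missing or short-lived HSTS policy, a CSP that still permits inline scripts, and an HPKP header with no backup pin. The header dictionaries at the bottom are constructed samples; the pin value is a placeholder, not a real key hash. In practice you would feed in the headers captured from your own site (for example from `curl -I`) rather than the samples.

```python
"""Audit HTTP response headers for HSTS, Content-Security-Policy and HPKP.

Added example; the sample headers below are constructed for illustration.
"""
import re

# Six months in seconds. Browser preload lists ask for a year or more,
# so anything shorter than this gives little real protection.
MIN_HSTS_MAX_AGE = 15552000


def _directives(value):
    """Parse 'max-age=31536000; includeSubDomains' into a lowercase
    name -> value dict (flags without a value map to '')."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def _csp_directives(value):
    """Parse a CSP header into {directive: [source, ...]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _max_age(directives):
    try:
        return int(directives.get("max-age", "0"))
    except ValueError:
        return 0


def audit_security_headers(headers):
    """Return a list of (severity, message) findings for a dict of
    response headers; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing: browsers may still talk plain HTTP "
                                 "(downgrade attacks, cookie hijacking)"))
    else:
        d = _directives(hsts)
        age = _max_age(d)
        if age < MIN_HSTS_MAX_AGE:
            findings.append(("medium", f"HSTS max-age={age} is too short; "
                                       f"use at least {MIN_HSTS_MAX_AGE}"))
        if "includesubdomains" not in d:
            findings.append(("low", "HSTS lacks includeSubDomains: subdomains "
                                    "remain reachable over HTTP"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing: no browser-side "
                                   "defence against XSS or clickjacking"))
    else:
        c = _csp_directives(csp)
        script = c.get("script-src", c.get("default-src", []))
        if any(s.lower() in ("'unsafe-inline'", "*") for s in script):
            findings.append(("medium", "CSP script-src allows 'unsafe-inline' or *, "
                                       "which defeats its XSS protection"))
        if "frame-ancestors" not in c:
            findings.append(("low", "CSP lacks frame-ancestors: clickjacking "
                                    "is not mitigated by this policy"))

    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        age = _max_age(_directives(hpkp))
        if len(pins) < 2:
            findings.append(("high", "HPKP has no backup pin: rotating the key "
                                     f"locks returning visitors out for {age} seconds"))
        findings.append(("info", f"HPKP present: a wrong pin set bricks the site "
                                 f"for {age} seconds ({age // 86400} days)"))
    return findings


# Constructed samples: a default-looking ASP.NET response, a hardened one,
# and one that pins a single (placeholder) key for two years.
WEAK_HEADERS = {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}
PINNED_HEADERS = dict(HARDENED_HEADERS)
PINNED_HEADERS["Public-Key-Pins"] = 'pin-sha256="PLACEHOLDER_PIN_NOT_A_REAL_HASH="; max-age=63072000'

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS),
                       ("pinned", PINNED_HEADERS)):
        print(name)
        for sev, msg in audit_security_headers(hdrs) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The HPKP branch is deliberately noisy: even a correct header gets an informational finding stating how long a mistake would lock visitors out, because that lock-out duration (63072000 seconds is the two years the talk warned about) is the cost you are signing up for. Roll CSP out with `Content-Security-Policy-Report-Only` first so you see what an Umbraco site's inline scripts would break before enforcing it.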


Posted By: Scott