Securing your Umbraco site the right way

08 Jun, 2017 |

Securing your Umbraco site the right way

- Sebastiaan Janssen

Similar to Raabye's presentation, Sebastiaan's goal, as he stated bluntly, was to scare us all into doing more to protect our Umbraco sites from being hacked. One of the key phrases that really stuck with me was:

"On the internet, attack is easier than defense. The attacker just has to find one vulnerability - one unsecured avenue for attack - and gets to choose how and when to attack. It's simply not a fair battle." - Bruce Schneier

An important thing to note is that Umbraco consults with OWASP (Open Web Application Security Project) and does regular security audits to ensure they are following best practices to keep the CMS secure. In addition to the 'out of the box' security protections, there are several additional ways to ensure you are doing the most to protect your sites. Staying on top of Umbraco patches and using SSL certificates are two of the simplest ways to stay on top of things. Umbraco has also updated the password requirements for users to a minimum of 10 characters and has updated the default password hashing.

Some of the even bigger takeaways from this particular talk were the websites and software you can use to stay proactive in maintaining security best practices. SSL Labs has automated tests that will run your server, browser, and website through a gamut of tests and give you feedback on how to improve. My new favorite website is one that allows you to check your email address against data breaches from a plethora of websites, so you can find out if you've been compromised anywhere.

HTTP Strict Transport Security (HSTS) is another great mechanism to help combat protocol downgrade attacks as well as cookie hijacking: it allows servers to declare that browsers should ONLY interact with a website over a secure HTTPS connection. If you're really looking at going deep into the protection of your website, you can check out Content Security Policies (CSP), which help prevent cross-site scripting, clickjacking and other injection-based attacks.

And last, but not least, for those die-hard security fans out there: HTTP Public Key Pinning (HPKP). This, however, can also be incredibly intimidating, as you can brick your site for 2 years (or until everyone who has ever visited your website re-installs their browser...). The pro of this security feature is that it tells a web client to associate a specific cryptographic public key with a certain web server, decreasing the risk of Man in the Middle attacks with fake certificates.
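As an added example (not from the talk, and not Umbraco's own code), here is a web.config fragment for an Umbraco site on IIS that forces HTTPS and sends the HSTS and CSP headers described above. The rule names, the one-year max-age and the CSP source list are assumptions to be tuned for your own site.

```xml
<!-- Added example: IIS web.config fragment for an Umbraco site.
     Merge into your existing <system.webServer> section; all values are assumptions. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Send every plain-HTTP request to HTTPS first: HSTS only takes effect once
             the browser has seen the header over a valid HTTPS connection. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Attach HSTS only to HTTPS responses (browsers ignore it on HTTP anyway).
             max-age is one year; drop includeSubDomains if any subdomain is still HTTP-only,
             because the header applies to every subdomain visitors have seen it for. -->
        <rule name="Add HSTS header" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- Start in Report-Only mode and watch the browser console, especially on /umbraco:
             the back office can rely on inline scripts and styles, so a strict policy may
             break it until the allowed sources are tuned. Rename the header to
             Content-Security-Policy once nothing legitimate is being reported. -->
        <add name="Content-Security-Policy-Report-Only"
             value="default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; object-src 'none'" />
        <!-- Clickjacking defence for browsers that do not honour frame-ancestors. -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- Stop advertising the server stack. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

HPKP is left out on purpose: as the talk warns, a wrong pin locks visitors out for the pin's whole lifetime, and the major browsers have since dropped HPKP support altogether.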

Posted By: Scott
