Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more
AI OnAI Off
Navigation [hide]
[expand]
- Add-ons
- Architecture
- BLOB providers
- Caching
- Client resources
- Configuration
- Configuring .NET SignalR
- Configuring episerver
- Configuring episerver.basicAuthentication
- Configuring episerver.dataStore
- Configuring episerver.framework
- Configuring episerver.packaging
- Configuring episerver.search
- Configuring episerver.shell
- Configuring Image Service
- Configuring link validation
- Configuring Live Monitor
- Configuring module.config
- Configuring staticFile
- Reading application settings programmatically
- Content
- Providers
- Properties
- Built-in property types
- Built-in auto-suggestion editor
- Restricting content types in properties
- Single or multiple list options
- Writing custom attributes
- Custom properties
- Property attributes
- Property controls
- Property settings
- Assets and media
- Content assets and folders
- Custom editing preview for media
- Media types and templates
- Working with media
- Synchronization
- Selecting content
- Refactoring content type classes
- Persisting IContent instances
- Block types and templates
- Content
- Content Type attributes
- Converting page types for pages
- Creating a page programmatically
- Creating page templates and block controls
- Edit hints in MVC
- IContentRepository/DataFactory interface
- Links
- Localizing the user interface
- Page types and templates
- Deployment
- About the database
- Deployment Center
- Deployment scenarios
- Development environment
- Mirroring
- Planning deployments
- Setting up multiple sites
- Dynamic content
- Configuring dynamic content
- Creating a Hello World dynamic content
- Creating a plug-in
- Creating UI settings for dynamic content
- Using the interfaces
- Dynamic data store
- Editing
- EPiServer CMO
- Installing and configuring the aggregation service
- Integrating EPiServer CMO with external applications
- Configuring Live Monitor for multiple bindings
- Configuring the statistics handler
- Event management
- Globalization
- Initialization
- Localization
- Logging
- Personalization
- Rendering
- Adding edit hints without using Property web control
- Creating a main menu
- Creating a submenu
- Display channels
- Display options
- Navigation menus and listings
- Selecting template based on tag
- Template descriptor
- Using data source controls
- Reports
- Routing
- Scheduled jobs
- Search
- About EPiServer Full-Text Search Client
- About EPiServer Full-Text Search Service
- Adding search providers
- Configuring EPiServer Full-Text Search Client
- Configuring EPiServer Full-Text Search Service
- Installing and deploying Search Service
- Search integration
- Searching and filtering
- Searching for pages based on page type
- Security
- AspNet Identity OWIN authentication
- Authentication and authorization
- Configuring Active Directory membership provider
- Configuring Web Services authentication
- Federated security
- Forms authentication
- Managing cookies on the website
- Mixed mode OWIN authentication
- OWIN authentication
- Permissions to functions
- Protecting users from session hijacking
- Recommendations for ASP.NET security settings
- Securing edit and admin user interfaces
- Virtual roles
- User interface
- Command Pattern
- Context-sensitive components
- Creating a component
- Describing content in the UI
- Developing gadgets
- Dialogs
- Drag-and-drop
- Extending edit view
- Extending the navigation
- Introduction to Dojo
- Message service pool
- Object editing
- Publish and subscribe messaging system
- Service locator
- Shell profile
- Store architecture
- Technical overview
- Using jQuery
- Views
- Virtual path providers
- Workflows
- XForms
Area:
Optimizely CMS
ARCHIVED This content is retired and no longer maintained. See the latest version here.
Security
Introduction
EPiServer CMS is designed to meet high standards regarding security features within a wide range of scenarios. Login security in EPiServer is based on the authentication and authorization system uses the built-in membership and role system in ASP.NET. This section provides an overview of security management in EPiServer CMS.
Security management in EPiServer CMS
In the following we describe some common security concerns, and the way they are handled in the EPiServer platform.
- Authentication and authorization. The authentication in EPiServer CMS is based on the ASP.NET built-in framework for role and membership providers. EPiServer CMS uses a standard API which makes it easy to create your own provider for any type of user database, as well as third-party providers. Note that where and how user credentials are stored, depends entirely on the authentication provider used. The separation of authentication and authorization increases flexibility. Making a call to a provider makes it possible to delegate security operations to a separate machine, thereby increasing scalability. Find out more about this area in the section Authorization and Authentication. Single sign-on and federated claims based authenticaton is also supported.
- Injection projection. All code in EPiServer CMS use parameterized APIs to make sure that injection attacks cannot be carried out from untrusted input. There are no code paths in EPiServer CMS that uses untrusted data in XML-related calls.
- Cross-site scripting (XSS). In EPiServer CMS, user input is filtered and validated to prevent these issues. Depending on the actual piece of information, HTML encoding is also applied to the outgoing data stream to protect from XSS attacks. The editorial and administrative interfaces are areas where HTML and scripts are sometimes allowed to be posted and used as-is on a web page. Here, EPiServer CMS relies on its authorization features to ensure that only trusted users can provide content.
- Broken authentication and session management. The authentication and authorization system in EPiServer CMS is based on the ASP.NET built-in framework for role and membership. EPiServer CMS does not rely on any session data, which increases security as well as improves scalability and performance since a browser session does not need server affinity from a security perspective. See also the section Protecting Users From Session Hijacking.
- Insecure direct object references. In EPiServer CMS the references always goes through at least one layer of indirection with appropriate access controls in place.
- Cross-site request Forgery (CSRF). EPiServer CMS has a CSRF prevention mechanism that automatically detects forged requests for all system pages. The event validation mechanism in ASP.NET is also enabled for these pages. For the site pages, EPiServer supports and provides optional anti-forgery validation as well as the event validation.
- Security misconfiguration. Any configuration in EPiServer CMS is designed with “secure by default” in mind. Strong security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure enough defaults.
- Insecure cryptographic storage. EPiServer CMS uses verified, strong algorithms. Only a small part of the EPiServer CMS configuration information may contain sensitive information such as the ”ConnectionStrings” section. This information can optionally be encrypted by the built-in .NET framework features. Other system assets are stored in an SQL database with full support of the native encryption mechanisms of the database.
- Failure to restrict URL access. Sensitive areas of EPiServer CMS such as the edit and admin user interfaces, are protected by default with the standard configuration. Information presented on public-facing web pages are subject to authorization based on the content that is displayed. In no case does EPiServer CMS rely on security through a secret URL.
- Transport layer protection. The single most common piece of sensitive information that is transmitted on the network are the user credentials (username and password). EPiServer CMS fully supports the use of SSL (HTTPS protocol), and the use of SSL is strongly recommended.
- Unvalidated redirects and forwards. There is an absolute minimum of redirects in EPiServer CMS since they are undesirable both from a security standpoint as well as performance. Existing redirects are based on internal data or sanitized information.
- Virus protection. EPiServer CMS relies on third-party products for virus protection. Note that files that are uploaded to the asset manager in EPiServer, will never be executed by the system, preventing potential viruses inside files to spread from there to EPiServer.
See also
Last updated: Mar 31, 2014
