Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more
AI OnAI Off
Navigation [hide]
[expand]
- Add-ons
- Architecture
- BLOB storage and providers
- Caching
- Client resources
- Configuration
- Configuring episerver
- Configuring episerver.dataStore
- Configuring episerver.framework
- Configuring episerver.packaging
- Configuring episerver.search
- Configuring episerver.shell
- Configuring module.config
- Configuring staticFile
- Configuring episerver.basicAuthentication
- Configuring .NET SignalR
- Configuring Image Service
- Configuring link validation
- Reading application settings programmatically
- Content
- Page types and templates
- Block types and templates
- IContentRepository and DataFactory
- Persisting IContent instances
- Synchronization
- Validation
- ContentType attribute
- Grouping content types and properties
- EditHint in MVC
- Creating a page programmatically
- Selecting content
- Converting page types for pages
- Refactoring content type classes
- Multilingual content
- Properties
- Built-in property types
- Restricting content types in properties
- Writing custom attributes
- Single or multiple list options
- Built-in auto-suggestion editor
- Property settings
- Property attributes
- Using a block as a property
- Property controls
- Custom properties
- Links
- Assets and media
- Media types and templates
- Working with media
- Content assets and folders
- Custom editing preview for media
- Providers
- Deployment
- Planning deployments
- Installing database schema
- Setting up multiple sites
- Content Delivery Network
- Configuring your email server
- Automatic schema updates
- Deployment scenarios
- Mirroring
- Storing UTC date and time in the database
- Database mode
- Dynamic content
- Configuring dynamic content
- Using interfaces to render Dynamic Content
- Creating UI settings for dynamic content
- Creating a plug-in
- Creating a Hello World dynamic content
- Dynamic data store
- Configuring Dynamic Data Store
- Indexing properties
- Mapping stores
- Supporting LINQ
- Identity and Date and time management
- Editing
- Event management
- Forms
- Globalization
- Determining languages
- Globalization scenarios
- Adding languages
- Localization service
- Localizing the user interface
- Configuring a custom localization provider
- Initialization
- Logging
- Personalization
- Projects
- Rendering
- TemplateDescriptor and tags
- Selecting templates
- Display options
- Display channels
- Using data source controls
- Adding edit hints without using Property web control
- Navigation menus and listings
- Creating a main menu
- Creating a submenu
- Reports
- Routing
- Scheduled jobs
- Search
- Search integration
- Searching and filtering
- Installing and deploying Search Service
- About Episerver full-text search client
- About Episerver full-text search service
- Configuring Episerver full-text search client
- Configuring Episerver full-text search service
- Searching for pages based on page type
- Adding search providers
- Security
- Authentication and authorization
- Virtual roles
- Configuring Active Directory membership provider
- Recommendations for ASP.NET security settings
- Securing edit and admin user interfaces
- Federated security
- Forms authentication
- OWIN authentication
- Configuring mixed-mode OWIN authentication
- Permissions to functions
- Protecting users from session hijacking
- Managing cookies on the website
- EPiServer AspNetIdentity
- Integrate Azure AD using OpenID Connect
- User interface
- Context-sensitive components
- Service locator
- Describing content in the UI
- Dialogs
- Shell profile
- Store architecture
- Drag-and-drop
- Message service pool
- Publish and subscribe messaging system
- Introduction to Dojo
- Using jQuery
- Plugging in a gadget
- Creating a component
- Extending the navigation
- Dashboard gadgets
- Controller options
- HTML helpers
- Client API and gadget instance
- Gadget styling
- Configuring Shell modules
- Setting up your environment
- Developing gadgets, step 1
- Developing gadgets, step 2
- Developing gadgets, step 3
- Developing gadgets, step 4
- Command Pattern
- Object editing
- Views
- Creating a view
- Creating a container
- Creating a component
- Creating a component for a Web Form
- Plugging in components into a view
- Modifying a view through configuration
- Hiding or controlling access to a component
- Replacing a component globally
- Configuring the dashboard
- WebSocket support
- User notifications
- Virtual path providers
Area:
Optimizely CMS
ARCHIVED This content is retired and no longer maintained. See the latest version here.
Security
Episerver is designed to meet high standards regarding security features within a wide range of scenarios. Login security in Episerver CMS is based on the authentication and authorization system uses the built-in membership and role system in ASP.NET. This document provides an overview of security management in Episerver. The Episerver platform also supports ADFS/SSO and OWIN.
Security management in Episerver CMS
The Episerver platform handles the following common security concerns.
- Authentication and authorization. The authentication in Episerver CMS is based on the ASP.NET built-in framework for role and membership providers. Episerver CMS uses a standard API that makes it easy to create your own provider for any type of user database, and third-party providers.
Note: Where and how user credentials are stored, depends on the authentication provider used. The separation of authentication and authorization increases flexibility. Making a call to a provider lets you delegate security operations to a separate machine, thereby increasing scalability. For infomation, see Authorization and Authentication. Episerver also supports single sign-on and federated claims based authenticaton.
- Injection projection. Episerver CMS code uses parameterized APIs so that injection attacks cannot be carried out from untrusted input. There are no code paths in Episerver CMS that uses untrusted data in XML-related calls.
- Cross-site scripting (XSS). In Episerver CMS, user input is filtered and validated to prevent XSS issues. Depending on the actual piece of information, Episerver applies HTML encoding to the outgoing data stream to protect from XSS attacks. The editorial and administrative interfaces are areas where you can post HTML and scripts and use as-is on a web page. Episerver CMS relies on its authorization features to ensure that only trusted users can provide content.
- Broken authentication and session management. The Episerver CMS authentication and authorization system is based on the ASP.NET built-in framework for role and membership. Episerver CMS does not rely on any session data, which increases security and improves scalability and performance because a browser session does not need server affinity from a security perspective. See also Protecting Users From Session Hijacking.
- Insecure direct object references. In Episerver CMS, the references always goes through at least one layer of indirection with appropriate access controls in place.
- Cross-site request forgery (CSRF). Episerver CMS has a CSRF prevention mechanism that automatically detects forged requests for system pages. The event validation mechanism in ASP.NET also is enabled for these pages. For the site pages, Episerver supports and provides optional anti-forgery validation and the event validation.
- Security misconfiguration. Any configuration in Episerver CMS is designed with secure by default in mind. Strong security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Each of these settings should be defined, implemented, and maintained because many are not shipped with secure enough defaults.
- Insecure cryptographic storage. Episerver CMS uses verified, strong algorithms. Only a small part of the Episerver CMS configuration information may contain sensitive information, such as the ConnectionStrings section. You can encrypt this information by the built-in .NET framework features. Episerver stores other system assets in an SQL database with full support of the native encryption mechanisms of the database.
- Failure to restrict URL access. Sensitive areas of Episerver CMS, such as the edit and admin user interfaces, are protected by default with the standard configuration. Information presented on public-facing web pages are subject to authorization based on the content that is displayed. Episerver CMS never relies on security through a secret URL.
- Transport layer protection. The single-most common piece of sensitive information that is transmitted on the network are the user credentials (username and password). Episerver CMS fully supports the use of SSL (HTTPS protocol), and the use of SSL is strongly recommended.
- Unvalidated redirects and forwards. There is an absolute minimum of redirects in Episerver CMS because they are undesirable for security and performance. Existing redirects are based on internal data or sanitized information.
- Virus protection. Episerver CMS relies on third-party products for virus protection. Episerver never executes files that are uploaded to the asset manager, preventing potential viruses inside files to spread to Episerver.
ADFS/SSO and OWIN support
The Episerver platform provides support for ADFS/SSO, and the OWIN standard interface between .NET web servers and applications. The following topics provide more information.
Related topics
Last updated: Sep 21, 2015
