Security Concerns You Need To Consider When Developing an Umbraco website
Wed 28 December, 2016 / By Jon D Jones
Umbraco security should be a topic of huge importance for every website owner. Google blacklists over 20,000 websites each week and Cybercrime damages are expected to cost the world $6 trillion by 2021. If you are serious about your brand, your company and your website, then you need to consider some Umbraco security best practices.
It seems like every week there's a new update, framework or design pattern being released, and keeping up to date with good practices is a common challenge for web developers. With these new innovations come new vulnerabilities and threats. In this guide, I'll share some useful security advice to help you protect your website against hackers and malware.
Use HTTPS: HTTPS creates a secure connection between your visitor's browser and your website. HTTPS will prevent man-in-the-middle (MITM) attacks, where someone tries to intercept the data being sent from a customer to you. HTTPS is relatively easy to set up and the annual cost is minimal, so there really shouldn't be an excuse for not implementing it. HTTPS can also give you SEO benefits (see Umbraco SEO, HTTP or HTTPS?).
Use Secure Cookies: Now that your website is running over HTTPS, you should also make sure that your cookies are marked secure. This can be done via your web.config.
Don't Leave Your Umbraco Editor URL Public: One obvious way for an attacker to ruin your brand or steal data is to log into the Umbraco editor and change your content. When you release an Umbraco site, if anyone types www.website.com/umbraco into their browser they will see the Umbraco log-in screen. From here, they can attempt to brute-force their way into your website. One simple and quick way to secure your website is to disable the editor on your main website URL. There are several ways to do this, including How To Change The Umbraco 7 Admin Url and How To Change The Umbraco Backend Url. My recommendation is to create a sub-domain like admin.website.com and only allow access to the Umbraco backend through this URL (see the second link above).
Do Not Use 'admin': Do not create a user account called 'Admin' for your main administrator account, as this will be the first account people will try to brute-force. Also, only add new user accounts with care. The fewer accounts that have access to Umbraco, the harder it will be to get in. Don't use short, simple dictionary words for your password; try random words with a mix of characters. The longer a password is, the harder it is to crack, so a minimum of 9 characters is a good recommendation.
User Permissions: If you have users that only update content, don't give everyone default 'admin' permissions. The more accounts you can lock down the more secure your website will become. The other benefit of locking Umbraco down is that if something goes wrong, it's a lot easier to figure out who did what.
Validate Any Form Data: One of the most common ways people can hack into your website is through forms. If you have a 'contact me' form, a log-in form, or basically any form that lets a user post information back to your server, you need to validate it. How you do this can vary, but I always recommend using the default MVC anti-forgery token and attribute.
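As an added example (not code from the original post), here is how the anti-forgery attribute and server-side model validation recommended above fit together in a hypothetical Umbraco 7 SurfaceController for a 'contact me' form; the controller, model and field names are assumptions:

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Umbraco.Web.Mvc;

// Hypothetical form model: every field the browser posts is validated
// server side by attribute, regardless of what client-side script did.
public class ContactFormModel
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }

    [Required, StringLength(2000)]
    public string Message { get; set; }
}

// Hypothetical surface controller. The Razor form that posts here must render
// the token, e.g.:
//   @using (Html.BeginUmbracoForm<ContactSurfaceController>("Submit")) {
//       @Html.AntiForgeryToken()
//       ... inputs for Name, Email, Message ...
//   }
public class ContactSurfaceController : SurfaceController
{
    [HttpPost]
    [ValidateAntiForgeryToken] // rejects any POST whose token does not match the user's cookie (CSRF)
    public ActionResult Submit(ContactFormModel model)
    {
        if (!ModelState.IsValid)
        {
            // Re-render the current Umbraco page with the validation messages;
            // nothing from the invalid post is processed or stored.
            return CurrentUmbracoPage();
        }

        // Send the message here. The values are still untrusted text, so display
        // them only through Razor's default HTML encoding, never via Html.Raw.
        TempData["ContactSent"] = true;
        return RedirectToCurrentUmbracoPage();
    }
}
```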
Validate Any Query Strings That Your Code Reads: The second easiest way to get into a system is via query string parameters. If you have custom code that reads query string data, this is an area where people might be able to use SQL injection to get data from your database. Any page that reads any kind of query string needs to be locked down too.
Never Use Html.Raw: If you use MVC then you should aim to never use @Html.Raw. Whenever you use Html.Raw you're not encoding your output safely, which can leave you vulnerable to cross-site scripting (XSS).
Don't Write Sensitive Data Into The Logs: If you use something like Log4Net, make sure that you don't write any sensitive data into your logs. In the past, I've seen several examples where usernames and passwords have been written to the logs when something went wrong. All a hacker would need to do is get a copy of those log files and they could log in as your customers. On that matter, turn off detailed errors in your logs on release.
Don't Have Your Website Running In Debug Mode: In your web.config, set the compilation mode to release. Leaving the compilation mode set to debug allows people to trace output in a page, allows detailed error messages to be viewed remotely, creates more files in your temporary ASP.NET files folder, prevents caching and causes other sub-optimal behaviour, so don't do it.
Don't Use The Default App_data: Out of the box, Umbraco tends to write log files, Lucene indexes etc. into the App_data directory within your webroot. To make your site more secure, these files shouldn't live within your Umbraco webroot but somewhere outside it. When they live within the webroot, there is a slight chance that someone external could access your log files, for example.
Don't Use Your Default SQL 'SA' Account: When you set up SQL, create a specific user for your website and lock that SQL account down. In development it's fine to use SA, but some developers seem to carry this over into production. If your SQL server runs multiple websites or contains multiple databases and someone gets access to the 'SA' account details, they can then access all of your data.
Don't Write Inline SQL: One way to prevent SQL injection within your website is not to write SQL queries yourself but to use an ORM like Entity Framework. Using Entity Framework means you're never passing SQL strings that have been concatenated together back to the database.
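The two points above (validating query strings your code reads, and never concatenating SQL) come down to the same principle, shown here in an added example that is not from the original post. It uses a parameterised ADO.NET query rather than an ORM to make the mechanism visible; the controller and Products table are hypothetical, while umbracoDbDSN is the connection string name an Umbraco site already has in web.config:

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// Hypothetical ProductController and Products table, added for illustration.
public class ProductController : Controller
{
    // VULNERABLE ('before'): the raw query string value is concatenated into the
    // SQL text, so whatever a visitor puts in ?id= is parsed by SQL Server as
    // part of the query rather than as a value.
    private static string UnsafeQuery(string idFromQueryString)
    {
        return "SELECT Name FROM Products WHERE Id = " + idFromQueryString;
    }

    // SAFE: validate the type and range first, then pass the value as a typed
    // parameter so the database only ever sees it as data, never as SQL.
    public ActionResult Details(string id)
    {
        int productId;
        if (!int.TryParse(id, out productId) || productId <= 0)
        {
            return HttpNotFound(); // anything that is not a positive integer is rejected
        }

        string connectionString =
            ConfigurationManager.ConnectionStrings["umbracoDbDSN"].ConnectionString;
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "SELECT Name FROM Products WHERE Id = @Id", connection))
        {
            command.Parameters.Add("@Id", SqlDbType.Int).Value = productId;
            connection.Open();
            var name = command.ExecuteScalar() as string;
            if (name == null)
            {
                return HttpNotFound();
            }
            // Razor HTML-encodes this when rendered as @ViewBag.ProductName
            ViewBag.ProductName = name;
            return View();
        }
    }
}
```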
Don't Send Passwords In Plain Text: We all know two things: 1. sending passwords as plain text is stupid, and 2. email isn't secure. If a hacker gets access to a customer's email account, they can use the email search to find the password, compromise the account and gain access to the user's account on your website. If you run an e-commerce website, someone might then be able to steal credit card details or make fraudulent transactions.
Keep Umbraco Updated: Umbraco regularly releases updates and patches via their NuGet feed. In most situations, upgrading takes minutes. These updates include all the latest security patches, so making sure you keep your website regularly updated is crucial for the security and stability of your Umbraco site.
Set Directory Permissions Carefully: Wrong directory permissions can be fatal, especially if you're working in a shared hosting environment. Don't use the 'everyone' permission, and don't give it 'read' and 'write'.
Don't Have Unused Ports Open On Your Server: In your firewall, make sure that you lock down every port that isn't used. Open ports can be a hacker's entry point into your server.
Ensure You Cache Your Web Pages Correctly: Aside from security, performance is another key aspect of any project. When you start thinking about making your website performant, you will also need to think about caching. When you start caching your web pages, however, you can introduce a new security concern: accidentally caching sensitive information and showing it to other people. For example, user 1 logs into his account area on your website, your server processes the request and caches the page. User 2 then visits your website, tries to view the same page and ends up seeing the cached page with user 1's details. As I hope this shows, caching is a complex and involved subject, and the ins and outs cover more material than I can cover here; if you want to cache your pages, I would recommend starting with Umbraco Caching. On a similar note, search results pages should only index public content!
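The user 1 / user 2 scenario above is what happens when a personalised page is output-cached like a public one. As an added example (not from the original post), here are two hypothetical Umbraco 7 route-hijacking controllers showing the setting that prevents it beside a safe cache for public content; the document type and controller names are assumptions:

```csharp
using System.Web.Mvc;
using System.Web.UI;
using Umbraco.Web.Models;
using Umbraco.Web.Mvc;

// Hypothetical document type "accountPage": Umbraco routes requests for it to a
// controller named AccountPageController (route hijacking).
public class AccountPageController : RenderMvcController
{
    // WRONG: [OutputCache(Duration = 600)] here would store user 1's rendered
    // account page and serve it to user 2 for the next ten minutes.
    //
    // RIGHT: a personalised response is never stored, neither in the server
    // output cache nor in any shared cache (proxy or CDN) on the way to the browser.
    [OutputCache(Location = OutputCacheLocation.None, NoStore = true)]
    public override ActionResult Index(RenderModel model)
    {
        if (!User.Identity.IsAuthenticated)
        {
            return Redirect("/login"); // constructed path for this example
        }
        return CurrentTemplate(model);
    }
}

// Hypothetical public "newsList" page that is identical for every visitor, so
// caching it server side is safe. Vary only on the query string the page
// actually reads (here "page"), not on every parameter a visitor can invent.
public class NewsListController : RenderMvcController
{
    [OutputCache(Duration = 600, Location = OutputCacheLocation.Server, VaryByParam = "page")]
    public override ActionResult Index(RenderModel model)
    {
        return CurrentTemplate(model);
    }
}
```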
Use A Web Application Firewall (WAF): A WAF can be used to prevent DDoS attacks on your website. The firewall blocks malicious traffic before it even reaches your website. Depending on your set-up you might have an extensive in-house solution, or you can use a service like Cloudflare, which provides not only a WAF but also a CDN.