January 23, 2018 by Una Verhoeven

Sitecore Security and Strengthening Your Sitecore Platform

Looking back on 2017, headlines about data breaches and data thefts have dominated the news. Web security is at the front of every business persons mind; Sitecore has described several key points for making your platform more secure, but I want to focus on just a few. 

What

Info

Source

Strong password policy

Sitecore uses the Microsoft ASP.NET Membership Provider

https://msdn.microsoft.com/en-us/
library/
system.web.security.
membership_properties(v=vs.110).aspx

Protect connection strings

Your data connections, if possible should be encrypted.

https://doc.sitecore.net/
sitecore_experience_platform/
setting_up_and_maintaining/
security_hardening/security_considerations

Disable SQL Server access from XSLT

You should disablenxslExtension helper since you are not using XSLT renderings

https://doc.sitecore.net/
sitecore_experience_platform/
setting_up_and_maintaining/security_hardening/
configuring/disable_sql_server_access_from_xslt

Secure Telerik controls

These controls are only used on CM machines and the web.config patches should be only applied there

https://doc.sitecore.net/
sitecore_experience_platform/
setting_up_and_maintaining/
security_hardening/configuring/
secure_the_telerik_controls

PhantomJS

PhantomJS is used by Sitecore to generate screenshots. You should limit the access to this executable

https://doc.sitecore.net/
sitecore_experience_platform/
setting_up_and_maintaining/security_hardening/
configuring/phantomjs_and_security_hardening

Protect media requests

This feature restricts media URLs that contain dynamic image-scaling parameters, so that only server-generated requests can be processed.

https://doc.sitecore.net/
sitecore_experience_platform/
setting_up_and_maintaining/
security_hardening/
configuring/protect_media_request

Apart from the points above, there are several things you can do to make your site more secure.

HTTPS

Believe it or not, lots of sites nowadays are still not using HTTPS, or, even worse, they are using it partly (for example, everything behind the login is secured and the rest of the website is not). Regarding Sitecore, the best practise is to use HTTPS for both of your CD and CM machines.

1. Ensure that you have X509 certificates

2. Create the associated bindings on your Sitecore IIS instances

3. Make changes in the web.config

<system.web>
<httpcookies httponlycookies="true" requiressl="true" lockitem="true"/>
</system.web>

 

Headers

Header Name Property and Configs
Remove X-Aspnet-Version HTTP header

<system.web>

<httpRuntime enableVersionHeader ="false"/>

</system.web>

Remove X-Powered-By HTTP header

<httpProtocol>

<customHeaders>

<remove name="X-Powered-By" />

</customerHeaders>

<httpProtocol>

Remove X-ASPNetMvc-Version HTTP header

MvcHandler.DisableMvcResponseHeader = true;

<system.web>

<httpRuntime enableVersionHeader="false" />

</system.web>

Change X-Content-Type-Options nosniff
Set X-XSS-Protection to 1; mode=block
Set Referrer Policy to no-referrer-when-downgrade
Use HTTP Strict-Transport-Security response header Strict-Transport-Security

 

Content Security Policy (CSP)

CSP is an added layer of security that helps to detect and prevent certain types of attacks, like Cross Site Scripting (XSS) and data injection attacks. These attacks can be used from data theft to distribution of malware. Full documentation is available here:

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header.

Example:

Content-Security-Policy: default-src 'self' *trusted_website.com

You can also check out this great example and reading material on CSP written by Troy Hunt.

How to test

When you open a browser console, you should not be able to execute Cross Site Scripting.

Note: Safari doesn’t like CSP. Since CSP is browser based, your testing should cover more than just Chrome and Firefox. Safari, for example, treats CSP quite differently than the other two browsers. Full detailed info has been described by Scott Helme.   

What to do about all the JS links that marketers place

If you are using Sitecore already, there is not much that other frameworks can do that you don’t have already built in. The more 3rd party frameworks you add, the more you need to think about security, GDPR and overall site performance. No one likes a site which takes time to load, especially on mobile devices.

Report URI

Report URI checks the monitoring of security policies like CSP and HPKP. Note: last year, it was announced that Google will no longer support HPKP and it will be deprecated in May of 2018. You can read about that here. 

Conclusion

  • When working on a project, plan your budget to facilitate security hardening.
  • Make sure your site and data are safe - once lost, the trust of your visitors is hard to regain. 

If you have any questions, please feel free to reach out!

Keep in Touch and Stay Informed

Get updates, industry reports, white papers and more Hedgehog love.