Securing your Umbraco site the right way

Published: June 08, 2017 (7 min read)

Securing your Umbraco site the right way

- Sebastiaan Janssen

Similar to Raabye's presentation, Sebastiaan's goal, as he stated bluntly, was to scare us all into doing more to protect our Umbraco sites from being hacked. One of the key phrases that really stuck with me was:

"On the internet, attack is easier than defense. The attacker just has to find one vulnerability - one unsecured avenue for attack - and gets to choose how and when to attack. It's simply not a fair battle." - Bruce Schneier

An important thing to note is the Umbraco consults with OWASP (Open Web Application Security Project) and does regular security audits to ensure they are following the best practices to keep the CMS secured. In addition to the 'out of the box' security protections, there are several additional ways to ensure you are doing the most to protect your sites. Staying on top of Umbraco patches and utilizing SSL Certificates are two of the most simple ways to stay on top of things. Umbraco has also updated the password requirements for users to 10 minimum characters and has updated the password hashing by default. Some of the even bigger takeaways from this particular talk were some of the websites and software that you can use to stay proactive in maintaining best practices with security. SSL Labs has automated tests that will run your server, browser, and website through a gambit of tests and give you feedback on how to improve. My new favorite website is This site allows you to check your email address against data breaches from a plethora of websites so you can find out if you've been compromised anywhere. HTTP Strict Transport Security (HSTS) is another great mechanism to help combat protocol downgrade attacks as well as cookie hijacking, allowing servers to declare that browsers should ONLY interact with a website using a secure HTTPS connection. If you're really looking at going deep into the protection of your website, you can check out  Content Security Policies (CSP) which help prevent cross-site scripting, clickjacking and other injection based attacks. And last, but not least, for those die-hard security fans out there: HTTP Public Key Pinning (HPKP). This however, can also be incredibly intimidating as you can brick your site for 2 years (or until everyone that has ever visited your website, re-installs their browser...). The pros of this security feature are that it tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of Man in the Middle attacks with fake certificates.