In today’s world, a continuous focus on security is essential. No doubt. That’s why following best practice and performing regular testing is all part of our security operations, ensuring that you can use our products and services with peace of mind.
Security and Open Source
The Umbraco CMS is Open Source which means that the core code is open and accessible to everyone. This, however, does not mean that everyone is able to alter the code. We, Umbraco HQ, ensures that the core of the CMS, Umbraco Cloud, Forms and Courier, stays as bullet-proof as possible - and if a vulnerability is discovered, we make sure to fix the vulnerability automatically (Umbraco Cloud) and provide information about manual fixes in a timely and secure manner.
3rd party penetration tests
Apart from doing regular internal testing, every 6th month we have an external security company doing thorough penetration testing of Umbraco to detect possible vulnerabilities. Based on the results of these tests we are able to perform any necessary actions.
How to report a vulnerability
If you through your internal use and testing of Umbraco come across a vulnerability, we’d, of course, like to hear about it. In order to take care of the vulnerability in the most responsible manner, we ask you to follow the guidelines for how to report a vulnerability.
Security in Umbraco Cloud
As part of the Umbraco Cloud offering, we've added extra security-related features to your project set-up. Features that, for example, automatically make sure your sites are always running the latest, most secure version of Umbraco.
Security tips for you
We have structured ways of testing and keeping the Umbraco foundation secure. Due to the open-source nature of Umbraco, there are also ways for you to ensure that your project is set up in the best way possible security-wise. That’s why we have gathered a number of tips for you on this right here:
Umbraco Security Features
- Automated Security updates (Umbraco Cloud) ✔️
- Automated HTTPS certificate (Umbraco Cloud) ✔️
- Hashed passwords ✔️
- Support for HTTPS ✔️
- Support for OAuth login system ✔️
- Possible to set-up password rules ✔️
- Possible to implement two-factor authentication ✔️
- Default log-out of backoffice due to inactivity ✔️
- Built-in security Heath-check ✔️