
Security Features

More eyes on the code 

Security is key in any web application today, and Umbraco takes great pride in being as secure as possible. Being built on the ASP.NET Core framework is a great start: it brings a host of security features out of the box, and being open about how these are used in Umbraco lets developers understand exactly what they are working with. Should any concern or suspicion arise, it can be investigated immediately. We take every security issue raised seriously and address it as quickly as possible, while being careful not to reveal information that could harm anyone running Umbraco.

By making the source code available, we also make it easy for anyone to audit Umbraco, and we are happy to see external security companies, partners and end clients share the results of their audits.

We firmly believe that being open-source is much more secure than closed source. 

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Password security 

Creating, updating and managing passwords is core functionality, and with Umbraco you get secure password handling and login from the get-go.

On top of that, you can configure your own password rules for editors to raise the bar for your installation. Do you want to force passwords to be 32 characters? Require digits, mixed case and special characters? Go right ahead. Rules beyond the built-in options, such as a minimum number of special characters or a list of banned passwords, can be added with a custom ASP.NET Core Identity password validator.

Both backoffice users and frontend logins (Members) are implemented on top of ASP.NET Core Identity, which provides a long list of security features and easy integration with third-party authentication systems and tools. So if you are looking to add two-factor authentication, use OAuth, or integrate with directories such as Active Directory or Office 365, this is all available. 


Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Inactivity triggered log-out 

Having sensible security defaults is a good starting point. In Umbraco CMS you are automatically logged out of the backoffice after 20 minutes of inactivity. You might have security policies that dictate otherwise, or simply think it should work differently, and you can of course configure this to your liking (and to your compliance requirements). 

The same goes for a long list of other user security settings that can be configured at a granular level, such as whether usernames must be email addresses or can be screen names, whether password reset is allowed, account lockout after repeated failed logins, and much more.
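The password rules described under "Password security" and the inactivity timeout and user settings described in this section all live in the same appsettings.json section. The fragment below is an added example, not taken from the page or from Umbraco's own documentation, and assumes Umbraco 9 or later; the hardened values are this example's own choices, with the shipped defaults noted in comments (the .NET JSON configuration provider accepts `//` comments in appsettings files).

```json
{
  "Umbraco": {
    "CMS": {
      "Global": {
        // Backoffice inactivity timeout. Default is 20 minutes ("00:20:00"); tightened here.
        "TimeOut": "00:15:00"
      },
      "Security": {
        // Do not issue persistent "remember me" backoffice cookies.
        "KeepUserLoggedIn": false,
        // Usernames must be email addresses (set false to allow screen names).
        "UsernameIsEmail": true,
        // Self-service password reset via email; set false if logins are federated.
        "AllowPasswordReset": true,
        // How long an account stays locked after too many failed attempts.
        "UserDefaultLockoutTimeInMinutes": 30,
        "MemberDefaultLockoutTimeInMinutes": 30,
        "UserPassword": {
          "RequiredLength": 14,               // default 10
          "RequireNonLetterOrDigit": true,    // default false
          "RequireDigit": true,               // default false
          "RequireLowercase": true,           // default false
          "RequireUppercase": true,           // default false
          "MaxFailedAccessAttemptsBeforeLockout": 5,   // default 5; 0 disables lockout
          "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3"  // default; leave as-is
        },
        "MemberPassword": {
          "RequiredLength": 12,
          "RequireNonLetterOrDigit": true,
          "RequireDigit": true,
          "RequireLowercase": true,
          "RequireUppercase": true,
          "MaxFailedAccessAttemptsBeforeLockout": 5,
          "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3"
        }
      }
    }
  }
}
```

Two caveats a practitioner should keep in mind: raising `RequiredLength` or the character-class rules only applies to passwords set or changed from that point on, existing passwords are not re-validated; and the lockout pair (`MaxFailedAccessAttemptsBeforeLockout` plus the lockout time) is what bounds online guessing, so setting the attempt count to 0 removes that protection even if the password rules are strict.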

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Security Health Check 

The Umbraco Security Health Check is there for admins and developers to ensure basic security standards are met. It checks a number of well-known vectors, including click-jacking protection (X-Frame-Options), content-sniffing protection (X-Content-Type-Options), cross-site scripting protection headers, excessive headers that disclose server details, and whether HTTPS and Strict-Transport-Security are properly configured for the environment 🔒

You can add your own custom Security Health Checks to the Security Health Check suite of your Umbraco installation. It is also possible to run the Health Checks on a schedule and send reports/notifications via email, to Slack channels and the like.
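The following is an added example of a custom check, written for this page rather than taken from Umbraco itself. It subclasses Umbraco's `HealthCheck` base class and reads the configured password rules and backoffice timeout through the options pattern, so the dashboard reports when the deployed configuration drifts from policy. It assumes the Umbraco 9-13 health-check API (`HealthCheck`, `HealthCheckStatus`, `StatusResultType`, `SecuritySettings`, `GlobalSettings`); the GUID, display name, namespace and policy thresholds are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.HealthChecks;

namespace MySite.HealthChecks;

// Example check (not part of Umbraco). Umbraco discovers HealthCheck subclasses
// automatically; the attribute's GUID just needs to be unique per check.
[HealthCheck(
    "7d7c1c8e-3b7b-4f0d-9a02-5e1b1f4d2a61",
    "Password policy and inactivity timeout",
    Description = "Checks that configured password rules, lockout and backoffice timeout meet the site's policy.",
    Group = "Security")]
public class PasswordPolicyCheck : HealthCheck
{
    // Policy thresholds chosen for this example; adjust to your own standard.
    private const int MinRequiredLength = 12;
    private const int MaxFailedAttempts = 10;
    private static readonly TimeSpan MaxInactivity = TimeSpan.FromMinutes(30);

    private readonly IOptionsMonitor<SecuritySettings> _security;
    private readonly IOptionsMonitor<GlobalSettings> _global;

    public PasswordPolicyCheck(
        IOptionsMonitor<SecuritySettings> security,
        IOptionsMonitor<GlobalSettings> global)
    {
        _security = security;
        _global = global;
    }

    public override Task<IEnumerable<HealthCheckStatus>> GetStatus()
    {
        SecuritySettings security = _security.CurrentValue;
        var results = new List<HealthCheckStatus>
        {
            CheckPasswordRules("Backoffice user", security.UserPassword),
            CheckPasswordRules("Member", security.MemberPassword),
            CheckTimeout(_global.CurrentValue.TimeOut),
        };
        return Task.FromResult<IEnumerable<HealthCheckStatus>>(results);
    }

    private static HealthCheckStatus CheckPasswordRules(string who, PasswordConfigurationSettings rules)
    {
        var problems = new List<string>();

        if (rules.RequiredLength < MinRequiredLength)
            problems.Add($"RequiredLength is {rules.RequiredLength}, policy requires at least {MinRequiredLength}");
        if (!rules.RequireNonLetterOrDigit)
            problems.Add("RequireNonLetterOrDigit is false");
        if (!rules.RequireDigit || !rules.RequireLowercase || !rules.RequireUppercase)
            problems.Add("not all of RequireDigit, RequireLowercase and RequireUppercase are enabled");
        // Lockout is what bounds online guessing; 0 disables it entirely.
        if (rules.MaxFailedAccessAttemptsBeforeLockout <= 0 || rules.MaxFailedAccessAttemptsBeforeLockout > MaxFailedAttempts)
            problems.Add($"MaxFailedAccessAttemptsBeforeLockout is {rules.MaxFailedAccessAttemptsBeforeLockout}, policy requires 1..{MaxFailedAttempts}");

        return problems.Count == 0
            ? new HealthCheckStatus($"{who} password rules meet the policy.") { ResultType = StatusResultType.Success }
            : new HealthCheckStatus($"{who} password rules: {string.Join("; ", problems)}.") { ResultType = StatusResultType.Error };
    }

    private static HealthCheckStatus CheckTimeout(TimeSpan timeout)
    {
        // Umbraco:CMS:Global:TimeOut, the backoffice inactivity timeout (20 minutes by default).
        return timeout <= MaxInactivity
            ? new HealthCheckStatus($"Backoffice inactivity timeout is {timeout}.") { ResultType = StatusResultType.Success }
            : new HealthCheckStatus($"Backoffice inactivity timeout is {timeout}, policy allows at most {MaxInactivity}.") { ResultType = StatusResultType.Warning };
    }

    // These settings live in appsettings.json, not the database, so the check offers no
    // one-click fix from the dashboard; it only reports.
    public override HealthCheckStatus ExecuteAction(HealthCheckAction action)
        => throw new InvalidOperationException($"{nameof(PasswordPolicyCheck)} has no actions to execute.");
}
```

Because the check only reads configuration it is safe to run on the schedule mentioned above; a failing status in the emailed report then points at a concrete appsettings key rather than a vague "weak password policy" finding.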

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Support for HTTPS 

Umbraco provides full support for HTTPS, complete with the ability to configure multiple hostnames, each served with its own certificate, for multilingual and multi-tenant installations. 

Our SaaS platform, Umbraco Cloud, offers free HTTPS certificates for all sites hosted there including full coverage for custom hostnames and automatic renewal of certificates. You never have to worry about your certificates expiring again. 

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

OAuth and custom OAuth 

Umbraco supports OAuth and makes it easy to implement through ASP.NET Core Identity, both for backoffice users and for frontend (Member) authentication. There is a wide range of OAuth providers with APIs and packages ready for .NET applications such as Umbraco.
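As an added example of the backoffice side of this (written for this page, not taken from Umbraco's own code), the composer below registers Microsoft account sign-in for editors using the standard ASP.NET Core authentication handler, auto-links new external logins to the Editor group and disables local username/password login so the identity provider's controls (including its MFA) are the only way in. It assumes the Umbraco 9-13 external-login API (`AddBackOfficeExternalLogins`, `AddBackOfficeLogin`, `SchemeForBackOffice`, `BackOfficeExternalLoginProviderOptions`, `ExternalSignInAutoLinkOptions`) and the `Microsoft.AspNetCore.Authentication.MicrosoftAccount` package; the configuration keys, callback path and namespace are this example's own choices.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Extensions;

namespace MySite.Security;

// Example composer (not part of Umbraco); Umbraco runs IComposer implementations at startup.
public class MicrosoftBackOfficeLoginComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // Example config keys; store the values in user-secrets or environment variables, never in source.
        string clientId = builder.Config["MicrosoftBackOfficeLogin:ClientId"]
            ?? throw new InvalidOperationException("MicrosoftBackOfficeLogin:ClientId is not configured.");
        string clientSecret = builder.Config["MicrosoftBackOfficeLogin:ClientSecret"]
            ?? throw new InvalidOperationException("MicrosoftBackOfficeLogin:ClientSecret is not configured.");

        builder.AddBackOfficeExternalLogins(logins =>
        {
            logins.AddBackOfficeLogin(
                backOfficeAuthenticationBuilder =>
                {
                    // The scheme is prefixed so it applies to the backoffice only, not to Members.
                    backOfficeAuthenticationBuilder.AddMicrosoftAccount(
                        backOfficeAuthenticationBuilder.SchemeForBackOffice(MicrosoftAccountDefaults.AuthenticationScheme)!,
                        options =>
                        {
                            options.ClientId = clientId;
                            options.ClientSecret = clientSecret;
                            // Must match the redirect URI registered with the identity provider.
                            options.CallbackPath = "/umbraco-microsoft-signin";
                        });
                },
                loginProviderOptions =>
                {
                    // First sign-in from the provider creates the Umbraco user as an Editor;
                    // linking an existing local account to an external one by hand is not allowed.
                    loginProviderOptions.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
                        autoLinkExternalAccount: true,
                        defaultUserGroups: new[] { Constants.Security.EditorGroupAlias },
                        defaultCulture: null,
                        allowManualLinking: false);

                    // Remove the local password form entirely so the provider's policy is the only login path.
                    loginProviderOptions.DenyLocalLogin = true;
                    // Keep the login page (with the provider button) rather than redirecting straight out,
                    // so an admin can still see what is happening during rollout.
                    loginProviderOptions.AutoRedirectLoginToExternalProvider = false;
                });
        });
    }
}
```

Two points worth checking before switching `DenyLocalLogin` on: that at least one user in the Administrators group has already signed in through the provider (otherwise nobody can reach User management), and that the auto-link group is the least-privileged one your editors need, since every account the identity provider accepts will be created in it.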

All our SaaS offerings on Umbraco Cloud are protected via OAuth using Umbraco ID, making it easier to keep all your Umbraco projects safe. Umbraco ID also makes working on your project a breeze thanks to single sign-on (SSO), whether you are working on a server or in a local environment.

Feature available in: 

✔️  CMS: Custom/Plugin/3rd party 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Two-factor authentication (2FA) 

We all know how important security is on the web, and 2FA is one of the most effective ways of adding an extra layer of security to your site. You can enable 2FA both for the Umbraco backoffice and for website visitors (if they have login capabilities).

Feature available in: 

✔️  CMS: Custom/Plugin/3rd party 

✔️  Cloud: Custom/Plugin/3rd party 

✔️  Heartcore: Custom/Plugin/3rd party 

✔️  Uno: Custom/Plugin/3rd party 

Single sign-on (SSO) 

All our SaaS offerings on Umbraco Cloud use single sign-on with Umbraco ID, making it easier to keep all your Umbraco projects safe and making working with them a breeze, whether you are working on a server or in a local environment.

Feature available in: 

✔️  CMS: Custom/Plugin/3rd party 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Regular penetration testing 

We conduct 3rd party penetration tests. Apart from doing regular internal testing, every 6 months we have an external security company doing thorough penetration testing of Umbraco CMS and our SaaS offerings to detect possible vulnerabilities. Based on the results of these tests we are able to perform any necessary actions.

If any critical issues are found, we follow our internal procedure (see next).

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Handling security breaches 

Besides running our internal tests and 3rd party penetration tests to identify issues, we've made it easy for users to report a vulnerability in Umbraco.

Once a vulnerability has been identified and it's verified to be a part of the core CMS code, our team will determine the severity level of the issue and escalate it accordingly.

Our procedure depends on severity level, but goes through the same main steps:

  1. Decide what to tell our users about the issue, and how, without making it obvious how to exploit it (to avoid exploitation in the wild)
  2. Involve the relevant teams at Umbraco HQ to fix the issue
  3. Communicate to our users that a new security patch is coming, so they're ready to upgrade when it's released
  4. Release the patch and communicate to all of our users that the patch is released

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Customizable user roles 

Umbraco scales from a single editor to large content teams. And thanks to its advanced yet intuitive user management features, it’s never been simpler to invite new team members and control what they can do in the system. You decide who should have publishing rights as well as who should be given editing access to certain parts of the content.

And to make it even simpler for you, it can all be managed through groups of users, making maintenance as simple as possible and saving you from spending time on setting up individual permissions every time you get a new team member.

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✅  Uno: Out-of-the-box 

Member management 

Members are used for registering and authenticating external users of an Umbraco installation (forum members, intranet users, and so forth).

The purpose of members is to let the visitors of your site set up a personal account on the front end. In the backoffice you can sort these members into member groups, and decide which member groups have access to which parts of the front end.

With this you can build anything from a forum or an intranet to content in Umbraco that stays hidden until a member logs in. All of this can be mixed and matched with Umbraco's other security features such as OAuth, two-factor authentication, and so forth.
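Restricting content pages to member groups is done in the backoffice ("Public access" on a node) without any code. Where code is needed is for custom endpoints that serve member-only data. The controller below is an added example for this page, not Umbraco's own code; it shows the same group check made two ways: declaratively with `UmbracoMemberAuthorize`, and imperatively through `IMemberManager` when the decision depends on request data. It assumes Umbraco 9-13 (`UmbracoApiController`, `UmbracoMemberAuthorizeAttribute`, `IMemberManager`); the group names, route and namespace are this example's own choices.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Web.Common.Controllers;
using Umbraco.Cms.Web.Common.Filters;

namespace MySite.Controllers;

// Example controller (not part of Umbraco). UmbracoApiController routes by convention
// to /umbraco/api/intranetapi/{action}.
public class IntranetApiController : UmbracoApiController
{
    // Example group names; they must exist as Member Groups in the backoffice.
    private const string IntranetGroup = "Intranet";
    private const string StaffGroup = "Staff";

    private readonly IMemberManager _memberManager;

    public IntranetApiController(IMemberManager memberManager)
        => _memberManager = memberManager;

    // Declarative: the filter rejects anonymous callers and members outside the listed
    // groups before the action body runs. AllowGroup is a comma-separated list.
    [UmbracoMemberAuthorize(AllowGroup = IntranetGroup + "," + StaffGroup)]
    public IActionResult GetAnnouncements()
        => Ok(new[] { "Office closed Friday", "New expense policy published" });

    // Imperative: the same check in code, useful when the required group depends on
    // the request (here: a department the member asks for).
    public async Task<IActionResult> GetDepartmentContacts(string department)
    {
        MemberIdentityUser? member = await _memberManager.GetCurrentMemberAsync();
        if (member is null)
        {
            return Unauthorized();   // not logged in at all
        }

        // Department name doubles as the member group that may see its contacts.
        // Example rule for this controller; validate the department against a known list first.
        string[] allowed = { "Finance", "Engineering" };
        if (System.Array.IndexOf(allowed, department) < 0)
        {
            return NotFound();
        }

        bool authorized = await _memberManager.IsMemberAuthorizedAsync(allowGroups: new[] { department });
        if (!authorized)
        {
            return Forbid();         // logged in, but not in that group
        }

        return Ok(new { department, requestedBy = member.UserName });
    }
}
```

The declarative form is the right default: it fails closed if someone later adds an action and forgets the check only when the attribute is applied at class level, so for a controller that is entirely member-only put `[UmbracoMemberAuthorize(...)]` on the class rather than on each action. The imperative form is for the cases the attribute cannot express, and it must return `Forbid()` for authenticated-but-unauthorized callers rather than `Unauthorized()`, so the client is not sent back to the login page in a loop.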

Feature available in: 

✅  CMS: Out-of-the-box 

✅  Cloud: Out-of-the-box 

✅  Heartcore: Out-of-the-box 

✔️  Uno: Custom/Plugin/3rd party 
