Security checklist - deploying a website
This is a security deployment checklist – things to do before you deploy your site to a live environment.
Web.config:
| Check | Description | Details |
| --- | --- | --- |
| | Debug mode is turned off to prevent leaks of sensitive information. | |
| | The error messages of websites and application-server default error messages do not display detailed information to users. | |
| | Sensitive sections of the configuration file are encrypted (mainly the connection string). | |
| | Access to sensitive directories is forbidden to protect the servers against enumeration attacks. | |
| | Cookieless authentication is disabled to prevent session hijacking. | |
| | The HttpOnlyCookies flag is set so that the cookies are accessible only from the server-side code (this behavior is set by default). | |
IIS:
| Check | Description | Details |
| --- | --- | --- |
| | Directory listing is disabled in the website and web servers. | |
| | All HTTP methods except GET and POST are disabled if they are not in use. | |
| | Scripts and third-party libraries are up-to-date. If external libraries (e.g. for database access, XML parsing) are used, always use the current versions. | |
| | Sensitive links that should not be indexed by search engines are listed in the robots.txt file. | |
| | The execution of scripts is disabled on folders where it is undesirable. | Edit Feature Permissions for the Handler Mappings Feature (IIS 7) |
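The Web.config and IIS items above can be checked mechanically before deployment. The following script is an added example, not part of the original checklist or of Xperience: it parses a web.config and reports each item that fails, using the real ASP.NET and IIS element and attribute names (`compilation debug`, `customErrors mode`, `connectionStrings configProtectionProvider`, `forms cookieless`, `httpCookies httpOnlyCookies`, `directoryBrowse enabled`, `requestFiltering/verbs allowUnlisted`). Both configurations embedded in it are constructed samples; the connection-string password and ciphertext are placeholders, and the defaults assumed for missing elements are the ASP.NET/IIS defaults stated in the comments.

```python
"""Audit an ASP.NET web.config against the Web.config and IIS checklist items."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real site's configuration): a web.config that
# fails every Web.config and IIS item in the checklist. Password is a placeholder.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="CMSConnectionString"
         connectionString="Server=db;Database=cms;User Id=app;Password=PLACEHOLDER" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="false" />
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" cookieless="AutoDetect" />
    </authentication>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""

# Constructed hardened counterpart. connectionStrings is shown the way
# "aspnet_regiis -pe" leaves it (configProtectionProvider attribute plus an
# EncryptedData child); the ciphertext is a placeholder.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>PLACEHOLDER-CIPHERTEXT</EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" cookieless="UseCookies" requireSSL="true" />
    </authentication>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _attr(root, path, name, default):
    """Lower-cased attribute value of the element at `path`, or `default` when absent."""
    element = root.find(path)
    value = element.get(name) if element is not None else None
    return (value if value is not None else default).lower()


def audit_web_config(xml_text):
    """Return (checklist item, finding) pairs for every item the config fails.

    Defaults used when an element or attribute is missing mirror ASP.NET/IIS:
    debug off, customErrors RemoteOnly, forms cookieless UseDeviceProfile,
    httpOnlyCookies true, directory browsing off, unlisted verbs allowed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if _attr(root, "system.web/compilation", "debug", "false") == "true":
        findings.append(("debug mode", 'compilation debug="true"; set it to "false"'))
    if _attr(root, "system.web/customErrors", "mode", "remoteonly") == "off":
        findings.append(("error messages", 'customErrors mode="Off" shows stack traces; use "On" or "RemoteOnly"'))
    cs = root.find("connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        findings.append(("connection string", "connectionStrings is plain text; encrypt the section (aspnet_regiis -pe)"))
    if _attr(root, "system.web/authentication/forms", "cookieless", "usedeviceprofile") != "usecookies":
        findings.append(("cookieless auth", 'forms cookieless is not "UseCookies"; session ids may travel in URLs'))
    if _attr(root, "system.web/httpCookies", "httpOnlyCookies", "true") == "false":
        findings.append(("httpOnlyCookies", 'httpCookies httpOnlyCookies="false" exposes cookies to client-side script'))
    if _attr(root, "system.webServer/directoryBrowse", "enabled", "false") == "true":
        findings.append(("directory listing", 'directoryBrowse enabled="true"'))
    if _attr(root, "system.webServer/security/requestFiltering/verbs", "allowUnlisted", "true") != "false":
        findings.append(("HTTP methods", 'request filtering allows unlisted verbs; set allowUnlisted="false" and list GET/POST'))
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        results = audit_web_config(config)
        print(f"{label}: {len(results)} finding(s)")
        for item, finding in results:
            print(f"  [{item}] {finding}")
```

Run it against a real web.config by reading the file into `audit_web_config`; an empty list means the seven automatable items pass. The access-to-sensitive-directories, script-handler and robots.txt items are site-specific and are not covered here.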
Xperience:
| Check | Description | Details |
| --- | --- | --- |
| | All test user accounts are deleted or disabled. | |
| | All unnecessary features and applications are disabled. | Disabling unnecessary services and keeping the system up-to-date |
| | All unnecessary pages are deleted. | |
| | File types that can be uploaded to the system are restricted. You can specify which extensions are allowed for uploaded files in general, including form uploads, in Settings -> System -> Files in the Security category. | |
| | UI personalization for specified roles is set correctly to prevent users from accessing unnecessary parts of the interface. You can configure UI personalization in the UI personalization application. | |
| | Permissions for specified actions in Xperience modules are set correctly for all roles. You can configure permissions in the Permissions application. | |
| | Users are allowed to use only strong and complex passwords. You can enable the Use password policy setting in Settings -> Security & Membership -> Passwords. | |
| | Passwords are stored in a strong and secure format. The recommended option is PBKDF2. You can set the password format in Settings -> Security & Membership -> Passwords -> Password format. | |
| | The number of allowed invalid sign-in attempts is limited. You can set the limit for the administration interface in Settings -> Security & Membership -> Protection in the Invalid sign-in attempts category. | |
| | You have considered whether the autocomplete function is needed for sign-in forms. Autocomplete can be enabled for the administration interface in Settings -> Security & Membership -> Protection in the General category. | |
| | Forms are secured with CAPTCHA (spam protection control). | |
| | Encrypted connection (HTTPS) is configured properly. | |
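The password-format item recommends PBKDF2. The example below is added here to show what that format buys over a plain hash; it is not Xperience's implementation, and its parameters (PBKDF2-HMAC-SHA256, a 16-byte random salt, a 32-byte derived key, 600,000 iterations, and the `algorithm$iterations$salt$key` record layout) are assumptions chosen for illustration.

```python
"""Salted, iterated PBKDF2 password records versus a plain hash (illustrative)."""
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example, not Xperience's own values.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived-key.

    Keeping the iteration count and salt inside the record lets verification
    recompute exactly the same derivation, and lets the cost be raised for new
    passwords later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the derivation from the stored parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def plain_sha256(password):
    """Unsalted single-round hash, shown only as the contrast: equal passwords
    give equal values, so one precomputed table breaks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("two users, same password, PBKDF2 records differ:",
          hash_password("same", iterations=1000) != hash_password("same", iterations=1000))
    print("plain SHA-256 records collide:", plain_sha256("same") == plain_sha256("same"))
```

The per-user salt is what makes two users with the same password produce different records, and the iteration count is what makes each guess expensive for an attacker who obtains the database; `hmac.compare_digest` avoids leaking the comparison result through timing.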