Security guidelines
Ensuring the security of both Xperience by Kentico and your projects is crucial for protecting sensitive data, maintaining user trust, and mitigating cyber threats. To uphold high security standards, Kentico is ISO27001 certified and follows the Secure Development Lifecycle (SDL) framework. To help secure your Xperience projects, the product includes a range of built-in security features, including user authentication, role-based access control (RBAC), built-in protection against common vulnerabilities like cross-site scripting (XSS) and SQL injection, and more.
On this page, you can find more information about how we approach security at Kentico and an overview of security features implemented in Xperience.
Secure Development Lifecycle
To meet the high security standards placed on Xperience and minimize vulnerabilities in released features, Kentico integrates security through the Secure Development Lifecycle (SDL) framework. The framework embeds security into every development phase, so that features can be delivered on schedule without compromising on security.
Our engineers receive comprehensive security training, both theoretical and practical, tailored to our industry, solution stack, and the latest security trends. During feature development, designs are validated against industry best practices like OWASP and NIST. Development teams proactively identify potential threats, which are evaluated and addressed in the final implementation of the features. Kentico also enforces internal security baselines and conducts regular security code reviews and scans, both manual and automated. To further strengthen the security of Xperience, the product undergoes external penetration testing.
By integrating security at every stage of development, we make sure that each release of Xperience by Kentico ships with as few security issues as possible.
Vulnerability management and patching
Bug fixing
In real-world development, creating complex software that is completely bug-free is virtually impossible. Though we pay close attention to quality assurance during development, we recognize that some bugs may still make it into the product. That’s why, besides developing new features, we dedicate substantial time to fixing discovered defects and vulnerabilities, and regularly release hotfix updates. You can find all the fixed issues in the product changelog.
Using any supported release of Xperience gives you full access to Kentico Support and Consulting services, but security fixes are incorporated only into the latest release of Xperience by Kentico. Older releases may therefore contain bugs and vulnerabilities that have already been fixed in the latest release. For this reason, only projects running the latest release are protected against all vulnerabilities that Kentico has fixed; treat updating to the latest release as part of your patching process.
Bug bounty program
While our internal security team works hard to identify and mitigate vulnerabilities before they reach the product, we recognize the value of external expertise. That’s why we invite all skilled security researchers and penetration testers to participate in our private bug bounty program.
Security advisories
Security advisories provide detailed information about security vulnerabilities affecting Xperience by Kentico, including the CVSS score and the range of affected product releases. To receive the latest security updates as soon as they are released, subscribe to our Security updates RSS feed.
Live site registration and authentication
When developing your project, it’s up to you to set up and configure how your visitors register and sign in to the system. For more detailed information, see the Registration and authentication section of the documentation.
Xperience administration registration and authentication
Authentication
Authentication for the Xperience admin UI needs to be configured separately, as it’s not shared with live site authentication.
You can integrate an external identity provider such as Microsoft Entra ID, Auth0, Okta, Duo, or any other platform that supports OpenID Connect (OIDC, the authentication layer built on OAuth 2.0) to provide a single sign-on (SSO) experience for your users.
Alternatively, you can make use of the built-in authentication, which you can further customize to reflect your company’s security policy. For example, you can specify requirements on passwords, provide a list of forbidden passwords, configure account lockout options, or set up rate limiting for user management endpoints.
If your project requires it, you can also offer both the built-in and external authentication options to your users.
User management
To learn more about user-related security features used for both built-in and mixed authentication, see:
- User passwords – information on password policy used in Xperience by Kentico, password storage format and the options for changing and resetting passwords.
- Multi-factor authentication – information on how multi-factor authentication (MFA) is handled in Xperience.
- Account lockout – information on how account lockout works by default in Xperience.
Roles and permissions
Xperience by Kentico utilizes role-based access control (RBAC) to manage user actions within the system. By default, a user has no permissions until they are assigned one or more roles.
Two types of permissions are applied within the system: application permissions and data permissions.
Permissions
Application permissions
Application permissions control which roles have access to specific UI applications in Xperience and the actions they are allowed to perform inside them. This commonly includes creating, updating or deleting objects in the corresponding application.
Data permissions
Data permissions control which roles have access to specific sets of data within specific applications and how users can operate with it.
- Page permissions manage access and allowed actions in website channels, specific content tree sections, and individual pages and folders via an access-control list (ACL).
- Workspaces segregate content into distinct, manageable units and allow you to configure which roles have specific application permissions within different workspaces.
Custom permissions
If required by your security policy, you can define custom application permissions for both custom and system UI applications when extending the administration interface.
Common system roles
By default, Xperience provides an Administrator role with full permissions across all features and applications in the product. Initially, the administrator account created during the installation process is the only user with this role.
To limit the damage a compromised or misused account can do, we strongly recommend following the principle of least privilege and defining additional roles with restricted privileges. While your role structure should align with your project’s security requirements, we suggest splitting the privileges into the following semantic roles:
- Administrator – the default system role with full privileges. This role should be assigned only to top-level system administrators.
- User manager – has permissions for the Users and Role management applications. Users in this role should be able to invite and manage users and grant limited permissions to other roles. Because this role decides what other roles may do and who holds them, it is a privileged role in its own right; assign it to a small number of trusted accounts.
- Channel manager – manages a specified channel application. Users in the role act as channel owners – they can configure the channel, manage all its content, and in some cases, manage what other users can do within the channel application (e.g., by configuring page permissions in a website channel).
- Content editor – has access only to content assigned by their manager (e.g., specific pages in a website channel or content items in a specific workspace).
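As an added illustration (this is not Xperience by Kentico code, and every class, method, user, application and action name in it is constructed for the example), the following Python models the permission layers described above: deny by default for users without a role, application permissions per role, page permissions as an ACL inherited down a content tree, and the four semantic roles from the list. It assumes that acting on a page also requires access to the channel application, and that page grants accumulate down the tree; the real product's APIs and action names differ.

```python
"""Model of the permission layers described above: deny by default,
application permissions per role, page permissions (an ACL inherited
down the content tree) and the four suggested semantic roles.

Added illustration only, not Xperience by Kentico code. Every class,
method, user, application and action name here is constructed for the
example; the real product's APIs and action names differ.
"""
from dataclasses import dataclass, field
from typing import Iterator

ALL = "*"  # wildcard standing in for the built-in Administrator's full privileges


def _ancestors(path: str) -> Iterator[str]:
    """Yield a page path, then each of its parents, ending with the root "/"."""
    parts = [p for p in path.strip("/").split("/") if p]
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])
    yield "/"


@dataclass
class Rbac:
    # Application permissions: role -> application -> actions allowed in it.
    app_perms: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    # Page permissions: page path -> role -> actions allowed on that page.
    # Assumption of this model: a grant applies to the whole subtree below the
    # page, and grants made lower in the tree add to what is inherited.
    page_acls: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant_app(self, role: str, app: str, *actions: str) -> None:
        self.app_perms.setdefault(role, {}).setdefault(app, set()).update(actions)

    def grant_page(self, role: str, path: str, *actions: str) -> None:
        self.page_acls.setdefault(path, {}).setdefault(role, set()).update(actions)

    def assign(self, user: str, *roles: str) -> None:
        self.user_roles.setdefault(user, set()).update(roles)

    def can_use_app(self, user: str, app: str, action: str) -> bool:
        """Application permission check. A user with no roles is allowed nothing."""
        for role in self.user_roles.get(user, ()):
            apps = self.app_perms.get(role, {})
            if ALL in apps or action in apps.get(app, ()):
                return True
        return False

    def _effective_acl(self, path: str) -> dict[str, set[str]]:
        """Union of the ACL entries on the page and on all of its ancestors."""
        merged: dict[str, set[str]] = {}
        for p in _ancestors(path):
            for role, actions in self.page_acls.get(p, {}).items():
                merged.setdefault(role, set()).update(actions)
        return merged

    def can_act_on_page(self, user: str, channel_app: str, path: str, action: str) -> bool:
        """Data permission check: the user must be able to open the channel
        application at all ("View" is a constructed action name) and then hold
        the action on the page itself or on one of its ancestors."""
        if not self.can_use_app(user, channel_app, "View"):
            return False
        acl = self._effective_acl(path)
        for role in self.user_roles.get(user, ()):
            if ALL in self.app_perms.get(role, {}):
                return True  # Administrator is not restricted by page ACLs
            if action in acl.get(role, ()):
                return True
        return False


def build_suggested_roles() -> Rbac:
    """Wire up the four semantic roles from the list above with constructed users."""
    rbac = Rbac()
    rbac.grant_app("Administrator", ALL)
    rbac.grant_app("User manager", "Users", "View", "Create", "Update", "Delete")
    rbac.grant_app("User manager", "Role management", "View", "Update")
    rbac.grant_app("Channel manager", "Website channel", "View", "Configure")
    rbac.grant_page("Channel manager", "/", "Create", "Update", "Delete", "Publish")
    rbac.grant_app("Content editor", "Website channel", "View")  # may open the channel...
    rbac.grant_page("Content editor", "/Articles", "Update")  # ...but edits only this section
    rbac.assign("administrator", "Administrator")
    rbac.assign("hr", "User manager")
    rbac.assign("owner", "Channel manager")
    rbac.assign("editor", "Content editor")
    rbac.user_roles["newcomer"] = set()  # invited, no role assigned yet: can do nothing
    return rbac


if __name__ == "__main__":
    r = build_suggested_roles()
    for user, path, action in [("editor", "/Articles/2024/brewing", "Update"),
                               ("editor", "/Home", "Update"),
                               ("owner", "/Home", "Delete"),
                               ("newcomer", "/Home", "Update")]:
        print(f"{user:>8} {action} {path}: {r.can_act_on_page(user, 'Website channel', path, action)}")
```

The point of the model is the two checks a request has to pass: first the application permission (can this user open the channel at all), then the page ACL resolved up the tree, with only the Administrator wildcard bypassing the ACL. The content editor inherits Update on everything under /Articles but nothing on /Home, the user manager cannot touch pages at all, and a freshly invited user with no role is denied everywhere.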
SaaS security
With Kentico’s SaaS offering, server configuration, backups, and infrastructure security, including CDN and WAF, are fully handled by Kentico. To learn more about our SaaS security, see the SaaS overview page. For details on deploying an application to the SaaS environment, see Deploy to the SaaS environment.