Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward. Go to latest documentation

Skip to end of metadata
Go to start of metadata

This is a security deployment checklist – things to do before you deploy your site to a live environment.


 The debug mode is turned off to prevent sensitive information leakage.Web.config file settings
 Tracing is disabled to prevent sensitive information leakage.Web.config file settings
 The error messages of web applications and application-server default error messages are not displayed in details to users.Designing secure error messages

Sensitive sections of the web.config file are encrypted (mainly the connection string).

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
 Access to sensitive directories is forbidden to protect the servers against the enumeration attack.Enumeration
 Cookieless authentication is disabled to prevent session hijacking. This can be done by changing the cookieless attribute of the form element.Session protection
 The HttpOnlyCookies flag is set so that the cookies are accessible only from the server-side code (this behavior is set by default in KenticoCMS).Web.config file settings


 Directory listing is disabled in the application and web servers.

Export/import package security


All HTTP methods except GET and POST are disabled if they are not in use.

Securing the Staging and REST web services 
 Scripts and 3rd party libraries are up-to-date. If external libraries (e.g. for database access, XML parsing) are used, always use the current versions. 
 Sensitive links which should not be indexed by search engines are listed within robots.txt files. Managing robots.txt
 The execution of scripts is disabled on folders where it is undesirable.Edit Feature Permissions for the Handler Mappings Feature (IIS 7)

Kentico CMS:

 All test user accounts are deleted or disabled. 
 All unnecessary modules are disabled.Disabling unnecessary modules and services and keeping the system up-to-date
 All unnecessary pages are deleted. 
 File types that can be uploaded to the system are restricted. You can specify which extensions are allowed for uploaded files in general, including forms in Site Manager -> Settings -> System -> Files in the Security group. 
 UI personalization for specified roles is set correctly to prevent users from accessing unnecessary user interface. You can configure UI personalization in Site Manager -> Administration -> UI personalization. UI personalization
 Permissions for specified actions in Kentico CMS modules are set correctly for all roles. You can configure permissions in Site Manager -> Administration -> Permissions.Configuring permissions securely
 Users are allowed to use only strong and complex passwords. You can enable the Use password policy setting in Site Manager -> Settings -> Security & Membership -> Passwords.Password strength policy and its enforcement
 The passwords are stored in a strong and secure format. Recommended option is SHA2 with salt. You can set password format in Site Manager -> Settings -> Security & Membership -> Passwords -> general group.Password encryption in database
 The number of allowed invalid logon attempts is limited. You can set the limit in Site Manager -> Settings -> Security & Membership -> protection in the Invalid logon attempts group.Invalid logon attempts
 You have consider if autocomplete function is needed. Autocomplete can be enabled in Site Manager -> Settings -> Security & Membership -> Protection -> General group.Autocomplete deactivation
 Forms are secured with CAPTCHA (spam protection control).Spam protection (CAPTCHA)
 Encrypted Internet connection (HTTPS) is configured properly.Configuring SSL
  • No labels