Umbraco Cloud
CMSHeartcoreDXPMarketplace
  • What is Umbraco Cloud?
  • Frequently asked questions
  • Security
    • Web Application Firewall
  • Sustainability Best Practices
  • Getting Started
    • Explore Umbraco Cloud
    • The Cloud Portal
      • Organizations
      • Sustainability Dashboard
    • Project Overview
    • Environments
    • Flexible Environments (beta)
    • Baselines
      • Baseline Merge Conflicts
      • Break Reference between Baseline and Child Project
      • Handling configuration files
      • Pushing Upgrades to a Child Project
    • Plans
    • Migrate to Umbraco Cloud
    • Repositories in a Cloud Project
    • Best Practice for Working in Teams
    • Migrate between regions
  • Set up
    • Ready to Set Up Your Project?
    • Working with a Local Clone
      • Legacy Umbraco Visual Studio Setup
    • Manage Environments
    • Project Settings
      • Managing Transport Security
      • CDN Caching and Optimizations
      • Dedicated Resources
      • Upgrade your Plan
      • Public Access
      • Managing Hostnames
        • New Certificate Authority for custom hostnames
        • Rewrite rules
        • Custom Certificates
      • Management API Security
      • Umbraco CI/CD Flow
        • Cloud API For CI/CD Flow
        • Configuring a CI/CD pipeline
          • Azure DevOps
          • GitHub Actions
        • Troubleshooting
        • Known Limitations and Considerations
      • External Services
      • Usage
        • Bandwidth
      • Availability and Performance
      • Team Members
        • Technical Contact
      • Secrets Management
      • Project History
    • Private NuGet Feed on Umbraco Cloud
    • Going Live
    • Media
    • External Login Providers
    • Azure Blob Storage
      • Connect to Azure Storage Explorer to upload files manually
      • Connect and Upload Files Programmatically to Azure Blob Storage
    • Users
    • Multi-Factor Authentication
    • Application Insights
    • Config Transforms
    • SMTP Settings
    • Payments
      • Subscription migration information and FAQ
    • Power Tools (Kudu)
      • View the Files on your Cloud Environments
      • Generate UDA files
      • Manually run Extractions on your Cloud Environments
  • Deployments
    • Deployment
    • Deploying between environments
    • Transferring Content, Media, Members, and Forms
    • Deploying Deletions
    • Deployment Webhook
    • Deploying Changes
    • Umbraco Forms on Cloud
    • Deploy Dashboard
    • Hotfixes
      • Apply hotfix by manually moving files
      • Apply hotfix by using Git
    • Restoring Content
      • Partial Restores
  • Databases
    • Keep Your Data Secure and Accessible
    • Working with databases
    • Database backups
    • Database
      • Connecting to the Database on Mac
    • Working with a Cloud database locally
  • Product Upgrades
    • Stay Up to Date with Umbraco Cloud
    • Product Upgrades
    • Major Upgrades
    • Minor Upgrades
    • Version Specific Upgrades
      • Migrate from Umbraco 8 to the latest version
      • Migrate from Umbraco 7 to Umbraco 8 on Umbraco Cloud
    • Upgrade your projects manually
      • Manual upgrade of Umbraco CMS
      • Manual upgrade of Umbraco Deploy
    • Dependencies on Umbraco Cloud
  • Troubleshooting
    • Resolve Issues Quickly and Efficiently
    • Troubleshooting FAQ
    • Log files
    • The Umbraco Backoffice
    • The Frontend
    • The Umbraco Cloud Portal
    • Site Performance checklist
    • Troubleshooting deployments
      • Extraction error: Config transforms failing
      • Extraction error: Data Type collisions
      • Dependency Exception
      • Merge Conflicts on Flexible Environments
      • Troubleshooting deployments failing with no error message
      • Troubleshooting duplicate dictionary items
      • Troubleshooting language mismatches
      • Path too long Exception
      • Schema Mismatches
      • How to resolve collision errors
      • Extraction error: "Type not found! "
    • Cloud Errors
  • Release Notes
    • Overview 2025
      • April 2025
      • March 2025
      • February 2025
      • January 2025
    • Overview 2024
      • December 2024
      • November 2024
      • October 2024
      • September 2024
      • August 2024
      • July 2024
      • May 2024
      • April 2024
      • March 2024
      • February 2024
      • January 2024
    • Overview 2023
      • December 2023
      • October 2023
      • September 2023
      • August 2023
      • June 2023
      • May 2023
      • April 2023
      • March 2023
      • February 2023
      • January 2023
    • Overview 2022
      • December 2022
      • November 2022
      • September 2022
      • August 2022
      • June 2022
      • May 2022
      • April 2022
      • March 2022
      • February 2022
      • January 2022
Powered by GitBook
On this page
  • HTTPS & Certificates
  • Custom Certificates
  • TLS support
  • TLS Ciphers support
  • HSTS - HTTP Strict Transport Security
  • TLS 1.2 by default in external services
  • HTTP
  • Ports
  • Firewall & Restricting public access to Umbraco Cloud resources
  • Web Application Firewall
  • Cookies and security
  • Deny specific IPs from accessing your website

Was this helpful?

Edit on GitHub
Export as PDF

Security

Security has high priority on the Umbraco Cloud platform. Learn more about the different options and features related.

PreviousFrequently asked questionsNextWeb Application Firewall

Last updated 5 months ago

Was this helpful?

In this article you can find information about security on Umbraco Cloud.

HTTPS & Certificates

All Umbraco Cloud websites use HTTPS by default. Both the default {projectName}.{region}.umbraco.io and custom domains are protected by periodically renewed certificates issued by Cloudflare. This service is offered as part of Umbraco Cloud for all plans.

Custom Certificates

Custom certificates can be used with all custom domains. Please refer to our .

TLS support

As of April 2020, we've deprecated support for TLS 1.0 & TLS 1.1.

TLS 1.2 is now the default supported TLS protocol going forward.

On the Security page for your cloud project, you can change the default settings for both TLS and HTTP.

Learn more about how this in the article.

TLS Ciphers support

Umbraco Cloud Websites support the following TLS ciphers in this order:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

The different Ciphers can be enabled or disabled on the security project settings page for your Cloud projects.

HSTS - HTTP Strict Transport Security

You can add the header by modifying system.webServer/rewrite/outboundRules section in your web.config:

 <outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
  <conditions>
   <add input="{HTTPS}" pattern="on" ignoreCase="true" />
   <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
  </conditions>
  <action type="Rewrite" value="max-age=63072000; includeSubDomains; preload" />
  </rule>
 </outboundRules>

Alternatively this can be done in Startup.cs inside of the ConfigureServices method with the following C#:

public void ConfigureServices(IServiceCollection services)
        {
            services.AddUmbraco(_env, _config)
                .AddBackOffice()
                .AddWebsite()
                .AddComposers()
                .Build();

            services.AddHsts(options =>
            {
                options.MaxAge = TimeSpan.FromDays(730);
                options.IncludeSubDomains = true;
                options.Preload = true;
            });
        }

This adds the "Strict-Transport-Security" header telling browsers how long the browser should not make any HTTP requests to this domain. In this example 63072000 seconds or 730 days is two years.

TLS 1.2 by default in external services

In order to integrate older external applications to access Umbraco Cloud Websites you might have to modify the TLS support in the .Net application.

For ASP.NET applications, inspect the <system.web><httpRuntime targetFramework> element of web.config to find the version of the .NET Framework your application is using. .NET applications on .NET 4.7+ are using the OS specified TLS protocols. In Windows 8 & 10, Windows Server 2012 & 2016 TLS 1.2+ is used by default, therefore no actions necessary. .NET applications lower then 4.7 require updates to ensure they can communicate using TLS 1.2 by default.

HTTP

Umbraco Cloud supports both HTTP2 and HTTP3 protocols.

Ports

By default, all ports are closed to secure them against external attacks. This is done for all ports apart from 80 (HTTP) and 443 (HTTPS).

Firewall & Restricting public access to Umbraco Cloud resources

Umbraco Cloud offers a multitude of features allowing you to block access to different resources.

  • Basic Authentication allows access to the Backoffice & Frontend of Umbraco Cloud Websites for authenticated users only.

Basic authentication will not be available for projects running Umbraco 9. It is available for Umbraco Cloud version 10 (and newer) versions, however, the users are currently unable to exclude IP addresses for authentication using the allowlist feature.

  • IP based list allowing access to Frontend & Backoffice

  • IP based list allowing access to website database

Web Application Firewall

Cookies and security

On Umbraco Cloud sites, you will find an ARRAffinity cookie. This is not sent over HTTPS, and might to some, look like a security risk.

It is not a security risk. This cookie is set by the load balancer (LB) and only used by the LB to track which server your site is on. It is set by the software we use (Azure App Service) and only useful when your website is being scaled to multiple servers. In Umbraco Cloud we cannot scale your site to multiple servers so the cookie is effectively unused.

There is no vulnerable data in this cookie and manipulating or stealing this cookie can not lead to any security issues.

In the future, the cookie will be set to HttpOnly on Umbraco Cloud to conform to best practices. This does not mean that there's anything wrong with the current way it is set.

Deny specific IPs from accessing your website

You can block people and bots(e.g. a malicious scanning bot) from accessing your website by adding their IP addresses to a deny-list.

The following rule can be added to your web.config file in the system.webServer/rewrite/rules/ section.

<rule name="RequestBlockByIP" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*"/>
    <conditions>
    <add input="{HTTP_CF_Connecting_IP}" negate="false" pattern="123.123.123.123"/>
    </conditions>
    <action type="AbortRequest"/>
</rule>

For anyone using the 123.123.123.123 IP, this will result in them getting a 502 error. You can choose your own error.

It's possible to enforce HSTS: by adding the headers to your website. This grants Umbraco Cloud Websites an A+ security rating on sslabs (March 2020).

More information specifically from Microsoft about .Net applications and Transport Layer Security (TLS) support can be found . For other application frameworks/languages we encourage to lookup their respective documentations.

Some scanning tools will report some other ports open due to Cloudflare's default support on those ports. However, all traffic on those ports is managed by Umbraco Cloud and never reaches your project. You can read more about the Cloudflare Network Ports in the .

WAF is or can be enabled on the custom hostname(s) you add to your Umbraco Cloud project. .

For more information see .

Managing Custom Certificates documentation
Manage Security
HTTP Strict Transport Security
in Microsoft's official docs
Cloudflare Documentation
Learn more about how this feature works and helps to secure your websites
the related GitHub issue
Enable or disable TLS Ciphers