Security has high priority on the Umbraco Cloud platform. Learn more about the related options and features.
In this article you can find information about security on Umbraco Cloud.
All Umbraco Cloud websites use HTTPS by default. Both the default {projectName}.{region}.umbraco.io and custom domains are protected by periodically renewed certificates issued by Cloudflare. This service is offered as part of Umbraco Cloud for all plans.
Custom certificates can be used with all custom domains. Please refer to our Managing Custom Certificates documentation.
As of April 2020, we have deprecated support for TLS 1.0 and TLS 1.1.
TLS 1.2 is now the default supported TLS protocol going forward.
On the Security page for your Cloud project, you can change the default settings for both TLS and HTTP.
Learn more about how to do this in the Manage Security article.
Umbraco Cloud Websites support the following TLS ciphers in this order:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
The different ciphers can be enabled or disabled on the Security settings page for your Cloud project.
It is possible to enforce HSTS (HTTP Strict Transport Security) by adding the header to your website. This grants Umbraco Cloud websites an A+ security rating on SSL Labs (March 2020).
You can add the header by modifying the system.webServer/rewrite/outboundRules section in your web.config:
Alternatively this can be done in Startup.cs inside of the ConfigureServices method with the following C#:
This adds the "Strict-Transport-Security" header, telling browsers for how long they must not make any plain HTTP requests to this domain. In this example 63072000 seconds, or 730 days, is two years.
To let older external applications access Umbraco Cloud websites, you might have to modify the TLS support in the .NET application.
For ASP.NET applications, inspect the <system.web><httpRuntime targetFramework> element of web.config to find the version of the .NET Framework your application is using. .NET applications on .NET 4.7+ use the TLS protocols specified by the OS. On Windows 8 and 10 and Windows Server 2012 and 2016, TLS 1.2+ is used by default, so no action is necessary. .NET applications lower than 4.7 require updates to ensure they can communicate using TLS 1.2 by default.
More information from Microsoft about .NET applications and Transport Layer Security (TLS) support can be found in Microsoft's official docs. For other application frameworks and languages, we encourage you to look up their respective documentation.
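As an added example (not the snippet from the original page), this is the web.config outbound rule that sets the header described above, using the same two-year max-age; the condition assumes the request reached the site over HTTPS, which is the case for Umbraco Cloud sites.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Add Strict-Transport-Security to every response served over HTTPS -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <!-- RESPONSE_<header> is how IIS URL Rewrite addresses a response header -->
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <!-- Only set the header on HTTPS responses; HSTS on plain HTTP is ignored by browsers -->
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <!-- 63072000 seconds = 730 days = two years.
               "includeSubDomains" and "preload" are optional additions, not covered by the article;
               only add them once every subdomain is served over HTTPS. -->
          <action type="Rewrite" value="max-age=63072000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, confirm the header is present with a request to the site over HTTPS; the header must never be set on an HTTP response, which the {HTTPS} condition guarantees.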
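As an added example (not from the original page), these are the two web.config places to inspect for a .NET Framework application, following Microsoft's TLS guidance: the targetFramework attribute named above, and, for applications that cannot move to 4.7+, the AppContext switches that make .NET Framework 4.6 through 4.6.2 defer to the OS default TLS versions. The target version 4.7.2 is an assumed value.

```xml
<configuration>
  <system.web>
    <!-- Applications targeting 4.7 or later inherit the OS TLS defaults (TLS 1.2 on the Windows
         versions listed in the article); check this attribute first. Version shown is assumed. -->
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
  <runtime>
    <!-- Only needed when targetFramework is 4.6 to 4.6.2 and cannot be raised: both switches
         are documented by Microsoft. "false" here means "do NOT disable" the strong-crypto and
         system-default-TLS behaviour, so the app negotiates TLS 1.2 instead of hard-coding
         older protocols. Frameworks below 4.6 need the SchUseStrongCrypto registry keys instead. -->
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false" />
  </runtime>
</configuration>
```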
Umbraco Cloud supports both the HTTP/2 and HTTP/3 protocols.
By default, all ports are closed to secure them against external attacks. This is done for all ports apart from 80 (HTTP) and 443 (HTTPS).
Some scanning tools will report some other ports open due to Cloudflare's default support on those ports. However, all traffic on those ports is managed by Umbraco Cloud and never reaches your project. You can read more about the Cloudflare Network Ports in the Cloudflare Documentation.
Umbraco Cloud offers a multitude of features allowing you to block access to different resources.
Basic Authentication allows access to the Backoffice & Frontend of Umbraco Cloud Websites for authenticated users only.
Basic authentication is not available for projects running Umbraco 9. It is available for Umbraco version 10 and newer; however, users are currently unable to exclude IP addresses from authentication using the allowlist feature.
IP based list allowing access to Frontend & Backoffice
IP based list allowing access to website database
WAF is or can be enabled on the custom hostname(s) you add to your Umbraco Cloud project. Learn more about how this feature works and helps to secure your websites.
On Umbraco Cloud sites, you will find an ARRAffinity cookie. This is not sent over HTTPS and might, to some, look like a security risk.
It is not a security risk. This cookie is set by the load balancer (LB) and only used by the LB to track which server your site is on. It is set by the software we use (Azure App Service) and is only useful when your website is being scaled to multiple servers. In Umbraco Cloud we cannot scale your site to multiple servers, so the cookie is effectively unused.
There is no vulnerable data in this cookie, and manipulating or stealing this cookie cannot lead to any security issues.
In the future, the cookie will be set to HttpOnly on Umbraco Cloud to conform to best practices. This does not mean that there is anything wrong with the current way it is set.
For more information see the related GitHub issue.
You can block people and bots (e.g. a malicious scanning bot) from accessing your website by adding their IP addresses to a deny-list.
The following rule can be added to your web.config file in the system.webServer/rewrite/rules/ section.
Anyone connecting from the 123.123.123.123 IP address will receive a 502 error. You can choose your own error.
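As an added example (not the snippet from the original page), this is a deny-list rule of the kind described above for the 123.123.123.123 address, returning the 502 status the article mentions. Because Umbraco Cloud traffic is proxied through Cloudflare, the rule matches the CF-Connecting-IP request header, which Cloudflare populates with the original client address; matching {REMOTE_ADDR} would instead see Cloudflare's edge address and block nothing.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Deny-list: one rule per address or range; stopProcessing ends evaluation once matched -->
        <rule name="Block IP 123.123.123.123" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- IIS exposes request headers as HTTP_<NAME>; CF-Connecting-IP carries the real client IP.
                 This is only trustworthy because all requests arrive via Cloudflare on Umbraco Cloud.
                 Anchor the pattern (^...$) so 123.123.123.1230 or 1123.123.123.123 do not match. -->
            <add input="{HTTP_CF_CONNECTING_IP}" pattern="^123\.123\.123\.123$" />
          </conditions>
          <!-- 502 as in the article; any other status code (e.g. 403) can be used instead -->
          <action type="CustomResponse" statusCode="502" statusReason="Forbidden"
                  statusDescription="Access denied" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To block a whole range, widen the pattern (for example "^123\.123\.123\.\d+$" for a /24) rather than adding one rule per address.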
Your Umbraco Cloud website is protected by a Web Application Firewall (WAF) by default. Learn more about the feature and the benefits.
A Web Application Firewall (WAF) is a security solution designed to protect web applications by filtering and monitoring HTTP traffic between them and the Internet. By acting as a shield between the web application and potential threats, it helps mitigate various common attacks such as cross-site scripting (XSS), SQL injection, and file inclusion.
Umbraco Cloud uses Cloudflare’s Managed Rulesets which include pre-configured rules that provide immediate protection against a wide range of threats. These managed rulesets are regularly updated to defend against the latest vulnerabilities and attack techniques. The rulesets include protections against:
Zero-day vulnerabilities: Newly discovered vulnerabilities that have not yet been patched.
Top-10 attack techniques (logging only): Common attack methods identified by security organizations like OWASP.
WAF is enabled by default on each custom hostname. It is not available for the internal Cloud hostnames.
A WAF helps maintain optimal performance by blocking malicious traffic before it reaches your web application. This means that your server resources are not wasted on processing harmful requests, which can slow down your website. Additionally, by preventing attacks that could exploit vulnerabilities, WAF helps ensure the website remains available and responsive to legitimate users.
A WAF enhances the security of your web applications by providing a robust defense against different types of attacks. It protects your website from data breaches, defacement, and other security incidents by filtering out malicious traffic. This helps not only safeguard sensitive data but also maintain the trust and confidence of your users.
The custom hostname(s) must be pointing to the Umbraco Cloud entry point, either via a CNAME record pointing to dns.umbraco.io or via A records.
Learn more about this in the article on Managing Hostnames.
When using a proxy server with your Umbraco Cloud project you cannot enable WAF on your custom hostname.
The following steps outline enabling WAF on your custom hostname(s).
Open the Cloud project in the Umbraco Cloud Portal.
Navigate to Transport Security under Security.
Enable WAF for all future hostnames added to the project.
Enable WAF on your custom hostname(s).