Health Check Guides

Below is a list of guides for Health Checks in Umbraco.

Cross-site scription protection

Simple Mail Transfer Protocol (SMTP)

Strict transport security header

Loading...

Click-Jacking Protection

Learn how to protect your Umbraco site from clickjacking attacks using X-Frame-Options and security headers.

Checks if your site is allowed to be IFRAMEd by another site and thus would be susceptible to click-jacking.

How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferable you use a security library like .

Adding Click-Jacking Protection using NWebSec

If you take a NuGet dependency on , you can use third extension methods on IApplicationBuilder.

Adding Click-Jacking Protection using manual middleware

Avoid third-party library dependencies by using custom middleware added to the request pipeline.

Loading...

Content/MIME Sniffing Protection

Protect your Umbraco site from MIME sniffing vulnerabilities using security headers like X-Content-Type-Options.

Checks that your site contains a header used to protect against Multipurpose Internet Mail Extensions (MIME) sniffing vulnerabilities.

How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferable you use a security library like NWebSec.

Adding Content/MIME Sniffing Protection using NWebSec

If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/, you can use third extension methods on IApplicationBuilder.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseXContentTypeOptions();

        ...
    }
}

Adding Content/MIME Sniffing Protection using manual middleware

If you don't like to have a dependency on third party libraries. You can add the following custom middleware to the request pipeline.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
            await next();
        });

       ...
    }
}

Loading...

Cross-site scripting Protection (X-XSS-Protection header)

This header enables the Cross-site scripting (XSS) filter in your browser. It checks for the presence of the X-XSS-Protection-header.

How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferable you use a security library like NWebSec.

Adding Cross-site scripting Protection using NWebSec

If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/, you can use third extension methods on IApplicationBuilder.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        ...
    }
}

Adding Cross-site scripting Protection using manual middleware

If you don't like to have a dependency on third party libraries. You can add the following custom middleware to the request pipeline.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
            await next();
        });

       ...
    }
}

Loading...

Debug Compilation Mode

Disable debug compilation mode in Umbraco to boost performance by updating JSON configuration.

Leaving debug compilation mode enabled can severely slow down a website and take up more memory on the server.

How to fix this health check

This health check can be fixed by providing configuration on the following path: Umbraco:CMS:Hosting:Debug.

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the JSON file sources.

Updating the JSON configuration

The following JSON needs to be merged into one of your JSON sources. By default the following JSON sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

One example that can be used for production:

Loading...

Excessive Headers

Checks to see if your site is revealing information in its headers that gives away unnecessary details about the technology used to build and host it.

How to fix this health check

This health check can be fixed by removing headers before the response is started.

Be aware these headers are often added by the server and not by the application.

Unless you publicly expose the Kestrel server (not recommended by Microsoft), you can't handle this directly in middleware.

Removing headers when hosted on IIS

For IIS you will need to manipulate web.config (If you don't have web.config already in your project you will need to add it at the root). Ensure to remove the custom X-Powered-By and Server header as shown in the following example.

The removeServerHeader attribute is added in IIS 10.0 and does not work in versions of Windows prior to Windows Server version 1709 or Windows 10 version 1709.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

Removing headers when hosted on Kestrel

By default Kestrel will only expose the Server header. To disable this, you have to configure Kestrel in Program.cs. You can use the UseKestrel extension method on IWebHostBuilder like in the following example.

public class Program
{
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder => { webBuilder.UseStartup<Startup>()
                .UseKestrel(x => x.AddServerHeader = false);
            });
}

Loading...

Fixed Application Url

Check to make sure a fixed application URL is specified. This URL is for example used when sending emails from backoffice. If this is not specified in configuration, Umbraco gets the application URL from last host used to request the application

How to fix this health check

This health check can be fixed by providing configuration on the following path: Umbraco:CMS:WebRouting:UmbracoApplicationUrl.

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the JSON file sources.

Updating the JSON configuration

The following JSON needs to be merged into one of your JSON sources. By default the following JSON sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

{
    "Umbraco": {
        "CMS": {
            "WebRouting": {
                "UmbracoApplicationUrl": "string"
            }
        }
    }
}

One example that can be used in production

{
    "Umbraco": {
        "CMS": {
            "WebRouting": {
                "UmbracoApplicationUrl": "https://www.my-custom-domain.com/"
            }
        }
    }
}

If the site is hosted on Umbraco Cloud, changing the above configuration will have no effect. The site will always use the URL set in the`umbraco-cloud.json` file, which can not be changed.

Loading...

Folder & File Permissions

Checks that the web server folder and file permissions are set correctly for Umbraco to run.

How to fix this health check

This health check can be fixed by ensuring that the process running Umbraco also has write access to the listed folders and files.

Updating the file permissions on Windows

Here's an example of how to adjust permissions for a folder. This process works the same way for files.

First we see an example of an error from the health check

To fix this, we find the specified folder, from the report and choose Properties and the Security tab.

From here you can edit the permissions for a specific user or user group.

For security reasons we recommend only giving write access to the required users or groups.

Loading...

HTTPS Configuration

Checks if your site is configured to work over HTTPS and if the Umbraco related configuration for that is correct.

How to fix this health check

This health check checks a couple of things.

First of all, it ensures that your website is running on HTTPS using a valid certificate.

Furthermore, it is used to specify the configuration on the following path: Umbraco:CMS:Global:UseHttps.

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the JSON file sources.

Updating the JSON configuration

The following JSON needs to be merged into one of your JSON sources. By default the following JSON sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

{
    "Umbraco": {
        "CMS": {
            "Global": {
                "UseHttps": <false,true>
            }
        }
    }
}

One example that can be used:

{
    "Umbraco": {
        "CMS": {
            "Global": {
                "UseHttps": true
            }
        }
    }
}

Loading...

Macro Errors

Checks to make sure macro errors are not set to throw a Yellow Screen Of Death (YSOD). This could prevent certain or all pages from loading.

How to fix this health check

This health check can be fixed by providing configuration on the following path: Umbraco:CMS:Content:MacroErrors.

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the json file sources.

Updating the json configuration

The following json needs to be merged into one of you json sources. By default the following json sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

One example that can be used in production, but is not recommended for development:

Loading...

Notification Email Settings

If notifications are used, the 'from' email address should be specified and changed from the default value.

How to fix this health check

This health check can be fixed by providing configuration on the following path: Umbraco:CMS:Content:Notifications:Email.

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the JSON file sources.

Updating the JSON configuration

The following JSON needs to be merged into one of your JSON sources. By default the following JSON sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

One example that can be used:

Loading...

SMTP

Checks that valid settings for sending emails are in place.

How to fix this health check

This health check can be fixed by providing configuration on the following path: Umbraco:CMS:Global:Smtp

This configuration can be setup in a configuration source of your choice. This guide shows how to set it up in one of the JSON file sources.

Updating the JSON configuration

The following JSON needs to be merged into one of your JSON sources. By default the following JSON sources are used: appSettings.json and appSettings.<environment>.json, e.g. appSettings.Development.json or appSettings.Production.json.

Loading...

Strict-Transport-Security Header

Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS).

How to fix this health check

This health check can be fixed by adding the Strict-Transport-Security header to responses. The header tells browsers that future requests should be made over HTTPS only.

Enabling HSTS on a domain will cause browsers to only use HTTPS (not HTTP) to communicate with your site. Only enable HSTS on domains that can, and should, use HTTPS exclusively.

Using the UseHsts extension method

ASP.NET Core implements HSTS with the UseHsts extension method.

You can add UseHsts after the env.IsDevelopment() check in Startup.cs.

This example only enables HSTS if the app is not running in development mode. UseHsts isn't recommended in development because the HSTS settings are highly cacheable by browsers.

Loading...