Security

Overview

In Sitefinity Cloud, application security is treated with the highest priority. Mechanisms for securing your project are available at both the application level and the infrastructure level.

Application security

Sitefinity has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way, you protect your Sitefinity CMS sites against common web attacks.

The module helps you prevent several classes of attack: cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally, the built-in redirect and referrer validation mechanisms add further protection against open redirect and cross-site request forgery (CSRF) attacks.

For more information, see Web security module.
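The following Python script is added here as an illustration of what the three checks described above amount to on a response and a request; it is not the Sitefinity Web security module's own code. It pairs each attack class with the response header that addresses it (Strict-Transport-Security for data in transit, X-Frame-Options for clickjacking, X-Content-Type-Options for content sniffing, Content-Security-Policy for XSS and injection), validates a redirect target so that only local paths or known hosts are accepted, and validates the Origin or Referer of a request against the site's hosts. The header table, the expected values, the hostnames and the sample headers are assumptions constructed for the example.

```python
"""Added example: checks of the kind the Web security module performs.
Not Sitefinity code; the header table, hostnames and sample headers below are
assumptions constructed for illustration."""
from urllib.parse import urlsplit

# Header -> (attack class it addresses, predicate that accepts a strong value).
# Assumed list; the module's own header set may differ.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": ("data in transit (man-in-the-middle)",
                                  lambda v: "max-age=" in v.lower()),
    "X-Frame-Options": ("clickjacking",
                        lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "X-Content-Type-Options": ("content sniffing",
                               lambda v: v.strip().lower() == "nosniff"),
    "Content-Security-Policy": ("cross-site scripting / code injection",
                                lambda v: "default-src" in v.lower()),
}


def check_security_headers(headers):
    """Return [(header, attack class)] for headers that are missing or weak."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (attack, is_strong) in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None or not is_strong(value):
            findings.append((name, attack))
    return findings


def is_safe_redirect(target, allowed_hosts):
    """Open-redirect validation: accept only local paths or URLs on allowed hosts."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A local path must start with a single "/"; "//host" and "/\\host"
        # are treated by browsers as protocol-relative external URLs.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    host = (parts.hostname or "").lower()  # hostname strips any user@ prefix
    return parts.scheme in ("http", "https") and host in allowed_hosts


def referrer_is_trusted(headers, allowed_hosts):
    """CSRF mitigation: the Origin header (or Referer as fallback) must name an
    allowed host; a state-changing request that carries neither is rejected."""
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    return (urlsplit(source).hostname or "").lower() in allowed_hosts


# Constructed sample: one header is missing and one is set to a weak value.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}
ALLOWED_HOSTS = {"www.example.com"}  # placeholder site hostname

if __name__ == "__main__":
    for header, attack in check_security_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{header}: missing or weak (protects against {attack})")
    print(is_safe_redirect("//evil.example/", ALLOWED_HOSTS))  # False
    print(referrer_is_trusted({"Origin": "https://evil.example"}, ALLOWED_HOSTS))  # False
```

The redirect check deliberately treats a protocol-relative target (`//host`) and its backslash variant as external, since browsers resolve both to another origin even though neither carries a scheme; the referrer check prefers Origin because browsers strip the path from it and send it on cross-origin POSTs even when Referer is suppressed.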

Infrastructure security

Sitefinity Cloud adds an extra layer of infrastructure security to complement the out-of-the-box security capabilities provided at the Sitefinity CMS application level. This extra layer is implemented using Cloudflare and Microsoft Azure services and components.

Security feature: Description

Single-tenancy

The Sitefinity Cloud architecture provides a single-tenant setup for each customer, with dedicated infrastructure contained in a separate Azure subscription and Azure Active Directory. This guarantees that your data is contained within your subscription and that no resources are shared between subscriptions.

Access control

Access to any App service, Storage account, SQL database, or Redis cache service is restricted using a firewall whitelist. Users do not have access to any of the Azure services, except for read access to Application Insights, Blob Storage for database backups, and Azure Search Service.

User account protection

All Sitefinity Cloud user accounts are protected with Azure AD Multifactor Authentication.

For more information, see How do I setup MFA with Sitefinity Cloud?

Azure Defender cloud workload protection

Azure Defender for Cloud is an integrated cloud workload protection platform (CWPP) that provides advanced and intelligent protection of Azure resources and workloads. It is enabled by default for all Sitefinity Cloud customers and provides security alerts and advanced threat protection for all the Azure infrastructure components used by the Sitefinity Cloud platform.

Distributed denial of service (DDoS)

DDoS attacks represent one of the biggest security concerns for customers and vendors alike. A DDoS attack targets an application’s resources, making the application unavailable to legitimate users. Sitefinity Cloud takes advantage of the DDoS protection that is automatically enabled for the entire Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft’s online services.
Cloudflare's WAF is the entry point for all application traffic and provides additional DDoS protection (see Cloudflare connectivity below).

Network traffic filtering

Network security rules control the traffic to and from the Azure resources that constitute the Sitefinity Cloud environment.

Local address requests

Connection attempts to local addresses, such as localhost, 127.0.0.1, and the machine's own IP, fail unless another process in the same sandbox has created a listening socket on the destination port.

Encryption at rest

Website file content, database backups, and system logs are stored in Azure Storage, which automatically encrypts the content at rest. Index data stored in Azure Search Service is also encrypted at rest.

Database backups and point-in-time restore

The Azure SQL Database service protects all databases with an automated backup system. These backups are retained for 35 days by default, and the retention period can be extended. Point-in-time restore allows a database to be restored from these backups to any point within the retention period. A database restore is performed only after an explicit request from the customer.

PII obfuscation upon database backup creation

A mechanism is provided for performing on-demand backups of staging and production databases. These backups are meant for development and troubleshooting purposes, and the personally identifiable information (PII) in them is obfuscated.

Transparent data encryption for databases

Encrypts your databases, backups, and logs at rest, without any changes to your application. 

Advanced Data Security (SQL Servers)

Includes Data Discovery & Classification, Vulnerability Assessment, and Advanced Threat Protection.

SQL database auditing

Helps to maintain regulatory compliance and to gather insights into any database discrepancies and anomalies.

Cloudflare connectivity

In Sitefinity Cloud, Cloudflare is the first entry point for all the client requests to the customer’s web applications. The following security checks are performed before the request is passed to the Azure App Services origin servers:

Connectivity

  • HTTPS only
    HTTP traffic is redirected to HTTPS.
  • SSL certificate for every hostname
    Provided by the customer or managed by Sitefinity Cloud
  • Minimum TLS version – 1.2
  • Bot traffic inspection

Firewall whitelisting

  • Staging environment – IPs provided by the customer. These are usually the public IPs of the customer's on-premises networks.
  • Production environment – Site shield can be used while the site is in development to protect it from public preview. Site shield can be used for non-Production environments too.

Web application firewall protection

The Cloudflare web application firewall (WAF) keeps applications and APIs secure and productive, prevents DDoS attacks, keeps bots at bay, detects anomalies and malicious payloads, all while monitoring for browser supply chain attacks.

  • DDoS Protection - secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised
  • Layered protections from multiple WAF rulesets - the following rulesets are enabled with the highest level of sensitivity:
    • Cloudflare-managed rules
    • OWASP Top 10
  • Updated rules for zero-day protections - continuously updated by Cloudflare's security team for protection against novel attacks and zero-day vulnerabilities before patches or updates are available
  • PCI compliant - Cloudflare possesses Level 1 service provider certification
  • Bot Mitigation - protection against bots with sophisticated layered protections, visibility and challenge options

Azure resources connectivity

The connection between the Azure resources for each customer goes through the shared networking in Azure, which means that it does not cross any network boundaries and is encrypted.

The following list provides additional details for each element: its connectivity settings and the firewall whitelist applied to it.

Azure App Service

  Connectivity:
  • HTTPS only
    HTTP traffic is redirected to HTTPS
  • SSL certificate is signed with RSA-SHA256
  • Minimum TLS version is 1.2
  • Allows only the traffic from the Cloudflare CDN endpoints and internal resources

  Firewall whitelist:
  • Cloudflare outbound IPs - IP Ranges
  • IPs of the App Service itself, to allow for output cache warmup
  • IP of the build machine that performs a deployment, temporarily added to perform the operation and removed immediately after

Azure SQL Database

  Connectivity:
  • SQL Server always enforces encryption (SSL/TLS) for all connections. This ensures that all data is encrypted in transit between the client and the server.

  Firewall whitelist:
  • IP of the Azure App Service that connects to that database
  • IP of the build machine that executes a database backup, temporarily added to perform the operation and removed immediately after

Azure Blob Storage

  Connectivity:
  • HTTP traffic is rejected
  • HTTPS, or SMB with encryption, is required to connect to the storage account
  • Minimum TLS version is 1.2

  Firewall whitelist:
  • IPs provided by the customer. These are usually the public IPs of the customer's on-premises networks

Azure Search

  Connectivity:
  • Listens on HTTPS port 443
  • Client-to-service interactions are SSL/TLS capable
  • Minimum TLS version is 1.2

Azure Cache for Redis

  Connectivity:
  • Listens on port 6380
  • Non-SSL access is disabled
  • Minimum TLS version is 1.2

  Firewall whitelist:
  • IPs of the Azure App Service that connects to that Redis service
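The whitelist entries in this list share one pattern: a resource admits only a fixed set of source networks, and an operational address (the build machine) is added for a single deployment or backup and removed right after. The Python below is added here as an example of that pattern and is not Sitefinity Cloud's own tooling. It models an allow-list of CIDR networks and a context manager that guarantees the temporary rule is removed even when the operation fails, without removing a range that was permanently listed before. All address ranges are constructed placeholders taken from the RFC 5737 documentation blocks, not real Cloudflare or Azure addresses.

```python
"""Added example of the firewall allow-list pattern in the list above.
Not Sitefinity Cloud tooling; all address ranges are constructed placeholders
from the RFC 5737 documentation blocks, not real Cloudflare or Azure ranges."""
import ipaddress
from contextlib import contextmanager


class FirewallAllowList:
    """Source networks permitted to reach one resource."""

    def __init__(self, networks=()):
        self._networks = {ipaddress.ip_network(n, strict=False) for n in networks}

    def add(self, network):
        self._networks.add(ipaddress.ip_network(network, strict=False))

    def remove(self, network):
        self._networks.discard(ipaddress.ip_network(network, strict=False))

    def allows(self, source_ip):
        """True if source_ip falls inside any listed network (IPv4 or IPv6)."""
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self._networks)

    @contextmanager
    def temporary_rule(self, network):
        """Admit `network` for one operation only.

        The rule is removed in a finally block, so a failing deployment or
        backup cannot leave the build machine's address open; a network that
        was already permanently listed is left in place."""
        net = ipaddress.ip_network(network, strict=False)
        was_listed = net in self._networks
        self._networks.add(net)
        try:
            yield self
        finally:
            if not was_listed:
                self._networks.discard(net)


# Constructed placeholders standing in for the App Service row above:
# CDN outbound ranges plus the App Service's own outbound address.
APP_SERVICE_ALLOWLIST = FirewallAllowList([
    "203.0.113.0/24",   # placeholder: CDN outbound range
    "198.51.100.7",     # placeholder: App Service outbound IP (cache warmup)
])
BUILD_MACHINE_IP = "192.0.2.10"  # placeholder: deployment build agent


def run_with_temporary_access(allowlist, build_ip, operation):
    """Run `operation` while build_ip is admitted.

    Returns (result, allowed_during, allowed_after) so the caller can confirm
    the rule existed for the operation and is gone afterwards."""
    with allowlist.temporary_rule(build_ip):
        allowed_during = allowlist.allows(build_ip)
        result = operation()
    return result, allowed_during, allowlist.allows(build_ip)


def access_after_failed_operation(allowlist, build_ip, failing_operation):
    """Return whether build_ip is still admitted after failing_operation raised."""
    try:
        with allowlist.temporary_rule(build_ip):
            failing_operation()
    except Exception:
        pass  # the operation failed; the finally block has already closed the rule
    return allowlist.allows(build_ip)


if __name__ == "__main__":
    print(APP_SERVICE_ALLOWLIST.allows("203.0.113.42"))   # True: inside CDN range
    print(APP_SERVICE_ALLOWLIST.allows(BUILD_MACHINE_IP))  # False: not listed
    print(run_with_temporary_access(APP_SERVICE_ALLOWLIST, BUILD_MACHINE_IP,
                                    lambda: "deployed"))   # ('deployed', True, False)
```

The point to verify in any real implementation of this pattern is the failure path: a deployment that crashes half-way must still remove the build agent's rule, which is why the removal sits in `finally` rather than after the operation.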
