Security

Overview

In Sitefinity Cloud, the application's security is treated with the highest priority. Mechanisms for securing your project are available on both the application and the infrastructure level.

Application security

Sitefinity has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way, you protect your Sitefinity CMS sites against common web attacks.

There are various types of attacks that you can prevent: cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines response headers that all modern browsers understand and use to protect user or site data. Additionally, the built-in redirect and referrer validation mechanisms add further protection against open redirect and cross-site request forgery (CSRF) attacks.

For more information, see Web security module.
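The three protections described above can be checked with a few lines of code. The following is an added example, not code from Sitefinity or its Web security module: it audits a response for the headers that mitigate the attack classes listed, validates a redirect target so it cannot be pointed at a foreign host, and validates the Origin/Referer of a state-changing request. The header baseline and the host list are constructed assumptions; the module's own configuration keys and defaults are not assumed.

```python
"""Checks for the three protections the web security module configures:
HTTP security headers, redirect validation and referrer validation.

Added example, not Sitefinity code. The header baseline is a constructed
minimum; the module's own defaults and configuration keys are not assumed here.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000

# Header -> the attack class from the text that it mitigates.
EXPECTED_HEADERS = {
    "strict-transport-security": "man-in-the-middle / protocol downgrade",
    "content-security-policy": "XSS and code injection",
    "x-frame-options": "clickjacking",
    "x-content-type-options": "content sniffing",
    "referrer-policy": "referrer leakage",
}


def _hsts_max_age(value):
    """Parse the max-age directive of an HSTS header; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def audit_headers(response_headers):
    """Return findings for missing or weak security headers.

    Header names are matched case-insensitively, as browsers do.
    """
    present = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    for name, protects_against in EXPECTED_HEADERS.items():
        value = present.get(name)
        if value is None:
            findings.append(f"missing {name} ({protects_against})")
        elif name == "strict-transport-security" and _hsts_max_age(value) < ONE_YEAR:
            findings.append(f"weak {name}: max-age={_hsts_max_age(value)}")
        elif name == "x-frame-options" and value.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"weak {name}: {value}")
        elif name == "x-content-type-options" and value.strip().lower() != "nosniff":
            findings.append(f"weak {name}: {value}")
    return findings


def safe_redirect_target(target, allowed_hosts):
    """Open-redirect validation: allow only local paths or absolute URLs on our hosts."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A local path. Reject protocol-relative '//evil.example' and the
        # backslash forms some browsers normalise to a slash.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def referrer_ok(request_headers, allowed_hosts):
    """CSRF referrer validation for state-changing requests.

    Origin is preferred, Referer is the fallback; a request carrying neither is
    rejected, the conservative choice for POST, PUT and DELETE.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False
    return urlsplit(source).hostname in allowed_hosts


if __name__ == "__main__":
    hosts = {"www.example.com"}  # constructed
    print(audit_headers({"X-Frame-Options": "DENY", "Strict-Transport-Security": "max-age=300"}))
    print(safe_redirect_target("//evil.example/", hosts), safe_redirect_target("/account", hosts))
    print(referrer_ok({"Referer": "https://www.example.com/form"}, hosts))
```

The redirect check deliberately treats a missing scheme and host as a local path only when the target starts with a single slash; "//evil.example" parses as a host, and a backslash is rejected outright because browsers differ on how they normalise it.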

Infrastructure security

Sitefinity Cloud adds an extra layer of infrastructure security to complement the out-of-the-box security capabilities provided on the Sitefinity CMS application level. This extra layer is implemented using Cloudflare and Microsoft Azure services and components.

Security feature

Description

Dedicated tenant for each customer

Each Sitefinity Cloud customer account is provisioned with a dedicated Azure subscription. This guarantees that your data is contained within your subscription and that no resources are shared between subscriptions.

Access control

Access to any App Service, Storage account, SQL database, or Redis cache is restricted using a firewall whitelist. Users do not have direct access to any of the Azure services, except for read access to Application Insights and Blob Storage.

User account protection

All Sitefinity Cloud user accounts are protected with Azure AD Multi-Factor Authentication (MFA).

For more information, see How do I setup MFA with Sitefinity Cloud?

Azure Defender cloud workload protection

Azure Defender is the cloud workload protection platform (CWPP) integrated into Azure Security Center. It provides advanced and intelligent protection of Azure resources and workloads and is enabled by default for all Sitefinity Cloud customers. It provides security alerts and advanced threat protection for all the Azure infrastructure components used by the Sitefinity Cloud platform.

Distributed denial of service (DDoS)

Such attacks represent one of the biggest security concerns for customers and vendors alike. A DDoS attack exhausts an application's resources, making the application unavailable to legitimate users. Sitefinity Cloud takes advantage of the DDoS protection that is automatically enabled for the entire Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defences used by Microsoft's own online services.

Network traffic filtering

Security rules control the network traffic to and from the Azure resources that constitute the Sitefinity Cloud environment.

Local address requests

Connection attempts to local addresses, such as localhost, 127.0.0.1, and the machine's own IP, fail unless another process in the same sandbox has created a listening socket on the destination port.

Encryption at rest

Website file content, database backups, and system logs are stored in Azure Storage, which automatically encrypts the content at rest. Index data stored in Azure Search Service is also encrypted at rest.

Database backups and point-in-time restore

The Azure SQL Database service protects all databases with an automated backup system. These backups are retained for 35 days by default, and the retention period can be extended. Point-in-time restore allows a database to be restored from these backups to any point within the retention period. A database restore is performed only after an explicit request from the customer.

PII obfuscation upon database backup creation

A mechanism is provided for performing on-demand backups of staging and production databases. These backups are meant to be used for development and troubleshooting purposes, and the personally identifiable information (PII) in them is obfuscated.
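The property a troubleshooting copy needs is that PII is unrecoverable while the data still behaves like real data (valid e-mail syntax, rows that join the way they did in production). The following is an added example of one way to achieve that with keyed pseudonyms; it is a general technique, not Sitefinity Cloud's own backup mechanism, and the sample rows, column names and key are constructed.

```python
"""Deterministic obfuscation of PII columns in a database extract.

Added example of the technique, not Sitefinity Cloud's own backup mechanism.
The rows and the key are constructed; a real run keeps the key outside the
backup so the pseudonyms cannot be reversed by whoever receives the copy.
"""
import hashlib
import hmac

# Columns treated as PII; everything else is copied through unchanged.
PII_FIELDS = ("email", "first_name", "last_name", "phone")

# Constructed sample of a user table. Rows 1 and 3 share an address on purpose
# so the determinism check below has something to compare.
SAMPLE_ROWS = [
    {"id": 1, "email": "ana.petrova@example.com", "first_name": "Ana",
     "last_name": "Petrova", "phone": "+359 88 123 4567", "last_login": "2024-03-01"},
    {"id": 2, "email": "j.smith@example.org", "first_name": "John",
     "last_name": "Smith", "phone": "+44 20 7946 0000", "last_login": "2024-02-11"},
    {"id": 3, "email": "ana.petrova@example.com", "first_name": "Ana",
     "last_name": "Petrova", "phone": "+359 88 123 4567", "last_login": "2024-03-05"},
]


def pseudonym(value, key):
    """Keyed hash of a value.

    Same key and same input give the same output, so joins between obfuscated
    tables still line up; without the key the original can be neither
    recovered nor confirmed by guessing (a plain hash could be).
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def obfuscate_row(row, key):
    """Return a copy of the row with every PII column replaced by a pseudonym
    that keeps the column's general shape."""
    out = dict(row)
    for field in PII_FIELDS:
        if row.get(field) is None:
            continue
        tag = pseudonym(row[field], key)
        if field == "email":
            # Syntactically valid address on a reserved domain, so application
            # code that parses e-mail addresses keeps working on the copy.
            out[field] = f"user-{tag[:16]}@example.invalid"
        elif field == "phone":
            # Digits only, fixed length, obviously fake prefix.
            out[field] = "+00 " + str(int(tag, 16) % 10**9).zfill(9)
        else:
            out[field] = f"{field}-{tag[:8]}"
    return out


def obfuscate_rows(rows, key):
    return [obfuscate_row(r, key) for r in rows]


if __name__ == "__main__":
    for r in obfuscate_rows(SAMPLE_ROWS, b"constructed-demo-key"):
        print(r)
```

Non-PII columns such as id and last_login are copied unchanged, which is what makes the copy usable for reproducing a bug; the key must not travel with the backup, otherwise the pseudonyms are reversible by anyone who can enumerate likely inputs.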

Transparent data encryption for databases

Encrypts your databases, backups, and logs at rest without any changes to your application.

Advanced Data Security (SQL Servers)

Includes Data Discovery & Classification, Vulnerability Assessment, and Advanced Threat Protection.

SQL database auditing

Helps maintain regulatory compliance and gain insight into database discrepancies and anomalies.

Cloudflare connectivity

In Sitefinity Cloud, Cloudflare is the first entry point for all client requests to the customer's web applications. The following security checks are performed before a request is passed to the Azure App Service origin servers:

Connectivity

  • HTTPS (port 443) traffic only
    If an HTTP request is received, it is automatically redirected to HTTPS.
  • SSL/TLS certificate for every hostname
    Provided by the customer or managed by Sitefinity Cloud
  • Minimum TLS version – 1.2
  • Bot traffic inspection

Firewall whitelisting

  • Staging environment – IPs provided by the customer. These are usually the public IPs of the customer's on-premises networks.
  • Production environment – Cloudflare Access can be used while the site is in development to protect it from public preview.

Web application firewall protection

  • OWASP Top 10 ruleset
  • PCI compliant
  • DDoS protection

Azure resources connectivity

The connections between the Azure resources of each customer go through Azure's shared networking, which means that they do not cross any network boundaries and are encrypted.

The following list provides additional details:

Azure App Service

Connectivity:
  • Listens on HTTPS port 443 only
  • SSL certificate is signed with RSA-SHA256
  • Minimum TLS version – 1.2

Firewall whitelist:
  • Allows only traffic from the Cloudflare CDN endpoints and internal resources

Azure SQL Database

Connectivity:
  • SQL Server always enforces encryption (SSL/TLS) for all connections. This ensures all data is encrypted in transit between the client and the server.

Firewall whitelist:
  • IP of the Azure App Service that connects to that database
  • IP of the build machine that executes the database backup; it is temporarily added to perform the operation and removed immediately afterwards

Azure Blob Storage

Connectivity:
  • HTTP traffic is rejected
  • HTTPS, or SMB with encryption, is required to connect to the storage account

Firewall whitelist:
  • IPs provided by the customer. These are usually the public IPs of the customer's on-premises networks

Azure Search

Connectivity:
  • Listens on HTTPS port 443
  • Client-to-service interactions are SSL/TLS capable

Azure Cache for Redis

Connectivity:
  • Listens on port 6380
  • Non-SSL access is disabled
  • Minimum TLS version – 1.2

Firewall whitelist:
  • IP of the Azure App Service that connects to that Redis service
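The connectivity and firewall rules listed above (and the HTTPS-only, TLS 1.2 requirements in the Cloudflare connectivity section) are the kind of settings that drift when someone adds a temporary firewall entry and forgets to remove it. The following is an added example, not Sitefinity Cloud tooling, of a policy check over that configuration: it takes an inventory shaped like the fields `az webapp show`, `az storage account show` and `az redis show` return, but the inventory, the Cloudflare ranges, the customer ranges and the App Service IP are all constructed here; nothing is read from a real subscription.

```python
"""Policy checks over a constructed inventory of the Azure resources listed above.

Added example, not Sitefinity Cloud tooling. The dictionaries below imitate
the fields that `az webapp show`, `az storage account show` and `az redis show`
return, but they are constructed here; nothing is read from a real subscription.
"""
import ipaddress

# Constructed sample of Cloudflare egress ranges. In practice, load the current
# list that Cloudflare publishes instead of hard-coding it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in
                     ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13")]
# "Internal resources" in the App Service rule set: RFC 1918 space.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Customer-provided ranges for Blob Storage (constructed, documentation prefix).
CUSTOMER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Outbound IP of the App Service that talks to SQL and Redis (constructed).
APP_SERVICE_IP = "20.50.1.10"
MIN_TLS = (1, 2)

# Compliant inventory: matches the connectivity and firewall rules listed above.
INVENTORY = {
    "app_service": {
        "httpsOnly": True,
        "minTlsVersion": "1.2",
        "ipSecurityRestrictions": ["173.245.48.0/20", "103.21.244.0/22",
                                   "104.16.0.0/13", "10.0.0.0/8"],
    },
    "sql": {"firewallRules": [APP_SERVICE_IP]},
    "storage": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                "ipRules": ["203.0.113.0/24"]},
    "redis": {"enableNonSslPort": False, "minimumTlsVersion": "1.2",
              "sslPort": 6380, "firewallRules": [APP_SERVICE_IP]},
}

# Same inventory with three kinds of drift a practitioner would want flagged:
# a non-Cloudflare allow rule, a leftover SQL firewall entry, Redis non-SSL port.
DRIFTED_INVENTORY = {
    "app_service": {
        "httpsOnly": True,
        "minTlsVersion": "1.2",
        "ipSecurityRestrictions": ["173.245.48.0/20", "198.51.100.0/24"],
    },
    "sql": {"firewallRules": [APP_SERVICE_IP, "198.51.100.7"]},
    "storage": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                "ipRules": ["203.0.113.0/24"]},
    "redis": {"enableNonSslPort": True, "minimumTlsVersion": "1.2",
              "sslPort": 6380, "firewallRules": [APP_SERVICE_IP]},
}


def tls_at_least_1_2(value):
    """Accept the two spellings seen in Azure ('1.2' and 'TLS1_2')."""
    digits = value.upper().replace("TLS", "").replace("_", ".")
    major, _, minor = digits.partition(".")
    return (int(major), int(minor or 0)) >= MIN_TLS


def within_any(cidr, allowed):
    """True if the rule's network lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)


def check_inventory(inv):
    """Return a list of findings; an empty list means the inventory matches policy."""
    findings = []
    app = inv["app_service"]
    if not app["httpsOnly"]:
        findings.append("app_service: plain HTTP is accepted")
    if not tls_at_least_1_2(app["minTlsVersion"]):
        findings.append("app_service: minimum TLS version below 1.2")
    for cidr in app["ipSecurityRestrictions"]:
        if not within_any(cidr, CLOUDFLARE_RANGES + PRIVATE_RANGES):
            findings.append(f"app_service: allow rule {cidr} is neither Cloudflare nor internal")
    # SQL and Redis must admit only the App Service; the backup machine's IP is
    # temporary, so any other persistent entry is a finding.
    for name in ("sql", "redis"):
        for ip in inv[name]["firewallRules"]:
            if ip != APP_SERVICE_IP:
                findings.append(f"{name}: unexpected firewall entry {ip}")
    st = inv["storage"]
    if not st["supportsHttpsTrafficOnly"]:
        findings.append("storage: HTTP traffic is not rejected")
    if not tls_at_least_1_2(st["minimumTlsVersion"]):
        findings.append("storage: minimum TLS version below 1.2")
    for cidr in st["ipRules"]:
        if not within_any(cidr, CUSTOMER_RANGES):
            findings.append(f"storage: ip rule {cidr} is not a customer-provided range")
    rd = inv["redis"]
    if rd["enableNonSslPort"]:
        findings.append("redis: non-SSL port is enabled")
    if rd["sslPort"] != 6380:
        findings.append(f"redis: unexpected SSL port {rd['sslPort']}")
    if not tls_at_least_1_2(rd["minimumTlsVersion"]):
        findings.append("redis: minimum TLS version below 1.2")
    return findings


if __name__ == "__main__":
    for label, inv in (("baseline", INVENTORY), ("drifted", DRIFTED_INVENTORY)):
        print(label, check_inventory(inv) or "compliant")
```

The allow-list check tests that each rule's network is a subnet of a known Cloudflare or private range rather than comparing strings, so a rule like 104.16.5.0/24 passes while a customer office range that someone added to the App Service instead of to Blob Storage is reported.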
