This section includes information on Umbraco security, its different security options, and configuring how authentication and authorization work in Umbraco.
We have a dedicated security page on our main site which provides most of the details you may need to know about security within the Umbraco CMS including how to report a vulnerability: https://umbraco.com/products/umbraco-cms/security/
We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.
Don't forget to configure your Umbraco when using HTTPS.
Authentication for backoffice users in Umbraco uses ASP.NET Identity which is a flexible and extendable framework for authentication.
Out of the box Umbraco ships with a custom ASP.NET Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.
The Umbraco ASP.NET Identity implementation can be extended by using the Umbraco Identity Extensions package. This package installs C# files with code snippets showing how to customize the ASP.NET Identity implementation. Customization can include extending Umbraco's UserManager as well as implementing external login providers (OAuth).
The Umbraco backoffice supports external login providers (OAuth) for authenticating your users. This could be any OpenID Connect provider such as Azure Active Directory, Identity Server, Google or Facebook.
External login providers (OAuth) will meet the needs of most users who need to authenticate against external resources, but in some cases you may need only to change how the username and password credentials are checked.
This is typically a legacy approach to validating credentials with external resources, but it is possible.
You are able to check the username and password against your own credentials store by implementing a
If you are using a network-based Active Directory (not Azure Active Directory), we have set up a guide on how to connect the backoffice to Active Directory. It can be done using the
Umbraco version 7.5.0+ comes with a built-in IBackOfficeUserPasswordChecker for Active Directory:
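The custom credential check described above, as an added example that is not part of the Umbraco documentation or the Umbraco code base. It assumes the Umbraco 7.5+ interface shape `IBackOfficeUserPasswordChecker.CheckPasswordAsync(BackOfficeIdentityUser, string)` returning a `BackOfficeUserPasswordCheckerResult`; the external credential store is a constructed in-memory stand-in, and `ExternalStorePasswordChecker`, `CredentialRecord` and the sample user are hypothetical names:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Umbraco.Core.Models.Identity;
using Umbraco.Core.Security;

// Hypothetical password checker that validates backoffice credentials against an
// external store. Unknown users fall back to Umbraco's own check, so the checker
// cannot accidentally lock every user out if the external store is incomplete.
public class ExternalStorePasswordChecker : IBackOfficeUserPasswordChecker
{
    // Constructed stand-in for the external store: username -> salted PBKDF2 hash.
    // A real implementation would query the external system instead of this dictionary.
    private static readonly Dictionary<string, CredentialRecord> Store = BuildSampleStore();

    public Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password)
    {
        if (user == null || string.IsNullOrEmpty(user.UserName) || string.IsNullOrEmpty(password))
        {
            return Task.FromResult(BackOfficeUserPasswordCheckerResult.InvalidCredentials);
        }

        CredentialRecord record;
        if (!Store.TryGetValue(user.UserName, out record))
        {
            // Not managed by the external store: let Umbraco's default checker decide.
            return Task.FromResult(BackOfficeUserPasswordCheckerResult.FallbackToDefaultChecker);
        }

        byte[] candidate = Derive(password, record.Salt);
        bool match = FixedTimeEquals(candidate, record.Hash);

        return Task.FromResult(match
            ? BackOfficeUserPasswordCheckerResult.ValidCredentials
            : BackOfficeUserPasswordCheckerResult.InvalidCredentials);
    }

    // PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) with a per-user salt; iteration count is a constructed value.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
        {
            return kdf.GetBytes(32);
        }
    }

    // Compare the full length regardless of where the first mismatch is, so timing
    // does not reveal how many leading bytes of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static Dictionary<string, CredentialRecord> BuildSampleStore()
    {
        // Constructed sample user with a freshly generated random salt.
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);

        return new Dictionary<string, CredentialRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "editor@example.com", new CredentialRecord(salt, Derive("correct horse battery staple", salt)) }
        };
    }

    private sealed class CredentialRecord
    {
        public CredentialRecord(byte[] salt, byte[] hash) { Salt = salt; Hash = hash; }
        public byte[] Salt { get; private set; }
        public byte[] Hash { get; private set; }
    }
}
```

The checker is wired into the backoffice user manager from a custom OWIN startup class, as described in the Umbraco Identity Extensions package; that registration code is not shown here. Returning `FallbackToDefaultChecker` rather than `InvalidCredentials` for users the external store does not know is the design choice worth noting: it keeps local-only accounts working, while the fixed-time comparison keeps the external check from leaking partial-match information.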
Sensitive data on members (Available from Umbraco version 7.9.0)
Marking fields as sensitive will hide the data in those fields for backoffice users that have no business viewing personal data of members.
If you've upgraded from a version before 7.9.0, none of the backoffice users will have access to sensitive data by default.
How to configure Umbraco to run on a FIPS compliant server.
Some security settings that can be used in Umbraco.
Introduction of Custom OAuth providers (Available from Umbraco version 7.3.1)
Starting with Umbraco 7.3.1, Umbraco uses ASP.NET Identity for authentication of backoffice users. ASP.NET Identity is a flexible and extensible framework for authentication.
Out of the box Umbraco ships with an ASP.NET Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.
For more information on connecting other OAuth providers, look at the Identity Extensions package.