This section includes information on Umbraco security, its various security options and configuring how authentication & authorization works in Umbraco

    Umbraco Security overview

    We have a dedicated security page on our main site which provides most of the details you may need to know about security within the Umbraco CMS including how to report a vulnerability:


    We highly encourage the use of HTTPS on Umbraco websites especially in production environments. By using HTTPS you greatly improve the security of your website.

    Don't forget to configure your Umbraco when using HTTPS.

    Backoffice users

    Authentication for backoffice users in Umbraco uses ASP.NET Identity which is a very flexible and extensible framework for authentication.

    Out of the box Umbraco ships with a custom ASP.NET Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers but in some cases the authentication process needs to be customized. ASP.NET Identity can be extended by using custom OAuth providers which is helpful if you want your users to authenticate with a custom OAuth provider like Azure Active Directory, or even Google accounts. ASP.NET identity is also flexible enough for you to override/replace any part of the process of authentication.

    Custom OAuth providers

    The Umbraco backoffice supports custom OAuth providers for performing authentication of your users. For example: Any OpenIDConnect provider such as Azure Active Directory or Identity Server, Google, Facebook, Microsoft Account, etc...

    To install and configure a custom OAuth provider you should use the Identity Extensions package:

    The installation of these packages will install snippets of code with readme files on how to get up and running. Depending on the provider you've configured and its caption/color, the end result will look similar to:

    OAuth login screen

    Auto-linking accounts for custom OAuth providers

    Traditionally a backoffice user will need to exist first and then that user can link their user account to an OAuth account in the backoffice. In many cases however, the identity server you choose will be the source of truth for all of your users.

    In this case you would want to be able to create user accounts in your identity server and then have that user given access to the backoffice without having to create the user in the backoffice first. This is done via auto-linking.

    Read more about auto linking

    Custom password check

    You are able check the username and password against your own credentials store by implementing a new IBackOfficeUserPasswordChecker.

    Authenticating with Active Directory credentials

    You want to connect the backoffice to Active Directory? Should be pretty straight forward with the ActiveDirectoryBackOfficeUserPasswordChecker.

    Sensitive data on members

    Marking fields as sensitive will hide the data in those fields for backoffice users that have no business viewing personal data of members.

    Setup Umbraco for a FIPS Compliant Server

    How to configure Umbraco to run on a FIPS compliant server.

    Security settings

    Some security settings that can be used in Umbraco.