Security

Overview

In Sitefinity SaaS, the application's security is treated with the highest priority. Mechanisms for securing your project are available at both the application and the infrastructure level.

Application security

Sitefinity has an out-of-the-box Web security module that you use to configure HTTP security headers, redirect validation, and referrer validation, and so protect your Sitefinity sites against common web attacks.

The module helps you prevent several types of attacks: cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines security headers that all modern browsers understand and use to protect user and site data. Additionally, the built-in redirect and referrer validation mechanisms add protection against Open Redirect and Cross-site Request Forgery (CSRF) attacks.

For more information, see Web security module.
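As an added illustration (example code, not part of the Sitefinity documentation or of the Web security module itself), the following Python script performs defender-side versions of the three checks described above: it audits a captured response's HTTP security headers against a set of commonly expected protections, validates a redirect target against an allow-list of hosts to block open redirects, and checks the Referer of a state-changing request. The header set, the allow-listed host names and the sample responses are assumptions constructed for the example, not the module's configuration.

```python
"""Added example, not code from the Sitefinity documentation: defender-side checks for
the protections a web security module is expected to apply. The header list, the
allow-listed hosts and the sample responses are constructed for this example."""
from urllib.parse import urlsplit

# Security response headers and the attack class each one mitigates (assumed set, not the
# module's own list). Each entry carries a minimal sanity test on the header value.
REQUIRED_HEADERS = {
    "content-security-policy": (
        "Cross-site scripting / code injection",
        lambda v: "default-src" in v or "script-src" in v),
    "x-frame-options": (
        "Clickjacking",
        lambda v: v.upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": (
        "Content sniffing",
        lambda v: v.lower() == "nosniff"),
    "strict-transport-security": (
        "Man-in-the-middle via protocol downgrade",
        lambda v: "max-age=" in v.lower()),
    "referrer-policy": (
        "Referrer leakage",
        lambda v: v.lower() not in ("", "unsafe-url")),
}


def audit_headers(headers):
    """Return (header, attack) pairs for protections that are missing or misconfigured.
    `headers` is a plain dict as any HTTP client returns; matching is case-insensitive."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return [(name, attack) for name, (attack, ok) in REQUIRED_HEADERS.items()
            if name not in lowered or not ok(lowered[name])]


def is_safe_redirect(target, allowed_hosts):
    """Open-redirect guard: accept root-relative paths or absolute http(s) URLs whose host
    is allow-listed. Scheme-relative targets ('//other.example') and backslashes, which
    some browsers normalise to slashes, are rejected outright."""
    if not target or "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:          # relative URL
        return target.startswith("/")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def referrer_allowed(referer, own_host):
    """Referrer validation for state-changing requests (CSRF defence): the Referer header
    must name our own host. A missing header is treated as a failure here."""
    return bool(referer) and urlsplit(referer).hostname == own_host


# Constructed sample responses: one carrying the expected headers, one without them.
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=utf-8",
}
WEAK_RESPONSE = {"X-Frame-Options": "ALLOWALL", "Content-Type": "text/html"}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        for header, attack in audit_headers(response):
            print(f"{label}: {header} missing or weak ({attack})")
    for url in ("/account/login", "//other.example/", "https://www.example.com/home"):
        verdict = "allowed" if is_safe_redirect(url, {"www.example.com"}) else "blocked"
        print(url, "->", verdict)
```

The redirect guard is deliberately strict: anything that is not a root-relative path or an absolute URL on an allow-listed host is refused, so a missing scheme, a `javascript:` URL or a user-info trick (`https://www.example.com@other.example/`) all end up blocked.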

Infrastructure security

Sitefinity SaaS adds an extra layer of infrastructure security to complement the out-of-the-box security capabilities provided at the application level. This extra layer is implemented using Cloudflare and Microsoft Azure services and components.

The infrastructure security features and their descriptions are listed below.

Multi-tenancy

Sitefinity SaaS architecture provides a multi-tenant setup where customers share some of the underlying infrastructure resources. Progress utilizes strong tenant isolation security and control capabilities to maintain segregation. Different services and components for each customer subscription (project) are logically isolated using network policies. For more information, see Architecture.

Access control

Access control policies are implemented for each type of resource used. For more details, see the Azure connectivity section below. Customers do not have access to any of the Azure services, except for read access to Application Insights.

User account protection

All Sitefinity SaaS user accounts are protected with Microsoft Entra ID (formerly, Azure AD) Multi-factor Authentication.

Azure Defender cloud workload protection

Azure Defender for Cloud is an integrated cloud workload protection platform (CWPP) that provides advanced and intelligent protection of Azure resources and workloads. It is enabled by default for all Sitefinity SaaS customers and provides security alerts and advanced threat protection for all the Azure infrastructure components used by the Sitefinity SaaS platform.

Distributed denial of service (DDoS)

Such attacks represent one of the biggest security concerns for customers and vendors alike. A DDoS attack targets an application's resources, making the application unavailable to legitimate users. Sitefinity SaaS takes advantage of the DDoS protection that is automatically enabled for the entire Azure platform: always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft's online services.
The Cloudflare WAF is the entry point for all application traffic and provides additional DDoS protection (see the Cloudflare connectivity section below).

Network traffic filtering

Network security rules control traffic to and from the Azure resources that make up the Sitefinity SaaS setup for a given project (tenant).

Encryption at rest

Website file content, database backups, and system logs are stored in Azure Storage, which automatically encrypts the content at rest.

Database backups and point-in-time restore

The Azure SQL Database service protects all databases with an automated backup system. These backups are retained for 35 days by default. Point-in-time restore allows a database to be restored from these backups to any minute within the retention period. A database restore is performed only after an explicit request from the customer.

Transparent data encryption for databases

Encrypts your databases, backups, and logs at rest, without any changes to your application.

Advanced Data Security (SQL Servers)

Includes Data Discovery & Classification, Vulnerability Assessment, and Advanced Threat Protection.

SQL database auditing

Helps to maintain regulatory compliance and to gather insights into any database discrepancies and anomalies.

Cloudflare connectivity

In Sitefinity SaaS, Cloudflare is the entry point for all the client requests to the customer’s web applications. The following security checks are performed before the request is passed to the Azure Kubernetes Service (AKS) origin servers:

Connectivity

  • HTTPS only
    HTTP traffic is redirected to HTTPS.
  • SSL certificate for every hostname
    Provided by the customer or managed by Sitefinity SaaS
  • Minimum TLS version – 1.2
  • Bot traffic inspection

Firewall whitelisting

Access to any environment can be restricted based on an IP whitelist provided by the customer.

Web application firewall protection

The Cloudflare web application firewall (WAF) keeps applications and APIs secure and productive, mitigates DDoS attacks, keeps bots at bay, and detects anomalies and malicious payloads, all while monitoring for browser supply chain attacks.

  • DDoS Protection - secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised
  • Layered protections from multiple WAF rulesets - the following rulesets are enabled at the highest sensitivity level:
    • Cloudflare-managed rules
    • OWASP Top 10
  • Updated rules for zero-day protections - continuously updated by Cloudflare's security team for protection against novel attacks and zero-day vulnerabilities before patches or updates are available
  • PCI compliant - Cloudflare possesses Level 1 service provider certification
  • Bot Mitigation - protection against bots with sophisticated layered protections, visibility and challenge options

Azure connectivity

The connectivity and access control details for each Azure element are listed below.

Azure Kubernetes Service (AKS)

Connectivity:
  • Traffic is served through Cloudflare Tunnel

Access control:
Cloudflare Tunnel provides a secure way to connect resources to Cloudflare without a publicly routable IP address. Traffic is not sent to an external IP - instead, a lightweight daemon (Cloudflared) runs in a container in AKS and creates outbound-only connections to Cloudflare's global network. This way, the origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Azure SQL Database

Connectivity:
  • SQL Server always enforces encryption (SSL/TLS) for all connections. This ensures all data is encrypted in transit between the client and server.

Access control:
A Virtual Network rule accepts traffic only from the AKS subnet. Unique SQL login credentials are generated for each client for each database, with predefined database-level roles. This way, each client can only access its own databases, without the risk of compromising other SQL databases in the Azure SQL Server.

Azure Cache for Redis

Connectivity:
  • Listens on port 6380
  • Non-SSL access is disabled
  • Minimum TLS version is 1.2

Access control:
Virtual Network integration with AKS.

Azure Files

Connectivity:
  • HTTPS only
  • Minimum TLS version is 1.2
  • Minimum SMB 3.x protocol

Access control:
  • Virtual Network integration with AKS
  • Each customer has a separate Azure Files service per environment, and connectivity is limited to their own Azure Files only.
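As an added example (not Sitefinity SaaS code), the following Python linter checks client-side connection settings against the transport requirements listed above: the Azure SQL connection string must request encryption and keep server certificate validation on, and the Redis configuration string must target the TLS port 6380 with SSL enabled. The option names are those of ADO.NET SqlClient and StackExchange.Redis, which a .NET application typically uses; the connection strings are constructed samples with placeholder host names and redacted secrets. The minimum TLS version is enforced server-side and has no counterpart in these strings, so it is not checked here.

```python
"""Added example, not Sitefinity SaaS code: lint client connection settings against the
transport requirements in the Azure connectivity table. Option names follow ADO.NET
SqlClient (SQL) and StackExchange.Redis (Redis); host names are placeholders."""


def parse_sql_connection_string(conn_str):
    """Split an ADO.NET 'Key=Value;Key=Value' string into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in conn_str.split(";") if "=" in p)}


def lint_sql(conn_str):
    """Azure SQL enforces TLS on the server, but the client still decides whether it
    validates the server certificate. Encrypt=False asks for a clear-text session (older
    drivers default to it, so require it explicitly), and TrustServerCertificate=True
    skips validation, which removes the man-in-the-middle protection the encryption
    was meant to give."""
    kv = parse_sql_connection_string(conn_str)
    findings = []
    if kv.get("encrypt", "false").lower() not in ("true", "yes", "mandatory", "strict"):
        findings.append("Encrypt is not enabled")
    if kv.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True disables certificate validation")
    return findings


def lint_redis(config_str):
    """StackExchange.Redis configuration string: 'host:port,...,key=value,...'. Every
    endpoint must use the TLS port 6380 and ssl=True must be set; the cache refuses
    non-SSL connections anyway, so this catches the misconfiguration before deployment."""
    endpoints, options = [], {}
    for token in (t.strip() for t in config_str.split(",") if t.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            options[key.strip().lower()] = value.strip()
        else:
            endpoints.append(token)
    findings = []
    for endpoint in endpoints:
        host, sep, port = endpoint.rpartition(":")
        if not sep:
            findings.append(f"{endpoint}: no port given")
        elif port != "6380":
            findings.append(f"{endpoint}: port {port} is not the TLS port 6380")
    if options.get("ssl", "false").lower() != "true":
        findings.append("ssl=True is not set")
    return findings


# Constructed samples with placeholder hosts and redacted secrets.
SQL_OK = ("Server=tcp:placeholder.database.windows.net,1433;Initial Catalog=appdb;"
          "User ID=app_user;Password=REDACTED;Encrypt=True;TrustServerCertificate=False;")
SQL_WEAK = ("Server=tcp:placeholder.database.windows.net,1433;Initial Catalog=appdb;"
            "User ID=app_user;Password=REDACTED;Encrypt=False;TrustServerCertificate=True;")
REDIS_OK = "placeholder.redis.cache.windows.net:6380,password=REDACTED,ssl=True,abortConnect=False"
REDIS_WEAK = "placeholder.redis.cache.windows.net:6379,password=REDACTED,ssl=False"

if __name__ == "__main__":
    checks = (("sql ok", lint_sql(SQL_OK)), ("sql weak", lint_sql(SQL_WEAK)),
              ("redis ok", lint_redis(REDIS_OK)), ("redis weak", lint_redis(REDIS_WEAK)))
    for label, findings in checks:
        print(label, "->", findings or ["no findings"])
```

Running the linter over application settings in a build pipeline turns the table's server-side guarantees into a client-side check: a connection string that would silently skip certificate validation, or a Redis endpoint on the plain-text port, is reported before it reaches an environment.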
