In Sitefinity Cloud, the application's security is treated with the highest priority. Complex mechanisms for securing your project are available at both the application and infrastructure levels.
Sitefinity has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way, you protect your Sitefinity CMS sites against attacks.
There are various types of attacks that you can prevent: cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally, the built-in redirect and referrer validation mechanisms add further protection against open redirect and cross-site request forgery (CSRF) attacks.
For more information, see Web security module.
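The following is an added example, not code from Sitefinity or its Web security module: a small defender-side audit that maps the attack classes named above to the response headers that mitigate them, plus the two validation checks the module is described as providing (a redirect target guard against open redirects and a Referer check against CSRF). Header names and attack mappings are the standard ones; the sample responses, host names and the one-year HSTS threshold are constructed assumptions.

```python
# Added example, not Sitefinity code: a defender-side audit of the protections
# the Web security module is described as configuring. Header names and the
# attack classes they mitigate are the standard ones; the sample responses and
# host names are constructed.
from urllib.parse import urlparse

ONE_YEAR = 31536000  # minimum HSTS max-age most hardening guides require


def _hsts_max_age(value):
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip())
            except ValueError:
                return 0
    return 0


# Header -> (attack class it mitigates, predicate saying the value is strong enough)
EXPECTED_HEADERS = {
    "Content-Security-Policy": ("cross-site scripting / code injection",
                                lambda v: "default-src" in v or "script-src" in v),
    "X-Frame-Options": ("clickjacking",
                        lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "X-Content-Type-Options": ("content sniffing",
                               lambda v: v.strip().lower() == "nosniff"),
    "Strict-Transport-Security": ("man-in-the-middle (downgrade to HTTP)",
                                  lambda v: _hsts_max_age(v) >= ONE_YEAR),
}


def audit_headers(headers):
    """Return {attack_class: reason} for every protection that is missing or weak.
    `headers` is a dict of response headers; names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, (attack, strong) in EXPECTED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings[attack] = f"{name} missing"
        elif not strong(value):
            findings[attack] = f"{name} present but weak: {value!r}"
    return findings


def is_safe_redirect(target, allowed_hosts):
    """Open-redirect guard: accept site-relative paths and absolute http(s) URLs
    whose host is in allowed_hosts; reject everything else."""
    # Browsers normalise backslashes to slashes, so "/\evil" becomes "//evil";
    # protocol-relative "//host" also leaves the site. Reject both outright.
    if "\\" in target or target.startswith("//"):
        return False
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        return target.startswith("/")            # plain site-relative path
    # "javascript:", "data:", other hosts, and user@host tricks all fail here
    return parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts


def referrer_is_same_site(referrer, allowed_hosts):
    """Referrer validation for state-changing requests: the Referer header must
    name one of our own hosts; a missing Referer is rejected."""
    if not referrer:
        return False
    return urlparse(referrer).hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed responses: one with no headers and one hardened.
    hardened = {
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    }
    print(audit_headers({}))        # four findings, one per attack class
    print(audit_headers(hardened))  # {}
    print(is_safe_redirect("//evil.example/x", {"www.example.com"}))  # False
```

The redirect guard deliberately rejects anything that is not either a site-relative path or an absolute URL on an allowlisted host, because pattern-based checks on the string (for example "starts with our domain") are what attackers bypass with `user@host`, protocol-relative and backslash variants. The Referer check is a supplement to, not a replacement for, anti-forgery tokens.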
Sitefinity Cloud adds an extra layer of infrastructure security to complement the out-of-the-box security capabilities provided at the Sitefinity CMS application level. This extra layer of security is implemented using Cloudflare and Microsoft Azure services and components.
Security features
Single-tenancy
Sitefinity Cloud architecture provides a single-tenant setup for each customer, with dedicated infrastructure contained in a separate Azure subscription and Azure Active Directory. This guarantees that your data is contained within your subscription and no resources are shared between subscriptions.
Access to any App service, Storage account, SQL database, or Redis cache service is restricted using a firewall whitelist. Users do not have access to any of the Azure services, except for read access to Application Insights, Blob Storage for database backups, and Azure Cognitive Search.
All Sitefinity Cloud user accounts are protected with Azure AD Multifactor Authentication.
For more information, see How do I setup MFA with Sitefinity Cloud?
Distributed denial of service (DDoS)
Such attacks represent one of the biggest security concerns for customers and vendors alike. A DDoS attack targets an application's resources, making the application unavailable to legitimate users. Sitefinity Cloud takes advantage of the automatically enabled DDoS protection for the entire Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses used by Microsoft's online services. The Cloudflare WAF is the entry point for all application traffic and provides additional DDoS protection (see the Cloudflare connectivity section below).
Network traffic filtering
Network security rules control traffic to and from the Azure resources that make up the Sitefinity Cloud environment.
Local address requests
Connection attempts to local addresses, such as localhost, 127.0.0.1, and the machine's own IP will fail, except when another process in the same sandbox has created a listening socket on the destination port.
Encryption at rest
Website file content, database backups, and system logs are stored in Azure Storage, which automatically encrypts the content at rest. Index data stored in Azure Cognitive Search is also encrypted at rest.
Database backups and point-in-time restore
The Azure SQL database service protects all databases with an automated backup system. These backups are retained for 35 days by default, and the retention period can be extended. Point-in-time restore allows a database to be restored from these backups to any point within the retention period. A database restore is performed only after an explicit request from the customer.
PII obfuscation upon database backup creation
A mechanism is provided for performing on-demand backups of staging and production databases. These backups are meant to be used for development and troubleshooting purposes, and the personally identifiable information (PII) in them is obfuscated.
Transparent data encryption for databases
Encrypts your databases, backups, and logs at rest, without any changes to your application.
Advanced Data Security (SQL Servers)
Includes Data Discovery & Classification, Vulnerability Assessment, and Advanced Threat Protection.
SQL database auditing
Helps to maintain regulatory compliance and to gather insights into any database discrepancies and anomalies.
In Sitefinity Cloud, Cloudflare is the first entry point for all the client requests to the customer’s web applications. The following security checks are performed before the request is passed to the Azure App Services origin servers:
The Cloudflare web application firewall (WAF) keeps applications and APIs secure and productive, prevents DDoS attacks, keeps bots at bay, detects anomalies and malicious payloads, all while monitoring for browser supply chain attacks.
The connection between the Azure resources for each customer goes through the shared networking in Azure, which means that it does not cross any network boundaries and is encrypted.
The following list provides additional details:
SQL Server always enforces encryption (SSL/TLS) for all connections. This ensures that all data is encrypted "in transit" between the client and the server.
IPs of the Azure App Service that connects to that Redis service
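Server-side enforcement of TLS, as described above, is only half of the picture: a client connection string can still disable certificate validation and leave the session open to an on-path attacker. The following added example (not Sitefinity or Azure code) is a small linter for ADO.NET-style SQL Server connection strings. The keyword names `Encrypt` and `TrustServerCertificate` are the SqlClient ones; the sample strings and the `sql.example.invalid` host are constructed placeholders, and treating `Mandatory`/`Strict` as enabled values assumes a client recent enough to understand them.

```python
# Added example, not Sitefinity or Azure code: a linter for ADO.NET-style SQL
# Server connection strings that flags settings which would weaken the
# "in transit" encryption described above. The keyword names (Encrypt,
# TrustServerCertificate) are the SqlClient ones; the sample strings are
# constructed and point at a placeholder host.


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys.
    Values are kept verbatim; quoted values containing ';' are not handled."""
    settings = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        settings[key.strip().lower()] = value.strip()
    return settings


# Encrypt values that turn TLS on. "Mandatory"/"Strict" are the newer SqlClient
# spellings (assumption: the client in use understands them; older ones only
# accept True/Yes).
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}


def check_transit_encryption(conn):
    """Return a list of findings; an empty list means the client will encrypt
    the session and validate the server certificate."""
    settings = parse_connection_string(conn)
    findings = []
    encrypt = settings.get("encrypt", "").lower()
    if encrypt not in ENCRYPT_ON:
        # Older client versions default Encrypt to false, so the keyword must be
        # set explicitly rather than relying on the default.
        findings.append("Encrypt is not explicitly enabled")
    if settings.get("trustservercertificate", "").lower() in ("true", "yes"):
        # TLS without certificate validation still lets an on-path attacker
        # present their own certificate: encryption without authentication.
        findings.append("TrustServerCertificate=True disables certificate validation")
    return findings


# Constructed samples; "sql.example.invalid" is a placeholder, not a real server.
WEAK = ("Server=tcp:sql.example.invalid,1433;Database=app;User ID=app;"
        "Password=secret;Encrypt=False;TrustServerCertificate=True;")
HARDENED = ("Server=tcp:sql.example.invalid,1433;Database=app;User ID=app;"
            "Password=secret;Encrypt=True;TrustServerCertificate=False;")

if __name__ == "__main__":
    print(check_transit_encryption(WEAK))      # two findings
    print(check_transit_encryption(HARDENED))  # []
```

A check like this fits naturally into a deployment pipeline or a configuration review, where a connection string that was relaxed during local troubleshooting (for example `TrustServerCertificate=True` to get past a self-signed certificate) would otherwise travel into staging or production unnoticed.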