Security Checklist
Introduction
Goal
Reach the highest possible security level in your Bloomreach Experience Manager-based solution.
Background
At BloomReach, we take security very seriously. Our products follow the strictest security standards and as such, they have built-in protection against known methods of attack. When implementing a Bloomreach Experience Manager-based solution, any configuration and code specific to the solution should meet the same strict security requirements. This checklist is provided to help you verify that your Bloomreach Experience Manager-based solution reaches the highest possible security level by following best practices for preventing the 10 most common attack methods as identified by the OWASP Top 10.
Please be aware that the list below is an aid and is not to be considered exhaustive. Some of the items in the OWASP Top 10 are covered at Bloomreach Experience Manager platform level (marked [✓]), others are up to the individual implementation and should be verified (marked [ ! ]). As a general practice, BloomReach advises performing a security audit on all implemented solutions prior to going live.
If you discover a potentially harmful security issue in a BloomReach product, please do not create a JIRA issue but follow our Security Issues Procedure.
OWASP Top 10
https://www.owasp.org/index.php/Top_10_2013-Top_10
A1 - Injection
Authoring
- [✓] Bloomreach Experience Manager has built-in CRLF injection prevention at application level.
- [✓] Bloomreach Experience Manager uses HTML cleaning to filter malicious code from HTML rich text content entered through the CMS.
Delivery
- [ ! ] Verify that all your templates only render filtered/encoded user input (including CMS content) to prevent injection.
- [ ! ] Verify that all user-submitted search parameters are sanitized before using them to query the repository.
- [ ! ] Verify that the application container you run Bloomreach Experience Manager in prevents CRLF injection. The default container, Tomcat 8, has built-in CRLF injection prevention.
A2 - Broken Authentication and Session Management
Authoring
- [ ! ] Verify that your application container is properly protected against session fixation. In the default container, Tomcat, verify that the session tracking mode is set to COOKIE.
- [ ! ] Disable login form auto-completion (optional).
Delivery
- [ ! ] In case of user authentication, verify that your delivery tier implementation uses the provided, properly configured authentication mechanisms.
- [ ! ] When using the Relevance Module, verify that the visitor cookie is configured to include the HttpOnly flag (Bloomreach Experience Manager 12.0.1 and newer).
A3 - Cross-Site Scripting (XSS)
Authoring
- [✓] Bloomreach Experience Manager has built-in protection against Cross-Site Scripting (XSS).
Delivery
- [ ! ] Verify that your site web application's web.xml has the XSSUrlFilter configured first in the execution chain.
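The two web.xml checks above (session tracking restricted to COOKIE under A2, and the XSSUrlFilter mapped first under A3) are easy to get wrong because servlet containers apply filters in `<filter-mapping>` order, not `<filter>` declaration order. The following script is an added example, not part of Bloomreach Experience Manager or its tooling: it parses a site webapp's web.xml and reports both problems. The two embedded web.xml documents are constructed for the demonstration, the filter class names in them are assumptions, and the audit only matches on the simple class name `XSSUrlFilter`.

```python
"""Static audit of a site webapp's web.xml for two checklist items:
A2 (session tracking restricted to COOKIE) and A3 (XSSUrlFilter mapped first).
Added example; it is not part of Bloomreach Experience Manager's own tooling."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from a real project). The filter class names
# are assumptions. This version has two deliberate mistakes for the audit to report:
# HstFilter is mapped before XSSUrlFilter, and URL session tracking is still enabled.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>HstFilter</filter-name>
    <filter-class>org.hippoecm.hst.container.HstFilter</filter-class>
  </filter>
  <filter>
    <filter-name>XSSUrlFilter</filter-name>
    <filter-class>org.hippoecm.hst.security.servlet.XSSUrlFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>HstFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>XSSUrlFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""

# The corrected form: XSSUrlFilter mapped before HstFilter, URL tracking removed,
# and the session cookie itself marked HttpOnly and Secure.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>XSSUrlFilter</filter-name>
    <filter-class>org.hippoecm.hst.security.servlet.XSSUrlFilter</filter-class>
  </filter>
  <filter>
    <filter-name>HstFilter</filter-name>
    <filter-class>org.hippoecm.hst.container.HstFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XSSUrlFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>HstFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def _strip_namespaces(root):
    """Drop the XML namespace from every tag so paths can use plain names."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def audit_web_xml(xml_text):
    """Return a list of (item, message) findings; an empty list means both checks pass."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    # A2: with URL tracking enabled the container accepts ;jsessionid=... in the
    # request path, the classic vehicle for session fixation. Require COOKIE only.
    modes = [m.text.strip() for m in root.findall("./session-config/tracking-mode") if m.text]
    if modes != ["COOKIE"]:
        findings.append(("A2", f"session tracking modes {modes or 'not set'}; expected exactly ['COOKIE']"))

    # A3: filters run in <filter-mapping> order, so the first mapping decides
    # whether XSSUrlFilter sees a request before anything else does.
    classes = {f.findtext("filter-name", "").strip(): f.findtext("filter-class", "").strip()
               for f in root.findall("./filter")}
    mappings = root.findall("./filter-mapping")
    if not mappings:
        findings.append(("A3", "no <filter-mapping> elements; XSSUrlFilter is not applied"))
    else:
        first = mappings[0].findtext("filter-name", "").strip()
        pattern = mappings[0].findtext("url-pattern", "").strip()
        if not classes.get(first, "").endswith("XSSUrlFilter"):
            findings.append(("A3", f"first filter-mapping is {first!r}, not the XSSUrlFilter"))
        elif pattern != "/*":
            findings.append(("A3", f"XSSUrlFilter is mapped to {pattern!r}; expected '/*'"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for item, msg in audit_web_xml(doc) or [("OK", "no findings")]:
            print(f"{label}: {item}: {msg}")
```

Run it against `site/src/main/webapp/WEB-INF/web.xml` (or wherever your site webapp keeps it) by reading the file into `audit_web_xml`. The `cookie-config` block in the hardened sample covers the container's session cookie only; the Relevance Module visitor cookie mentioned under A2 is set by the module itself and has to be checked in its own configuration.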
A4 - Insecure Direct Object References
Authoring
- [✓] Bloomreach Experience Manager requires both authentication and authorization to access any content objects.
Delivery
- [ ! ] Verify that your delivery tier implementation never exposes JCR identifiers (UUIDs) in URLs or otherwise.
A5 - Security Misconfiguration
Authoring
- [ ! ] Verify that password validation and expiration are properly configured.
- [ ! ] Verify that adequate users and groups are created and that they have been granted proper permissions.
- [ ! ] Verify that default users (author, editor, admin) have been deleted or have their passwords changed.
- [ ! ] Verify that audit logging is enabled.
- [ ! ] Verify that access to the Console is restricted to users with administrator privileges.
- [ ! ] Enable two-factor authentication (optional).
- [ ! ] Enable LDAP authentication (optional).
- [ ! ] Enable SSO integration (optional).
Delivery
- [ ! ] Verify that the delivery tier users are correctly configured and assigned the proper privileges.
A6 - Sensitive Data Exposure
Authoring
- [ ! ] Add the Embargo Plugin (optional).
Delivery
- [ ! ] Verify that the HST allowlist does not list any web files that should not be publicly accessible (e.g. Freemarker templates).
- [ ! ] Verify that HTTPS is used for all authenticated pages.
- [ ! ] Verify that your implementation complies with all applicable privacy and data protection laws and that all personal user data is encrypted.
A7 - Missing Function Level Access Control
Authoring
- [✓] Bloomreach Experience Manager provides publication workflow out-of-the-box.
Delivery
- [ ! ] Verify that all write operations in your delivery tier implementation are done through a Persistable Session obtained from the API, ensuring the proper credentials and privileges.
- [ ! ] Verify that all workflow operations in your delivery tier are done through the ContentNodeBinder interface and the WorkflowPersistenceManager service.
A8 - Cross-Site Request Forgery (CSRF)
Authoring
- [✓] Bloomreach Experience Manager prevents CSRF by checking the consistency of the Origin HTTP header for all requests.
Delivery
- [ ! ] Verify that all state-changing links and forms include adequate CSRF protection.
A9 - Using Components with Known Vulnerabilities
Authoring and Delivery
- [ ! ] Verify that your Maven project uses the centrally managed and tested Bloomreach Experience Manager Release POM as parent.
- [ ! ] Verify that your project uses the latest available Bloomreach Experience Manager release.
- [ ! ] Verify that all Maven dependencies in your project are up-to-date and do not include any components with known vulnerabilities.
- [ ! ] Verify that all Javascript libraries used in your project are up-to-date and do not include any components with known vulnerabilities.
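The release POM only protects you while the project actually inherits from it and does not pin its own versions for the artifacts it manages; a stray `<version>` on a Bloomreach dependency (or under `<dependencyManagement>`) quietly replaces the tested version. The script below is an added example, not Bloomreach's own tooling: it reads a pom.xml and reports a missing or wrong parent, Bloomreach-group dependencies that override the managed version, and third-party dependencies whose version the project chooses itself and which therefore need their own vulnerability scanning. The release POM coordinates and the managed group prefixes are assumptions to confirm against your own project's parent, and the sample pom.xml with its artifact names and version numbers is constructed for the demonstration.

```python
"""Audit a project pom.xml for A9: the project must inherit the centrally managed
release POM and must not silently override the versions it manages.
Added example; not part of Bloomreach Experience Manager's own tooling."""
import xml.etree.ElementTree as ET

# Assumed coordinates of the release POM; confirm against your own project's parent.
RELEASE_POM = ("org.onehippo.cms7", "hippo-cms7-release")
# Group prefixes whose versions the release POM is assumed to manage.
MANAGED_GROUP_PREFIXES = ("org.onehippo", "com.onehippo", "com.bloomreach")

# Constructed sample pom.xml; the dependency versions below are made up for the demo.
# hippo-repository-api pins a version (an override), commons-io is project-managed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.onehippo.cms7</groupId>
    <artifactId>hippo-cms7-release</artifactId>
    <version>14.7.0</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>mysite</artifactId>
  <version>1.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.onehippo.cms7.hst</groupId>
      <artifactId>hst-api</artifactId>
    </dependency>
    <dependency>
      <groupId>org.onehippo.cms7</groupId>
      <artifactId>hippo-repository-api</artifactId>
      <version>13.4.0</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>"""


def _strip_namespaces(root):
    """Drop the Maven XML namespace so element paths can use plain names."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def audit_pom(xml_text):
    """Return (kind, message) findings; kinds: no-parent, wrong-parent, override, unmanaged."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    parent = root.find("parent")
    if parent is None:
        findings.append(("no-parent", "project has no <parent>; the release POM is not inherited"))
    else:
        coords = (parent.findtext("groupId", "").strip(), parent.findtext("artifactId", "").strip())
        if coords != RELEASE_POM:
            findings.append(("wrong-parent",
                             f"parent is {coords[0]}:{coords[1]}, expected {':'.join(RELEASE_POM)}"))

    # Walk every <dependency>, including those under <dependencyManagement>: an
    # explicit <version> there overrides the release POM just as effectively. A
    # version given as a ${property} is still an override and is flagged too.
    for dep in root.iter("dependency"):
        group = dep.findtext("groupId", "").strip()
        artifact = dep.findtext("artifactId", "").strip()
        version = dep.findtext("version")
        if version is None:
            continue  # version inherited from the release POM: the desired state
        version = version.strip()
        if group.startswith(MANAGED_GROUP_PREFIXES):
            findings.append(("override",
                             f"{group}:{artifact} pins {version}, overriding the tested release version"))
        else:
            findings.append(("unmanaged",
                             f"{group}:{artifact} {version} is chosen by the project; keep it in scope of your vulnerability scanner"))
    return findings


if __name__ == "__main__":
    for kind, msg in audit_pom(SAMPLE_POM):
        print(f"{kind}: {msg}")
```

Run it over every pom.xml in the project (the root, `cms`, `site` and any other modules), since a module POM can override a version even when the root POM is clean. The "unmanaged" findings are not errors by themselves; they are the list of artifacts whose currency you, rather than the release POM, are responsible for, so feed them to a dependency vulnerability scanner as part of the checks above.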
A10 - Unvalidated Redirects and Forwards
Authoring
- [ ! ] Verify that only trusted users have sufficient privileges to create, modify or publish URL rewrite rules if the URL Rewriter Plugin is installed.
Delivery
- [ ! ] Verify that no components in your implementation perform any redirects or forwards to a destination based on unverified user-submitted parameters.
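Where a component must redirect to a user-supplied destination (a "return to" parameter after login, for example), the check has to reject more than just foreign hostnames: protocol-relative `//evil.example`, backslashes that browsers normalise to slashes, `javascript:` and other schemes, userinfo tricks such as `https://trusted.example@evil.example`, and control characters that would split the Location header. The validator below is an added example, not code from Bloomreach Experience Manager, written in Python rather than the delivery tier's Java so that it runs stand-alone; the allowed-host set and the sample targets are constructed for the demonstration, and the function name is this example's own.

```python
"""Open-redirect validation: accept only same-site paths or absolute http(s) URLs
whose host is on an explicit allowlist. Added example, not Bloomreach's own code."""
from urllib.parse import urlsplit


def is_safe_redirect_target(target, allowed_hosts):
    """Return True only if `target` may be used as a redirect/forward destination."""
    if not target:
        return False
    # Control characters and whitespace: header injection (CR/LF) and parser confusion.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat a backslash like a slash, so "/\evil.example" becomes "//evil.example".
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. unbalanced IPv6 brackets in the authority
        return False
    scheme = parts.scheme.lower()
    if scheme not in ("", "http", "https"):
        return False            # javascript:, data:, file:, custom app schemes, ...
    if parts.netloc:
        if scheme == "":
            return False        # protocol-relative "//evil.example/..."
        if "@" in parts.netloc:
            return False        # userinfo trick: https://trusted.example@evil.example
        host = parts.hostname or ""   # lower-cased, port stripped by urlsplit
        return host in {h.lower() for h in allowed_hosts}
    if scheme:
        return False            # "https:evil.example": scheme without authority is ambiguous
    # A bare path: require a single leading slash so it stays on this origin.
    return target.startswith("/")


def safe_redirect(target, allowed_hosts, fallback="/"):
    """Return `target` if it passes validation, otherwise the fixed fallback location."""
    return target if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample inputs; none of these hosts is real.
    allowed = {"www.example.com", "shop.example.com"}
    for candidate in ("/search?q=brxm", "https://www.example.com/account",
                      "//evil.example/", "https://www.example.com@evil.example/",
                      "javascript:alert(1)", "/\\evil.example", "https:evil.example",
                      "/login\r\nSet-Cookie: x=y", "page"):
        print(f"{candidate!r:45} -> {safe_redirect(candidate, allowed)!r}")
```

The rule is deliberately strict: a relative path must start with exactly one slash, and an absolute URL must name an allowlisted host over http or https. If your site legitimately redirects to other hosts, add them to the allowlist rather than loosening the parser, and keep the fallback a fixed, safe location so that rejected input never leaks back into the Location header.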