Security Checklist
Introduction
Goal
Reach the highest possible security level in your Bloomreach Experience Manager-based solution.
Background
At Hippo, we take security very seriously. Our products follow the strictest security standards and as such, they have built-in protection against known methods of attack. When implementing a Hippo-based solution any configuration and code specific to the solution should meet the same strict security requirements. This checklist is provided to help you verify that your Hippo-based solution reaches the highest possible security level by following best practices for preventing the 10 most common attack methods as identified by the OWASP Top 10.
Please be aware that the list below is an aid and is not to be considered exhaustive. Some of the items in the OWASP Top 10 are covered at Hippo platform level (marked [✓]), others are up to the individual implementation and should be verified (marked [ ! ]). As a general practice, Hippo advises performing a security audit on all implemented solutions prior to going live.
If you discover a potentially harmful security issue in a Hippo product please do not create a JIRA issue but follow our Security Issues Procedure.
OWASP Top 10
https://www.owasp.org/index.php/Top_10_2013-Top_10
A1 - Injection
Authoring
- [✓] Bloomreach Experience Manager has built-in CRLF Injection prevention at application level.
- [✓] Bloomreach Experience Manager uses a HTML cleaning to filter malicious code from HTML rich text content entered through the CMS.
Delivery
- [ ! ] Verify that all your templates only render filtered/encoded user input (including CMS content) to prevent injection.
- [ ! ] Verify that all user-submitted search parameters are sanatized before using them to query the repository.
- [ ! ] Verify that the application container you are using to run Hippo in prevents CRLF injection. Hippo's default container Tomcat 8 has built-in CRLF injection prevention.
A2 - Broken Authentication and Session Management
Authoring
- [ ! ] Verify that your application container is properly protected against Session Fixation. In the default container Tomcat verify that the session tracking mode is set to COOKIE.
- [ ! ] Disable login form auto-completion (optional).
Delivery
- [ ! ] In case of user authentication verify that your delivery tier implementation uses provided, properly configured authentication mechanisms.
- [ ! ] When using the Relevance Module, verify that the visitor cookie is configured to include the HttpOnly flag (Bloomreach Experience Manager 12.0.1 and newer).
A3 - Cross-Site Scripting (XSS)
Authoring
- [✓] Bloomreach Experience Manager has built-in protection against Cross-Site Scripting (XSS).
Delivery
- [ ! ] Verify that your site web application's web.xml has the XSSUrlFilter configured first in the execution chain.
A4 - Insecure Direct Object References
Authoring
- [✓] Bloomreach Experience Manager requires both authentication and authorization to access any content objects.
Delivery
- [ ! ] Verify that your delivery tier implementation never exposes JCR identifiers (UUIDs) in URLs or otherwise.
A5 - Security Misconfiguration
Authoring
- [ ! ] Verify that password validation and expiration are properly configured.
- [ ! ] Verify that adequate users and groups are created and that they have been granted proper permissions.
- [ ! ] Verify that default users (author, editor, admin) have been deleted or have their passwords changed.
- [ ! ] Verify that audit logging is enabled.
- [ ! ] Verify that access to the Console is restricted to users with administrator privileges.
- [ ! ] Enable CAPTCHA (optional).
- [ ! ] Enable two-factor authentication (optional).
- [ ! ] Enable LDAP authentication (optional).
- [ ! ] Enable SSO integration (optional).
Delivery
- [ ! ] Verify that the delivery tier users are correctly configured and assigned the proper privileges.
A6 - Sensitive Data Exposure
Authoring
- [ ! ] Add the Embargo Plugin (optional).
Delivery
- [ ! ] Verify that the HST allowlist does not list any web files that should not be publicly accessible (e.g. Freemarker templates).
- [ ! ] Verify that HTTPS is used for all authenticated pages.
- [ ! ] Verify that your implementation complies with all applicable privacy and data protection laws and that all personal user data is encrypted.
A7 - Missing Function Level Access Control
Authoring
- [✓] Bloomreach Experience Manager provides publication workflow out-of-the-box.
Delivery
- [ ! ] Verify that all write operations in your delivery tier implementation are done through a Persistable Session obtained from the API, ensuring the proper credentials and privileges.
- [ ! ] Verify that all workflow operation in your delivery tier are done through the ContentNodeBinder interface and WorkflowPersistanceManager service.
A8 - Cross-Site Request Forgery (CSRF)
Authoring
- [✓] Bloomreach Experience Manager prevents CSRF by checking the consistency of the Origin HTTP header for all requests.
Delivery
- [ ! ] Verify that all state-changing links and forms include adequate CSRF protection.
A9 - Using Components with Known Vulnerabilities
Authoring and Delivery
- [ ! ] Verify that your Maven project uses the centrally managed and tested Bloomreach Experience Manager Release POM as parent.
- [ ! ] Verify that your project uses the latest available Bloomreach Experience Manager release.
- [ ! ] Verify that all Maven dependencies in your project are up-to-date and do not include any components with known vulnerabilities.
- [ ! ] Verify that all Javascript libraries used in your project are up-to-date and do not include any components with known vulnerabilities.
A10 - Unvalidated Redirects and Forwards
Authoring
- [ ! ] Verify that only trusted users have sufficient privileges to create, modify or publish URL rewrite rules if the URL Rewriter Plugin is installed.
Delivery
- [ ! ] Verify that no components in your implementation perform any redirects or forwards to a destination based on unverified user-submitted parameters.