Tighten Your CMS Security

A small investment early in the deployment phase can go a long way to creating a secure environment.

Fine tuning permissions

Every CMS allows administrators to set permissions for different users or groups and, for the sake of better security, one should check that editors can only do what they are supposed to do. It's not a matter of lack of trust: even if we are sure that editors won't do anything wrong, we may not be so sure about the strength of their own security measures. A malicious attacker can break in, take control of an editor's account and use that editor's privileges; that's why it is essential that the editor has no access to potentially harmful features that are not relevant to their everyday work. A typical case in point: someone who works solely on content should not be able to inject any JavaScript code into a page.

Scrivito manages permissions in a very powerful and sophisticated way; you can refine the privileges individual users have regarding working copies, even prevent particular pages from being published by specific editors. Setting this up is not one of the easiest tasks, but this is an acceptable trade-off for improving security policies, while leaving the editors all the privileges they need to use a product like Scrivito at its best.

Content Security Policy against XSS Attacks

So-called cyber attacks can be very sophisticated, and setting a permission policy may not be enough to stop a break-in attempt through Cross-Site Scripting (XSS). The attacker can hide malicious code in several places inside the page: from the obvious script tag to an innocent-looking HTML comment. Tag and attribute names are places where you should never put untrusted input. Since the malicious code is stored on the same server as the page itself, the browser has no means of identifying it as dangerous; typically, the code targets a user with higher privileges in order to execute more harmful commands. Once the hacker's code is safely stored on the same server (thereby bypassing the same-origin policy), it has almost free rein to operate unnoticed.

The defence against these attacks is to implement a Content Security Policy (CSP) instead of blindly trusting everything that a server delivers. CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content and instructs the browser to only execute or render resources from those sources. Even if an attacker can find a hole through which to inject a script, the script won’t match the whitelist, and therefore won’t be executed.

In addition to restricting the domains from which content can be loaded, the server can restrict the protocols that may be used; for example, it can specify that all content must be transmitted over HTTPS.
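As an added example (not code from the original post or from Scrivito), here is a Ruby sketch of a nonce-based policy of the kind described above, together with a simplified model of how the browser decides, under the script-src directive, whether a script may run; build_csp and script_allowed? are hypothetical helpers, and cdn.example.com is a constructed placeholder host.

```ruby
require 'securerandom'
require 'uri'

# Hypothetical helper (not Scrivito code): build a Content-Security-Policy
# header value. Only scripts from the page's own origin, the named CDN, or
# inline scripts carrying this request's nonce may run; everything else,
# including a <script> an attacker injects into stored content, is blocked.
def build_csp(nonce, cdn: 'https://cdn.example.com')
  [
    "default-src 'self'",
    "script-src 'self' #{cdn} 'nonce-#{nonce}'",
    "object-src 'none'",
    "base-uri 'self'",
    'upgrade-insecure-requests' # force HTTPS for every resource
  ].join('; ')
end

# Simplified model of the browser's script-src decision. src is the script
# URL (nil for an inline script); nonce is the script tag's nonce attribute.
# Source expressions are expected as full origins (scheme://host[:port]).
def script_allowed?(csp, page_origin, src: nil, nonce: nil)
  directives = csp.split(';').map { |d| d.strip.split(' ') }
  sources = directives.find { |d| d[0] == 'script-src' }&.drop(1)
  sources ||= directives.find { |d| d[0] == 'default-src' }&.drop(1) || []
  if src.nil?
    # Inline script: needs 'unsafe-inline' (which we do not grant) or a
    # matching nonce. Injected markup cannot guess the per-request nonce.
    return true if sources.include?("'unsafe-inline'")
    return !nonce.nil? && sources.include?("'nonce-#{nonce}'")
  end
  uri    = URI(src)
  port   = uri.port == uri.default_port ? '' : ":#{uri.port}"
  origin = "#{uri.scheme}://#{uri.host}#{port}"
  return true if sources.include?("'self'") && origin == page_origin
  sources.include?(origin)
end

# A fresh nonce must be generated for every response, never reused.
nonce = SecureRandom.base64(16)
puts build_csp(nonce)
```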


A Couple of Pieces of Wisdom

CMSs are complex systems that manage a large quantity of data and must give users a high degree of editing freedom; their relatively open architecture makes them an interesting target for hackers. Proprietary products are generally considered more secure than open-source ones, where hackers can inspect the public code and easily search for vulnerabilities, but that does not mean that a proprietary CMS has no vulnerabilities and that you can let your guard down. Following these simple but effective rules can help to improve the security of your data.

Update your CMS regularly

Regular maintenance of any CMS is mandatory to keep security at a high level. Most administrators are reluctant to implement updates and patches, because they fear that some plugins they're using may stop working, so they wait for other users' feedback. But this delay plays into the hackers' hands, since they can exploit the holes that have not yet been patched while people stand by waiting to install an update.

One good point in choosing a cloud-hosted CMS is that you don't have to care about updates; they are applied automatically. Scrivito is a SaaS product: you as a customer don't update the CMS. This is our responsibility and we take it very seriously. Nonetheless, you should keep the application connecting to the CMS up to date. We regularly provide new versions of the Scrivito SDK, which not only contain new features but also security updates.

You should also regularly update any software installed on the servers hosting your application, as well as the server software itself. This is what we do for you if you decide on a hosting package with us.

Be careful with plugins

Most CMSs use plugins to extend their possibilities far beyond what the core offers. Despite the clear advantages this modular approach offers, plugins should be used sparingly since they are the main source of security flaws. Often they are created by a very small team, if not by a single programmer, without enough resources to evaluate security properly.

Be careful with Ruby gems as well

What we’ve said above about plugins also applies to Scrivito gems. The Ruby gems are a wonderful way to extend Scrivito’s possibilities and your applications, but they obligate you to apply patches and updates as frequently as possible. Good practice is to check how seriously they are maintained, when the last release was, and if the maintainers promptly react to issues.

And, finally, don't forget to be careful with JavaScript libraries

As you may guess, you can have the same kind of issues with JavaScript libraries as well: they are probably essential to your project but they also can be an excellent vehicle for malicious code.

Delete default logins

There are some typical default usernames, like "admin", that can be easily guessed, thus saving some work for the hacker who attempts a brute-force attack. Replacing them with something not as easy to guess is a wise idea.

Check error messages

Sometimes error messages give out too much information and can inadvertently ease the job of someone attempting complex attacks like SQL injection.

Switch to HTTPS

Since Google announced that adding an SSL certificate to your website would give it a ranking boost (and that users are warned when they're browsing a non-secure website), switching to HTTPS has become practically mandatory for most websites. But, besides the ranking benefits, there are lots of valid reasons to switch to HTTPS:

  • Data passing through an HTTPS connection is encrypted: non-secured data can be observed by a third party, while in transit.
  • Even if you don't think you have much sensitive data to be protected by HTTPS, the information stolen can be used to disguise identities while making other illegal attacks.
  • When connecting to a public Wi-Fi access point, the traffic of an unsecured website may be altered so that users can be diverted to a fake website. HTTPS guarantees that a website is actually what it claims to be. In some cases, the certification authority also checks that a particular company controls the domain in question.

Don't Leave the Key under the Doormat

Everybody knows that passwords are the greatest weak spots, but most people without a background in security aren't fully aware of how insecure their passwords can be and how big the risks actually are. As mentioned above, certain attacks on low-level users can escalate to the admin level, so even a single user with a weak password can put the whole system at risk. Practices like allowing only very long, case-sensitive passwords with special characters, although they may bother users, are just the first unavoidable step towards better security.

For more tech-savvy admins, hashing passwords offers a good level of security. In the unfortunate event that someone breaks in and steals the passwords, they cannot be recovered if they are hashed. They are still exposed to a dictionary or brute-force attack, though; in that case, using salted passwords makes the cracking computationally very expensive. Salting is a technique that adds random data unique to each user and stores it alongside their password hash for use in the hashing process. The salt completely changes the output of the hash function, rendering the typical cracking method of the rainbow table completely useless.
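An added example (not code from the original post or from Scrivito) of the salted hashing just described, using PBKDF2-SHA256 from Ruby's standard OpenSSL library; the stored record format and the function names are assumptions of this example. Two users with the same password end up with different records, so a precomputed rainbow table is useless.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # work factor; raise it as hardware gets faster
KEY_LEN    = 32      # bytes of derived key (SHA-256 output size)
SALT_LEN   = 16      # 128-bit random salt, unique per user

# Hash a password with a fresh random salt. The record (an assumed format)
# "pbkdf2-sha256$iterations$salt_hex$hash_hex" carries salt and cost with
# the hash, so the cost can be raised later without a schema change.
def hash_password(password, salt = SecureRandom.random_bytes(SALT_LEN))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                  OpenSSL::Digest.new('SHA256'))
  "pbkdf2-sha256$#{ITERATIONS}$#{salt.unpack1('H*')}$#{dk.unpack1('H*')}"
end

# Compare two strings in time independent of where they first differ, so
# the comparison itself leaks nothing about the stored hash.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt: re-derive with the stored salt and iteration
# count, then compare. Unknown algorithms are rejected rather than guessed.
def verify_password(password, stored)
  algo, iters, salt_hex, hash_hex = stored.split('$')
  return false unless algo == 'pbkdf2-sha256' && salt_hex && hash_hex
  salt = [salt_hex].pack('H*')
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, KEY_LEN,
                                  OpenSSL::Digest.new('SHA256'))
  secure_equal?(dk.unpack1('H*'), hash_hex)
end

# Constructed sample: the same password for two users yields two different
# records, because each gets its own random salt.
record_a = hash_password('correct horse battery staple')
record_b = hash_password('correct horse battery staple')
puts record_a
puts record_b
puts verify_password('correct horse battery staple', record_a) # true
```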

Even for a system with all security measures properly applied, the weakest part of any security implementation is the human factor. The most sophisticated security technologies are useless if someone writes their passwords on a post-it attached to their desk, exposed to everybody's eyes. Therefore, one crucial aspect to be considered for better security is to instill a security culture in the whole team, so that everybody contributes to tightening the security of the entire system.

More great blog posts from Alessandro Loverde