
New year, new Umbraco!

Making Umbraco 17 as secure as possible.

Nick Lim

21 January 2026


Ah, January! A time for making resolutions we secretly know we'll abandon by February and vowing, once again, to use that gym membership we've had since 2018. But here at Effect, we have one resolution that we’re absolutely sticking to: making Umbraco 17 as secure as possible.

Now, before you roll your eyes thinking “Oh great, another complex techie sermon,” let us assure you that this journey into upgrading Umbraco’s security is no yawn-inducing lecture. We’re breaking it down with some real-world analogies—because what’s more relatable than the panic of realising you didn’t update your passwords after your New Year’s cleaning spree?

Enforce MFA: It’s like double-locking the front door

First on our list is ensuring that MFA (Multi-Factor Authentication) is in place. Picture this: You’ve got this ultra-secure steel door, but the key is hanging right next to it on a piece of string. MFA is like taking that key and hiding it inside a maze filled with mischievous kittens (don’t worry, the kittens are algorithm-based, and no kittens were harmed in this analogy). Thankfully, Umbraco now supports 2FA, so hop aboard the security train and enable it, pronto. For the particularly adventurous souls, Umbraco documents it here for you: Umbraco 2FA Guide.

Here at Effect, we embrace everything Azure SSO offers, because what’s better than good security? Good security that syncs smoothly with your existing setup. Check it out: Umbraco.Community.AzureSSO.

Umbraco backoffice domain: becoming a security ninja

Imagine only letting the chosen few into your secret treehouse. Okay, so instead of a treehouse, it’s your Umbraco backoffice domain, but you get the picture. This way, you control who gets access.

Pro tips for extra ninjaness:

IP Whitelisting: Like VIP entry at a club, but for IP addresses.

Geofencing: Keep the backoffice out of bounds for any sketchy locations. Take that, cyber villains!

Domain specific content security policies: Separating domains allows you to tailor security settings to each one. Take our own website as an example: a backoffice URL like "cms.effect.nz" can run a more lenient policy because it sits behind additional layers, such as login requirements or IP whitelisting. In contrast, "effect.nz" enforces a stricter policy, as it’s open to the broader public. This ensures your front-end remains sleek and safe for everyday users.
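One way to wire up the IP whitelisting and per-domain CSP tips on an Umbraco/ASP.NET Core host, as an added example that is not Effect's own code: a small middleware in Program.cs that allow-lists source addresses for the backoffice host and sends a different Content-Security-Policy for the backoffice and the public site. It assumes the host names from the text (cms.effect.nz and effect.nz), constructed placeholder IP ranges, .NET 8 or later for System.Net.IPNetwork, and that the CSP directives are tuned to what each site actually loads.

```csharp
// Program.cs excerpt (added example, not Effect's code). Umbraco registration
// calls are omitted; this middleware must be added before app.UseUmbraco().
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Allow list for the backoffice host. Constructed placeholder ranges: replace
// with your office / VPN egress ranges. If a reverse proxy sits in front,
// register UseForwardedHeaders first so RemoteIpAddress is the real client.
IPNetwork[] backofficeAllowList =
{
    IPNetwork.Parse("203.0.113.0/24"),
    IPNetwork.Parse("198.51.100.10/32"),
};

// Illustrative policies: the backoffice gets a looser policy because it also
// sits behind login and the allow list; the public site gets the strict one.
const string BackofficeCsp =
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: blob:; frame-ancestors 'none'";
const string PublicCsp =
    "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; " +
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'";

app.Use(async (context, next) =>
{
    var host = context.Request.Host.Host;
    var isBackoffice = host.Equals("cms.effect.nz", StringComparison.OrdinalIgnoreCase);

    if (isBackoffice)
    {
        // Reject anything outside the allow list before Umbraco sees the request.
        var remote = context.Connection.RemoteIpAddress;
        if (remote is { IsIPv4MappedToIPv6: true }) remote = remote.MapToIPv4();
        if (remote is null || !backofficeAllowList.Any(n => n.Contains(remote)))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
    }

    context.Response.Headers["Content-Security-Policy"] = isBackoffice ? BackofficeCsp : PublicCsp;
    await next(context);
});

app.Run();
```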

Security scanning: The brain scan for your code

At Effect, we scan EVERYTHING. Our routine involves daily scans, similar to checking if the milk has expired, only this can save you from a security meltdown as opposed to a sour breakfast.

Let’s cheat…but in a good way

Remember back in school when a cheat sheet was your secret weapon? Well, it still is, but now it’s for a good, legal, mature adult thing. Reviewing your Umbraco website against the OWASP top 10 .NET cheat sheet is like that cheat sheet: safeguarding you against vulnerabilities like a superhero with a matching cape.

And there you have it! Our guide to securing your Umbraco 17 setup. If you have any questions feel free to reach out to us. Contact Effect to bring your digital projects to life.