• Jun 15, 2021
  • 3 MIN
Category Tech
Security Best Practices 656x400
Magnolia Security Best Practices

Magnolia Security Best Practices

Magnolia users frequently ask us about our security best practices. While most of the information is available in our documentation, I’d like to provide a summary of the key things you need to know and top resources to consult.

Access security

  • Create automated tasks in your Magnolia project to ensure basic security configurations are applied.

  • Deactivate the superuser account and change the default password. Create a new account with the superuser role. Use a name that isn’t easy to guess.

  • The OS user that executes the webserver (Tomcat) should have read-only access and should not run commands/scripts on the OS level, preventing the injection of Java code to execute commands on the OS level.

  • On production instances, block access to Magnolia AdminCentral from outside your company network. Use a VPN to access AdminCentral remotely and securely.

  • Non-public instances, such as the Magnolia author instance, and non-production instances should not be accessible via the public internet either.

  • While this is the default, verify that the anonymous role is denied access to Magnolia AdminCentral.

  • When you create interfaces, such as REST endpoints, for your project, set access rights appropriately.

  • If you use custom APIs, do not share user/password combinations. Use tokens provided by an identity provider (IDP), like Azure, Keycloak, or Okta, instead.

  • Enforce secure passwords. Thomas Baeddal’s article ‘The Usability of Passwords’ covers the subject in depth.

  • If you use local user accounts in Magnolia, you can provide a custom field validator to enforce password rules.

  • Consider implementing SSO for non-trivial infrastructures to manage users in a central place.

  • If using SSO and if your IDP supports it, implement a password blacklist.

  • Be careful when creating custom forwards and redirects to other sites.

Data security

  • Implement a backup concept and test it regularly.

  • Keep your Magnolia instances up to date.

  • If your project allows, use separate databases for author and public instances.

  • The repository and all files referenced from Magnolia properties must live outside the web app. You should be able to clean the Magnolia web artifact without losing any data or keys.

External User Management and SSO with Magnolia

Single Sign-On (SSO) allows users to log in to applications using the same credentials for multiple applications, making it easier to manage user accounts across your IT landscape.

Security policies

Security fixes

  • Consult the Magnolia release notes.

  • Follow the Magnolia announcements.

  • Keep your Magnolia instances up to date.

Summary and resources

We recommend you implement these best practices before pushing your project live. In addition, you can review the documentation below for more details:

About the Author

Lars Fischer Professional Services at Magnolia

Lars Fischer works for Magnolia’s Professional Services team and is involved in pre-sales and post-sales consultancy. He supports customers with a wide range of topics including implementations of Magnolia, integrations, and security.

Read more