GITBOOK-72: Security and WAF

Author: gitbook-bot

umbraco-cloud/SUMMARY.md

@@ -2,7 +2,8 @@
 
 * [What is Umbraco Cloud?](README.md)
 * [Frequently asked questions](frequently-asked-questions.md)
-* [Security](security.md)
+* [Security](security/README.md)
+  * [Web Application Firewall](security/web-application-firewall.md)
 * [Sustainability Best Practices](https://docs.umbraco.com/sustainability-best-practices/)
 
 ## Getting Started

umbraco-cloud/frequently-asked-questions.md

@@ -32,7 +32,7 @@ Yes, you can. Umbraco Cloud uses the same Umbraco version that you can download
 
 ### Can I move my existing site to Umbraco Cloud?
 
-Umbraco Cloud is best when used as the base for a new project. There is a specific way of working with Umbraco and Umbraco Cloud in order to take full advantage of the service. That’s not to say you can’t migrate an existing site, only that some changes may be required in order for your site to fully work with Umbraco Cloud. For more information [read our guide to moving an existing site](broken-reference).
+Umbraco Cloud is best when used as the base for a new project. There is a specific way of working with Umbraco and Umbraco Cloud in order to take full advantage of the service. That’s not to say you can’t migrate an existing site, only that some changes may be required in order for your site to fully work with Umbraco Cloud. For more information [read our guide to moving an existing site](broken-reference/).
 
 ### What languages are available for content localization on Umbraco Cloud?
 
@@ -43,7 +43,6 @@ Umbraco Cloud relies on the underlying Azure infrastructure for content localiza
 <summary>Languages Available in Umbraco Cloud</summary>
 
 {% code lineNumbers="true" %}
-
 ```
 Afar
 Afar (Djibouti)
@@ -915,7 +914,6 @@ Yoruba (Nigeria)
 Zarma
 Zarma (Niger)
 ```
-
 {% endcode %}
 
 </details>
@@ -949,7 +947,7 @@ If you have questions about how many resources your site is using, then please r
 
 Yes, you can. Please note that Umbraco Cloud also uses Cloudflare for DNS, so you need to enroll your hostname as 'DNS Only' with a CNAME pointing to `dns.umbraco.io`. Once you can see the hostname is marked with 'Protected' under the Project / Hostname subpage you can turn on 'Proxying' for the hostname in your Cloudflare account if you need to use specific Cloudflare features like Page Rules.
 
-Generally, we recommend that you keep your DNS entry set to 'DNS Only' in your own Cloudflare account. This lets Umbraco Cloud handle the automatic Transport Layer Security (TLS)/HTTPS certificates for the hostnames you point to your Umbraco Cloud project. Check with our support team, via chat or using <[email protected]>, before bringing in your own Cloudflare setup.
+Generally, we recommend that you keep your DNS entry set to 'DNS Only' in your own Cloudflare account. This lets Umbraco Cloud handle the automatic Transport Layer Security (TLS)/HTTPS certificates for the hostnames you point to your Umbraco Cloud project. Check with our support team, via chat or using [[email protected]](mailto:[email protected]), before bringing in your own Cloudflare setup.
 
 ### Does Cloudflare add any additional HTTP request headers?
 
@@ -1040,7 +1038,7 @@ Please contact us using the chat button at the bottom right corner of the [Umbra
 
 ## Security and encryption
 
-Haven't found an answer to your question? Many security-related questions are answered in the [Security section](security.md) of the documentation.
+Haven't found an answer to your question? Many security-related questions are answered in the [Security section](security/) of the documentation.
 
 ### Does Umbraco Cloud support TLS / HTTPS?
 
@@ -1060,7 +1058,7 @@ By default, Umbraco Cloud supports HTTP/2.
 
 No this is not a security risk. This cookie is set by the load balancer (LB) and is only used by the LB to track which server your site is on. ARRAffinity cookie is a built-in feature of Azure App Service and is only useful when your website is being scaled to multiple servers. In Umbraco Cloud, we cannot scale your site to multiple servers so the cookie is effectively unused.
 
-You can learn much more about this in our [Security section](security.md#cookies-and-security).
+You can learn much more about this in our [Security section](security/#cookies-and-security).
 
 ### Can I use wildcard certificates on Umbraco Cloud? How about an EV, DV, or OV certificate?
 
@@ -1074,7 +1072,7 @@ It seems that you didn't set up the bindings for the specific domain where this
 
 Yes. On Cloud, you can add an IP filter of your choosing. There are a few things you need to pay attention to though. Umbraco Deploy will still need to be able to talk to the different environments in your Cloud website and you should still be able to use the site locally.
 
-Learn more about this and how to set it up in our [Security section](security.md#restrict-backoffice-access-using-ip-filtering).
+Learn more about this and how to set it up in our [Security section](security/#restrict-backoffice-access-using-ip-filtering).
 
 ### Does Umbraco Cloud use Transparent Data Encryption (TDE) for databases?
 

umbraco-cloud/security.md renamed to umbraco-cloud/security/README.md

@@ -1,3 +1,9 @@
+---
+description: >-
+  Security has high priority on the Umbraco Cloud platform. Learn more about the
+  different options and features related.
+---
+
 # Security
 
 In this article you can find information about security on Umbraco Cloud.
@@ -8,7 +14,7 @@ All Umbraco Cloud websites use HTTPS by default. Both the default {projectName}.
 
 ### Custom Certificates
 
-Custom certificates can be used with all custom domains. Please refer to our [Managing Custom Certificates documentation](set-up/project-settings/manage-hostnames/security-certificates.md).
+Custom certificates can be used with all custom domains. Please refer to our [Managing Custom Certificates documentation](../set-up/project-settings/manage-hostnames/security-certificates.md).
 
 ### TLS support
 
@@ -18,7 +24,7 @@ TLS 1.2 is now the default supported TLS protocol going forward.
 
 On the Security page for your cloud project, you can change the default settings for both TLS and HTTP.
 
-Learn more about how this in the [Manage Security](set-up/project-settings/manage-security.md) article.
+Learn more about how this in the [Manage Security](../set-up/project-settings/manage-security.md) article.
 
 ### TLS Ciphers support
 
@@ -35,11 +41,11 @@ Umbraco Cloud Websites support the following TLS ciphers in this order:
 
 The different Ciphers can be enabled or disabled on the security project settings page for your Cloud projects.
 
-<figure><img src=".gitbook/assets/image (7) (1) (1).png" alt=""><figcaption><p>Enable or disable TLS Ciphers</p></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (7) (1) (1).png" alt=""><figcaption><p>Enable or disable TLS Ciphers</p></figcaption></figure>
 
 ### HSTS - HTTP Strict Transport Security
 
-It's possible to enforce HSTS: [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP\_Strict\_Transport\_Security) by adding the headers to your website. This grants Umbraco Cloud Websites an A+ security rating on sslabs (March 2020).
+It's possible to enforce HSTS: [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) by adding the headers to your website. This grants Umbraco Cloud Websites an A+ security rating on sslabs (March 2020).
 
 You can add the header by modifying system.webServer/rewrite/outboundRules section in your web.config:
 
@@ -88,7 +94,7 @@ More information specifically from Microsoft about .Net applications and Transpo
 
 ### HTTP
 
-Naked HTTP urls without HTTPS are supported but not used by default on Umbraco Cloud Websites. If you'd like to keep using HTTP, which we strongly discourage, you'll need to remove a web.config transform as specified in [Rewrite rules on Umbraco Cloud](set-up/project-settings/manage-hostnames/rewrites-on-cloud.md#running-your-site-on-https-only)
+Naked HTTP urls without HTTPS are supported but not used by default on Umbraco Cloud Websites. If you'd like to keep using HTTP, which we strongly discourage, you'll need to remove a web.config transform as specified in [Rewrite rules on Umbraco Cloud](../set-up/project-settings/manage-hostnames/rewrites-on-cloud.md#running-your-site-on-https-only)
 
 Umbraco Cloud supports both HTTP2 and HTTP3 protocols.
 
@@ -113,6 +119,10 @@ Basic authentication will not be available for projects running Umbraco 9. It is
 * IP based list allowing access to Frontend & Backoffice
 * IP based list allowing access to website database
 
+### Web Application Firewall
+
+WAF is or can be enabled on the custom hostname(s) you add to your Umbraco Cloud project. [Learn more about how this feature works and helps to secure your websites](web-application-firewall.md).
+
 ## Cookies and security
 
 On Umbraco Cloud sites, you will find an ARRAffinity cookie. This is not sent over HTTPS, and might to some, look like a security risk.

umbraco-cloud/security/web-application-firewall.md

@@ -0,0 +1,47 @@
+---
+description: >-
+  Your Umbraco Cloud website is protected by a Web Application Firewall (WAF) by
+  default. Learn more about the feature and the benefits.
+---
+
+# Web Application Firewall
+
+A Web Application Firewall (WAF) is a security solution designed to protect web applications by filtering and monitoring HTTP traffic between them and the Internet. By acting as a shield between the web application and potential threats, it helps mitigate various common attacks such as cross-site scripting (XSS), SQL injection, and file inclusion.[ ](https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/)
+
+## Umbraco Cloud WAF
+
+Umbraco Cloud uses [Cloudflare’s Managed Rulesets](https://developers.cloudflare.com/waf/managed-rules/) which include pre-configured rules that provide immediate protection against a wide range of threats. These managed rulesets are regularly updated to defend against the latest vulnerabilities and attack techniques. The rulesets include protections against:
+
+* **Zero-day vulnerabilities**: Newly discovered vulnerabilities that have not yet been patched.
+* **Top-10 attack techniques (logging only)**: Common attack methods identified by security organizations like OWASP.
+
+WAF is enabled by default on each custom hostname. It is not available for the internal Cloud hostnames.
+
+## Impact on your website
+
+### **Performance**
+
+A WAF helps maintain optimal performance by blocking malicious traffic before it reaches your web application. This means that your server resources are not wasted on processing harmful requests, which can slow down your website. Additionally, by preventing attacks that could exploit vulnerabilities, WAF helps ensure the website remains available and responsive to legitimate users.
+
+### **Security**
+
+A WAF enhances the security of your web applications by providing a robust defense against different types of attacks. It protects your website from data breaches, defacement, and other security incidents by filtering out malicious traffic. This helps not only safeguard sensitive data but also maintain the trust and confidence of your users.
+
+## Requirements
+
+The custom hostname(s) must be pointing to the Umbraco Cloud entry point  CNAME record pointing to `dns.umbraco.io` or A records.
+
+Learn more about this in the article on [Managing Hostnames](../set-up/project-settings/manage-hostnames/).
+
+{% hint style="warning" %}
+When using **a proxy server** with your Umbraco Cloud project you cannot enable WAF on your custom hostname. 
+{% endhint %}
+
+## Enable WAF on custom hostnames
+
+The following steps outline enabling WAF on your custom hostname(s).
+
+1. Open the Cloud project in the Umbraco Cloud Portal.
+2. Navigate to **Transport Security** under **Security**.
+3. Enable WAF for all future hostnames added to the project.
+4. Enable WAF on your custom hostname(s).