10

What are the most important security features that a web-based CMS should offer? What's vital? What would be nice to have? What features should the CMS not attempt to do?

Please note: I'm looking more for specific features that enhance security rather than just the basics like validating input, escaping input and output, XSS protection, SQL injection prevention, not showing errors, etc.

AviD
VirtuosiMedia
  • You're confusing two different aspects. To make it clearer, you want to have security features and not secure features. Please note that there is a big difference between secure features (correctly implemented features) and security features (features which should enhance security) – Henri Nov 14 '10 at 12:42
  • I wasn't confusing them, but you stated it better than I did. Thank you. – VirtuosiMedia Nov 14 '10 at 18:07

3 Answers

5
Olivier Lalonde
  • +1, excellent reply. Wrt the first point (ACL security) - since most CMS are usually aimed lower-end, I think it would be better to simplify and go for RBAC (Role based access control), but also provide the ACL if required. Also, if this is intended as a business CMS, there should definitely be hooks to ActiveDirectory, SIEM, SMS, etc. – AviD Nov 14 '10 at 02:30
  • @AviD - Can you clarify the difference between RBAC and ACL? – VirtuosiMedia Nov 14 '10 at 18:18
  • @VirtuosiMedia, I did better than that - since I thought that would be a great question to seed the beta site with, I went ahead and asked it - http://security.stackexchange.com/questions/346/. That way you get the best of the community, not just my own explanation :) – AviD Nov 14 '10 at 19:44
5

If you need to handle users' passwords, make sure not to store them in plain text, and be sure to salt them first.

gbr
2

I know that it's not widely used, but I've always thought that it would be a nice feature for a user to be able to upload their PGP public key so that emails generated by the CMS can be encrypted. Kind of related: any generated passwords that are sent via email should be time-limited, one-time use only (i.e. the password allows the user to log in for 24 hours and then they have to change their password).

Updated: I was lying awake last night and for some reason this topic popped back into my head. Any login should be HTTP Digest Authentication or a form-based login with client-side HMAC if SSL can't be used. Basic auth and raw password form actions are a no-no!

Nev Stokes
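An added example, not part of any answer on this page: it combines the salted, non-plaintext storage from gbr's answer with the 24-hour, one-time generated password from Nev Stokes's answer. The `TempPasswordStore` class, its in-memory dictionary and the choice of PBKDF2-HMAC-SHA256 as the salted hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TEMP_PASSWORD_TTL = 24 * 60 * 60  # 24 hours, the window named in the answer
PBKDF2_ITERATIONS = 600_000       # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class TempPasswordStore:
    """Hypothetical in-memory store; a CMS would keep these rows in its database."""

    def __init__(self, clock=time.time):
        self._rows = {}      # username -> (salt, digest, expires_at)
        self._clock = clock  # injectable so expiry can be exercised in tests

    def issue(self, username):
        """Generate a temporary password to e-mail; only its salted hash is kept."""
        password = secrets.token_urlsafe(12)
        salt, digest = hash_password(password)
        self._rows[username] = (salt, digest, self._clock() + TEMP_PASSWORD_TTL)
        return password

    def redeem(self, username, password):
        """True exactly once within the TTL; the caller then forces a password change."""
        row = self._rows.get(username)
        if row is None:
            return False
        salt, digest, expires_at = row
        if self._clock() > expires_at:
            del self._rows[username]  # expired: discard the stale credential
            return False
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):  # constant-time comparison
            return False
        del self._rows[username]      # one-time use: a replayed e-mail is worthless
        return True
```
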