Hi, I asked Vincent whether there was a security how-to / checklist page in the XWiki user guide, and it turns out this does not yet exist.
As security is such an important issue for public-facing sites, and in order to help those who have to carry out the necessary due diligence on security before they are allowed to adopt solutions such as XWiki, I'd like to request the help of the community to gather knowledge and best practices together. This thread is a request to gather information from experts and users alike, so that we can then create pages in the user guide that provide security guidance for administrators of public-facing XWiki deployments. Where applicable we could link to security how-tos for XWiki dependencies such as web application servers rather than duplicate well-known information, so please feel free to share links you would recommend.

Some of the questions I'm interested in are:

* how to 'harden' an XWiki site
** such as the correct access permissions for each file / folder object, and the permission lifecycle
* what other dependencies we should ensure we have 'hardened'
** such as Tomcat, Jetty, the DBs etc., with links to, or sub-pages in the wiki on, the essential tasks to carry out
* ensuring the prevention of common attacks such as cross-site scripting and SQL injection
** is there a test suite we could use or introduce, such as Ronin written in Ruby, that would help us test that both XWiki and community plugins meet the security standards we aim to achieve?

There are various groups that focus on aspects of security we can study for guidance, such as:

http://www.owasp.org
http://www.cloudsecurityalliance.org/guidance/

Please feel free to suggest others you feel offer professional and insightful guidance.
Also, perhaps of interest as an example of a good working security team: I tip my hat to the Drupal security team, who do an excellent job, and here's an interesting post on that subject from the founder of Drupal: http://buytaert.net/drupal-security-team-past-current-and-future

Thanks for reading; I sincerely hope this is of interest to the wider XWiki community and helps to gain further adoption and success for the XWiki project.

--
View this message in context: http://n2.nabble.com/Security-best-practices-for-Xwiki-deployment-and-management-tp4191478p4191478.html
Sent from the XWiki-Users mailing list archive at Nabble.com.

users mailing list: http://lists.xwiki.org/mailman/listinfo/users
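As an added example, not part of the original post and not code from the XWiki project: one concrete check for the "correct access permissions for each file / folder object" item above, written in POSIX shell so it can be run on the host where the servlet container is deployed. It flags anything under a webapp directory that is world-writable or not owned by the account the container runs as. The directory layout, the file names in the constructed fixture (chosen to look like a WEB-INF folder) and the owner account are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the XWiki project or the original post): two
# permission checks a deployment hardening checklist would include.
# Paths, fixture file names and the owner account are assumptions; on a real
# host point these at the Tomcat/Jetty webapps directory and the service user.

# List every non-symlink path under $1 that is writable by "other" (mode
# bit 0002). Symlinks are skipped because their own mode is not meaningful.
# LC_ALL=C makes the ordering stable regardless of the caller's locale.
audit_world_writable() {
    find "$1" ! -type l -perm -002 -print | LC_ALL=C sort
}

# List every path under $1 whose owner is not $2 (the container's account).
audit_owner() {
    find "$1" ! -user "$2" -print | LC_ALL=C sort
}

# Constructed fixture so the checks can be demonstrated offline: one correctly
# restricted config file, one world-writable config file and one
# world-writable data directory. Prints the fixture root (mktemp gives 0700).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/WEB-INF" "$root/data"
    chmod 0750 "$root/WEB-INF"
    printf 'db.password=example\n' > "$root/WEB-INF/hibernate.cfg.xml"
    chmod 0640 "$root/WEB-INF/hibernate.cfg.xml"      # acceptable
    printf 'example=1\n' > "$root/WEB-INF/xwiki.properties"
    chmod 0666 "$root/WEB-INF/xwiki.properties"       # too permissive
    chmod 0777 "$root/data"                            # too permissive
    printf '%s\n' "$root"
}

# Combined report: returns 0 when nothing is flagged, 1 otherwise, so it can
# be used as a gate in a deployment script.
audit_report() {
    dir=$1; owner=$2
    bad=$(audit_world_writable "$dir"; audit_owner "$dir" "$owner")
    if [ -n "$bad" ]; then
        printf 'Insecure permissions or ownership under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    printf 'No permission problems found under %s\n' "$dir"
    return 0
}

# Demonstration on the constructed fixture: first run flags two paths, the
# second run (after tightening the modes) passes.
fixture=$(make_fixture)
audit_report "$fixture" "$(id -un)" || true
chmod 0640 "$fixture/WEB-INF/xwiki.properties"
chmod 0750 "$fixture/data"
audit_report "$fixture" "$(id -un)" || true
rm -rf "$fixture"
```

The owner check matters as much as the mode check: a file that is mode 0644 but owned by a shell user rather than the container account is still writable by whoever logs in as that user, and a deployment that runs `chmod -R` without also fixing ownership leaves that door open.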