
Liferay DXP Security Configuration Checklist

Configuration Path: Security Review Action

Platform → Users:
  • No modifications are expected; any modification requires a security review.

Platform → Template Engines:
  • FreeMarker Engine - Review restricted classes, methods, and variables; proper restrictions are vital to prevent template injection attacks.
  • Velocity Engine - Review restricted classes, methods, and variables; proper restrictions are vital to prevent template injection attacks.
  • No other modifications are expected; any modification requires a security review.

Security → Antivirus:
  • Antivirus Clamd Scanner - Configure and enable the antivirus scanner to detect and block malicious file uploads.
  • No other modifications are expected; any modification requires a security review.

Security → API Authentication:
  • SYSTEM SCOPE → Basic Auth Header should be disabled or deleted unless the customer explicitly asks for HTTP Basic authentication. Disabling it can affect WebDAV and curl-based API testing.
  • VIRTUAL INSTANCE SCOPE → Basic Authentication Protocol Support - same as above; should be disabled unless the customer asks for it.
  • No other modifications are expected; any modification requires a security review.

Security → Audit:
  • Make sure one of these two options is enabled so that security-relevant events are logged:
      • Persistent Message Audit Message Processor
      • Logging Message Audit Message Processor
  • No other modifications are expected; any modification requires a security review.

Security → LDAP:
  • No modifications are expected; any modification requires a security review.

Security → Multi-Factor Authentication:
  • No modifications are expected; any modification requires a security review.

Security → OAuth 2:
  • No modifications are expected; any modification requires a security review.

Security → Security Tools:
  • CAPTCHA - reCAPTCHA is recommended but not required.
  • VIRTUAL INSTANCE SCOPE → Portal Cross-Origin Resource Sharing (CORS) - Delete or disable the Default Portal CORS Configuration unless the customer requires CORS; in that case review the settings to prevent cross-site scripting (XSS).
  • No other modifications are expected; any modification requires a security review.

Security → SSO:
  • No modifications are expected; any modification requires a security review.

Content And Data → Workflow:
  • No modifications are expected; any modification requires a security review.
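As an added example (not part of the checklist and not Liferay's own tooling), the script below audits exported OSGi `.config` files against the template-engine, Basic Auth, CORS and audit rows above. The configuration PIDs used as file names in the constructed sample are assumptions and must be confirmed against the instance under review; the `.config` syntax parsed is the Felix ConfigAdmin format Liferay uses.

```python
import re

# Constructed sample of exported OSGi .config files keyed by file name; PIDs are assumptions, confirm them against the instance.
SAMPLE_CONFIGS = {
    "com.liferay.portal.template.freemarker.configuration.FreeMarkerEngineConfiguration.config":
        'restrictedClasses=["java.lang.Class","java.lang.ClassLoader"]\nrestrictedMethods=[]\n',
    "com.liferay.portal.security.auth.verifier.basic.auth.header.module.configuration.BasicAuthHeaderAuthVerifierConfiguration.config":
        'enabled=B"true"\n',
    "com.liferay.portal.remote.cors.configuration.PortalCORSConfiguration~default.config":
        'pathPatterns=["/api/jsonws/*","/o/*"]\n',
    "com.liferay.portal.security.audit.router.configuration.PersistentAuditMessageProcessorConfiguration.config":
        'enabled=B"false"\n',
}
_LINE = re.compile(r'^\s*([\w.\-]+)\s*=\s*(.*?)\s*$')

def parse_config(text):
    """Parse Felix ConfigAdmin syntax: key="s", key=B"true", key=["a","b"]."""
    values = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match or line.lstrip().startswith("#"):
            continue
        key, raw = match.groups()
        if raw.startswith("["):
            values[key] = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
        elif raw.startswith('B"'):
            values[key] = raw[2:-1].lower() == "true"
        else:
            values[key] = raw.strip('"')
    return values

def audit(configs):
    """Return checklist findings for a {file name: contents} mapping."""
    findings, audit_enabled = [], False
    for name, text in configs.items():
        cfg = parse_config(text)
        if "FreeMarkerEngine" in name or "VelocityEngine" in name:
            # Only an explicitly emptied list is flagged; an absent key leaves the engine defaults in force.
            for key in ("restrictedClasses", "restrictedMethods", "restrictedVariables"):
                if key in cfg and not cfg[key]:
                    findings.append(f"{name}: {key} emptied; template injection guard removed")
        elif "BasicAuth" in name and cfg.get("enabled", True):
            findings.append(f"{name}: Basic Auth enabled; disable unless explicitly required")
        elif "CORS" in name:
            findings.append(f"{name}: CORS configuration present; confirm need, review origins")
        elif "AuditMessageProcessor" in name and cfg.get("enabled") is True:
            audit_enabled = True
    if not audit_enabled:
        findings.append("No audit message processor enabled; enable Persistent or Logging")
    return findings
```

Run `audit` over the contents of the instance's `osgi/configs` directory (or a configuration export) instead of `SAMPLE_CONFIGS` to produce the review findings.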
