Hi,
I asked Vincent if there was a security how-to / checklist page in the xwiki
user guide and as such this does not yet exist.
As security is such an important issue for public-facing sites, coupled with
the fact that in order to help those who have to ensure they can carry out
necessary due diligence on security before they are allowed to adopt
solutions such as Xwiki, I'd like to request the help of the community to
gather knowledge and best practices together.
This thread is a request to gather information from experts and users alike
to then create pages in the user guide that provide security guidance for
administrators of public-facing Xwiki deployments... where applicable we
could link to security how-tos for Xwiki dependencies such as web
application servers rather than duplicate well known information, feel free
to share links you would recommend, please.
Some of the questions I'm interested in are...
* how-to 'harden' a xwiki site
** such as the correct access permissions for each file / folder object and
permission lifecycle
* what other dependencies should we ensure we have 'hardened'
** such as Tomcat, Jetty, the DBs etc... and 'links to' or 'sub-pages in the
wiki' on the essential tasks to carry out
* ensuring the prevention of common attacks such as cross-site scripting and
SQL injection
** is there a test suite we could use or introduce, such as Ronin written in
Ruby, that would help us test that both xwiki and community plugins meet
security standards we aim to achieve?
There are various groups that focus on aspects of security we can study for
guidance such as:
http://www.owasp.org
http://www.cloudsecurityalliance.org/guidance/
Please feel free to suggest others you feel offer professional and
insightful guidance.
Also, perhaps of interest is an example of a good working security team, I
tip my hat to the Drupal security team who do an excellent job and here's an
interesting post on that subject from the founder of Drupal:
http://buytaert.net/drupal-security-team-past-current-and-future
Thanks for reading and I sincerely hope this is of interest to the wider
community of Xwiki and helps to gain further adoption and success for the
Xwiki project.
--
Sent from the XWiki- Users mailing list archive at
Nabble.com.