Umbraco provides a robust set of security features out of the box, designed to keep your content, data, and users safe through modern protocols, best practices, and ongoing updates.

Out-of-the-Box Security Features

  • Custom ASP.NET Core Identity Integration
    Umbraco leverages a custom implementation of ASP.NET Core Identity, ensuring secure user authentication and authorization, as well as secure storage of credentials.
  • Hashed and Encrypted Passwords
    User and member passwords are securely hashed and encrypted, protecting credentials in the database and reducing the risk from data breaches.
  • Two-Factor Authentication (2FA) Support
    Umbraco supports two-factor authentication, which can be enabled to provide an extra layer of login security for back office users.
  • Role-Based Access Control
    Fine-grained permissions can be assigned to users and groups, supporting the principle of least privilege and restricting access to sensitive functionality.
  • Secure Cookie Handling
    Cookies used for authentication are securely managed and protected to prevent session hijacking.
  • Anti-CSRF Protection
    Built-in protection against Cross-Site Request Forgery (CSRF) attacks helps prevent unauthorized actions from malicious sites.
  • Default Backoffice Timeout
    Users are automatically logged out of the Umbraco back office after a defined period of inactivity, reducing the risk of unauthorized access.
  • Health Checks and Security Audits
    Umbraco provides built-in security health checks for recommended configuration settings, expired passwords, or outdated packages, allowing administrators to audit and harden their sites easily.
  • HTTPS and SSL Support
    Native support for HTTPS/SSL ensures encrypted data transmission and easy setup of SSL certificates, especially on Umbraco Cloud.
  • Automated Security Updates (Umbraco Cloud)
    For cloud-hosted projects, security updates are automatically applied to minimize vulnerability windows.

Additional Security Practices

  • Regular Penetration Testing
    Umbraco undergoes regular third-party security testing, with patches and fixes promptly released for any discovered vulnerabilities.
  • Extensible with Security Packages
    The platform supports further hardening through third-party packages vetted by the Umbraco community, and it provides guidance on secure plugin use.

Umbraco’s security model, based on modern .NET standards and best practices, makes it a solid choice for organizations seeking a secure and manageable CMS foundation.


© kyal.in. All Rights Reserved.