Configuration Best Practices
Site Setup and CMS Hardening Guide
Attention Developers: Ensure your code is secure. Consult the Security Overview.
Below is a checklist for site readiness and security. It combines Concrete CMS-specific hardening with general pointers. We specialize in the CMS, so for server-specific configuration also consult your web server's own hardening guidance.
CMS Checklist
Download & Installation
- Download the latest supported version of Concrete CMS through the official CMS download page.
- The installation guide is available here.
Server & Languages
Site Development & Security
- Ensure web application security recommendations were adhered to during development. If not, revisit Security Overview.
Dashboard Settings
- Disable development debug output for production: `/dashboard/system/environment/debug`
- Set Canonical URLs so that links the site generates (password reset emails in particular) use a fixed hostname instead of the request's Host header. This prevents "password reset poisoning", where an attacker supplies their own host so the reset link points at a server they control.
- Ensure redirects align with the Canonical URL.
- Set the site to render only over TLS/HTTPS.
- Decide on file accessibility. If uploaded files are private, configure a storage location outside the site root.
- Review password security settings: `/dashboard/system/registration/password_requirements`
- Ensure a strong admin password.
- Consider IP restrictions for visitors: configure the IP Ban/Allow list.
- Customize the "from" email for form submission confirmations.
- Assign specific user groups for roles and access control.
- Adjust Viewing permissions and Edit Access: `/dashboard/system/permissions/site`
- Define allowed file types: `/dashboard/system/files/filetypes`
- Set Automated Logout settings: `/dashboard/system/registration/automated_logout`
File Upload
- Restrict certain file uploads. Guide here.
Version & Updates
- Hide the CMS version number in response headers.
- Follow Composer installation recommendations.
Company Systems
- Add the website and CMS to the organization's system inventory, and apply role-based access control to who administers it.
Points to Ponder
- Integrate Concrete login with the organization's SSO. Concrete supports Google SSO by default; OAuth and SAML are available in the marketplace.
- Deactivate users after a specific period of inactivity or a number of failed login attempts: `/dashboard/system/registration/deactivation`
Pre-Launch Testing
- Ensure site functionality, especially after CMS version upgrades.
- Conduct load tests.
- Run web application scanners.
- Check for browser console errors.
- Ensure default "from" email is "no-reply@[site domain]".
- Add a favicon.
- Implement tracking codes.
- Verify the site responds on every hostname pointed at it (the A record for the apex and any CNAME such as www), and that each redirects to the Canonical URL.
Hosting Independently?
General
- Think about hosting with the Core Concrete CMS Team.
- Utilize TLS 1.2 or above and redirect HTTP to HTTPS.
- Configure HSTS.
- Implement a CDN and optimize caching.
- Monitor the site using available tools.
Web Server Settings (e.g., Nginx)
- Set the X-Frame-Options header (or a Content-Security-Policy `frame-ancestors` directive) to prevent the site from being framed by other origins.
- Serve `/application/files` statically and never pass anything under it to the PHP interpreter, so that an uploaded file can not be executed.
- Disable directory browsing.
- Set up SMTP for email sending.
- Implement rate limiting.
- Set logging preferences: `/dashboard/system/mail/logging`
- If you are running Concrete before 9.3.6 and you want security headers on your cached pages, you will need to set them manually in `.htaccess` for Apache or in the NGINX configuration.
Security
- Store the cache outside the web-accessible directory.
- Place a Web Application Firewall (WAF) in front of the site.
- If using a CMS version below 9.0.0, set the Cross-Origin-Resource-Policy header. Guide here.
- Serve uploaded files under `/application/files/*` securely: static files only, with no script execution.
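The following NGINX server configuration is an added example that pulls the General, Web Server Settings and Security items above into one place; it is not configuration shipped by Concrete CMS. It assumes the site lives in `/var/www/concrete`, PHP-FPM listens on `unix:/run/php/php-fpm.sock`, the public hostname is `example.com`, and the login page is at `/login` (the default pretty URL). Certificate paths are placeholders. Relocating the cache is a CMS-side setting and is not covered here.

```nginx
# Added example, not Concrete CMS's own configuration. Place this file in the
# http{} context (for example /etc/nginx/conf.d/concrete.conf).
# Assumptions: docroot /var/www/concrete, PHP-FPM at unix:/run/php/php-fpm.sock,
# hostname example.com, login form at /login. Certificate paths are placeholders.

# Shared rate-limit zone keyed by client IP: 10 requests per minute per address.
limit_req_zone $binary_remote_addr zone=concrete_login:10m rate=10r/m;

# Plain HTTP only redirects to HTTPS on the canonical hostname.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/concrete;
    index index.php;

    # TLS 1.2 or above only.
    ssl_certificate     /etc/ssl/certs/example.com.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Do not advertise the NGINX version in the Server header or error pages.
    # (This hides the web server version; the CMS version is hidden in the CMS.)
    server_tokens off;

    # Security headers; "always" also attaches them to error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Disable directory browsing for the whole site.
    autoindex off;

    # Never expose configuration (database credentials live in application/config)
    # or dotfiles such as .htaccess, .git and .env.
    location ^~ /application/config/ { deny all; }
    location ~ /\. { deny all; }

    # Uploaded files: serve statically and refuse anything that looks like a
    # script, so an uploaded .php file is never executed. The ^~ prefix stops
    # the regex PHP location below from matching paths under here.
    location ^~ /application/files/ {
        location ~* \.(php|phtml|phar)$ { deny all; }
        try_files $uri =404;
        expires 30d;
    }

    # Throttle the login form; burst absorbs a few quick legitimate retries.
    location ^~ /login {
        limit_req zone=concrete_login burst=5 nodelay;
        try_files $uri /index.php$is_args$args;
    }

    # Pretty URLs: everything else goes through the front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Only PHP files that exist in the docroot outside the denied paths above
    # are executed; try_files prevents path-info tricks like /x.php/y.jpg.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}
```

Two caveats before deploying. Only send `includeSubDomains` in the HSTS header if every subdomain is served over HTTPS, because browsers will refuse plain HTTP to all of them for a year. And if your Concrete version already emits security headers for cached pages (9.3.6 and later, per the item above), set each header in one place only; duplicate X-Frame-Options or HSTS headers with differing values are handled inconsistently across browsers.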
Always prioritize security. Consult expert advice when in doubt.