Configuration Best Practices

Site Setup and CMS Hardening Guide

Attention Developers: Ensure your code is secure. Consult the Security Overview.

Below is a comprehensive checklist for site readiness and security. It combines best practices for CMS security with general pointers. We specialize in CMS, so we advise consulting your web server's best practices for server-specific configurations.

CMS Checklist

1. Download & Installation

   • Download the latest supported version of CMS using official methods at CMS download page.
   • Installation guide is available here.

2. Server & Languages

   • Use the latest PHP version compatible with your CMS version.

3. Site Development & Security

   • Ensure web application security recommendations were adhered to during development. If not, revisit Security Overview.

4. Dashboard Settings

   • Disable development debug output for production: /dashboard/system/environment/debug.
   • Set Canonical URLs to prevent "password reset poisoning".
   • Ensure redirects align with Canonical URL.
   • Set site to only render on TLS/HTTPS.
   • Decide on file accessibility. If private, configure a storage location outside site root.
   • Review password security settings: /dashboard/system/registration/password_requirements.
   • Ensure a strong admin password.
   • Consider IP restrictions for visitors: Configure IP Ban/Allow list.
   • Customize "from" email for form submission confirmations.
   • Assign specific user groups for roles and access control.
   • Adjust Viewing permissions and Edit Access: dashboard/system/permissions/site.
   • Define allowed file types: dashboard/system/files/filetypes.
   • Set Automated Logout Settings: dashboard/system/registration/automated_logout.

5. File Upload

   • Restrict certain file uploads. Guide here.

6. Version & Updates

   • Hide CMS version number in header responses.
   • Follow Composer installation recommendations.

7. Company Systems

   • Add the website and CMS to organization's system list. Ensure role-based access controls.

Points to Ponder

• Integrate Concrete login with organization's SSO. Concrete supports Google SSO by default, oAuth and SAML are available in the marketplace.
• Deactivate users after specific inactive durations or failed login attempts: dashboard/system/registration/deactivation.

Pre-Launch Testing

• Ensure site functionality, especially after CMS version upgrades.
• Conduct load tests.
• Run web application scanners.
• Check for browser console errors.
• Ensure default "from" email is "no-reply@[site domain]".
• Add a favicon.
• Implement tracking codes.
• Verify site responds to both CNAME and A record.

Hosting Independently?

1. General

   • Think about hosting with the Core Concrete CMS Team.
   • Utilize TLS 1.2 or above and redirect HTTP to HTTPS.
   • Configure HSTS.
   • Implement a CDN and optimize caching.
   • Monitor the site using available tools.

2. Web Server Settings (e.g., Nginx)

   • Configure xframe security option.
   • Serve files statically from /application/files.
   • Limit code execution.
   • Disable directory browsing.
   • Set up SMTP for email sending.
   • Implement rate limiting.
   • Set logging preferences: /dashboard/system/mail/logging.

3. Security

   • Store cache outside the accessible directory.
   • Place a Web Application Firewall (WAF).
   • If using CMS version below 9.0.0, set the Cross-Origin-Resource-Policy header. Guide here.
   • Serve uploaded files securely: /application/files/*.

Always prioritize security. Consult expert advice when in doubt.