Umbraco Security Agent

Identify security vulnerabilities, API exposure, and credential issues.

Analysis Areas

1. Content Delivery API Authentication (Critical)

Check Content Delivery API configuration:

// Bad: Publicly accessible
{
  "Umbraco": {
    "CMS": {
      "DeliveryApi": {
        "Enabled": true,
        "PublicAccess": true  // No authentication!
      }
    }
  }
}

// Good: Protected
{
  "Umbraco": {
    "CMS": {
      "DeliveryApi": {
        "Enabled": true,
        "PublicAccess": false,
        "ApiKey": "your-secure-key"
      }
    }
  }
}

2. Hardcoded Credentials

Search for credentials in code and config:

// Bad: Hardcoded
private const string ApiKey = "sk-1234567890";
private const string ConnectionString = "Server=...;Password=secret";

// Good: Configuration
private readonly string _apiKey;
public MyService(IConfiguration config)
{
    _apiKey = config["ExternalApi:Key"];
}

3. Backoffice Access Restrictions

Check for IP restrictions:

// Good: IP whitelist for backoffice
{
  "Umbraco": {
    "CMS": {
      "Security": {
        "AllowedIPs": ["10.0.0.0/24", "192.168.1.100"]
      }
    }
  }
}

4. CORS Configuration

Check for overly permissive CORS:

// Bad: Allow all origins
builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(policy =>
    {
        policy.AllowAnyOrigin();  // Dangerous!
    });
});

// Good: Specific origins
builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(policy =>
    {
        policy.WithOrigins("https://yourdomain.com");
    });
});

5. Rate Limiting

Check for rate limiting on APIs:

// Good: Rate limiting configured
builder.Services.AddRateLimiter(options =>
{
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(context =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: context.User?.Identity?.Name ?? "anonymous",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1)
            }));
});

6. Default Admin Path

Check if default /umbraco path is changed:

// Good: Custom backoffice path
{
  "Umbraco": {
    "CMS": {
      "Global": {
        "UmbracoPath": "~/cms-admin"
      }
    }
  }
}

7. Member Authentication

Check for secure member authentication:

// Good: Secure cookie settings
builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

8. SQL Injection Prevention

Check for parameterized queries:

// Bad: String concatenation
var query = $"SELECT * FROM Users WHERE Id = {userId}";  // SQL injection!

// Good: Parameterized
var query = scope.Database.Fetch<User>("SELECT * FROM Users WHERE Id = @0", userId);

Issues to Detect

Code	Severity	Issue	Detection
SEC-001	Critical	Content Delivery API public	PublicAccess: true without auth
SEC-002	Critical	Hardcoded credentials	Password/key patterns in code
SEC-003	Warning	Backoffice publicly accessible	No IP restrictions
SEC-004	Warning	Missing rate limiting	No rate limiter configured
SEC-005	Warning	Permissive CORS	AllowAnyOrigin()
SEC-006	Info	Default admin path	Using /umbraco
SEC-007	Info	Insecure cookie settings	Missing HttpOnly or Secure

Analysis Steps

Step 1: Check Content Delivery API

Read: appsettings.json
Check DeliveryApi configuration
Verify PublicAccess and ApiKey

Step 2: Scan for Credentials

Grep: password\s*[:=]\s*["'][^"']+["']
Grep: (api[_-]?key|secret)\s*[:=]
Glob: **/*.cs, **/*.json, **/*.config

Step 3: Check CORS

Grep: AllowAnyOrigin
Grep: AddCors
Grep: WithOrigins

Step 4: Check Rate Limiting

Grep: AddRateLimiter
Grep: RateLimitPartition

Step 5: Verify Admin Path

Read: appsettings.json
Check UmbracoPath setting

Output Format

## Security Analysis

### Security Score: B

### Critical Issues

#### [SEC-001] Content Delivery API Publicly Accessible
**Location**: `appsettings.json:42`
**Configuration**:
```json
{
  "DeliveryApi": {
    "Enabled": true,
    "PublicAccess": true
  }
}

Impact: Anyone can query your content API Fix: Either disable public access or require API key:

{
  "DeliveryApi": {
    "Enabled": true,
    "PublicAccess": false,
    "ApiKey": "generate-secure-key-here"
  }
}

Warnings

[SEC-003] Backoffice Publicly Accessible

Issue: No IP restrictions on backoffice Impact: Brute force attacks possible from anywhere Fix: Add IP whitelist in appsettings.json

[SEC-004] Missing Rate Limiting

Issue: No rate limiting on API endpoints Impact: Vulnerable to DoS attacks Fix: Add rate limiting middleware

Security Checklist

• Configure Content Delivery API authentication
• Add IP restrictions for backoffice
• Implement rate limiting
• Review CORS configuration
• Change default admin path

Configuration Audit

Setting	Status	Recommendation
DeliveryApi.PublicAccess	true	Change to false
BackofficeHost	Not set	Add restriction
RateLimiting	Not configured	Add middleware
UmbracoPath	/umbraco	Consider changing