uSync and Security¶
uSync publisher is a tool for moving content and settings between Umbraco Installations and as such it does provide an additional attack vector for your Umbraco sites.
We want you to be reassured about the steps we take to ensure uSync.Publisher is secure, and what additional things you can do to harden your Umbraco installations.
Hardening Umbraco & uSync.Publisher¶
There are a number of steps outlined in our uSync.Publisher documentation that detail the steps you can take to make sure your uSync.Publisher installation is secure. these include but are not limited to:
- Ensuring you use Https protocols to encrypt server traffic
- using Unique AppId/AppKey values for each server
- Securing the publishing routes in IIS
If you follow the guidance these steps will both encrypt traffic and limit access to the endpoints within uSync used to push data between servers.
How uSync.Publisher protects your data¶
Firstly none of your content/settings or other site data is sent anywhere other than between your servers. We do collect version numbers for the latest version check, but no personal data is stored
All server communication is signed¶
uSync.Publisher signs all communication between Umbraco instances with an HMAC authentication key, assigned to a specific Application ID. This means uSync can verify the authenticity and data integrity of all messages between servers, so only traffic meant for a specific application instance signed with the correct key will be processed by uSync.
Encryption is recommended¶
Data is not directly encrypted by uSync.Publisher but we strongly recommended you use https for all connections between the Umbraco instances.
Locked down permissions¶
Within Umbraco only users with the correct publish permissions can push or pull content between servers, without these permissions being present users cannot perform the actions required to move content between sites.
How to report a vulnerability¶
If you through your internal use and testing of uSync you come across a vulnerability, we would really like to hear about it.
In order to take care of the vulnerability in the most responsible manner, we ask you to follow the guidelines for how to report a vulnerability.