Security

uSync.Publisher is sending your content and media between Umbraco instances, and as such security and integrity of the messages been sent is paramount.

uSync.Publisher signs all communications with a HMAC authentication key using the AppId and AppKey settings from the uSync.Publish.Config file. but alongside this you should include some basic security configuration to secure your sites.

use Https

While uSync.Publisher doesn't force HTTPS communication between Umbraco instances it is strongly recommended that you do use HTTPs protocols when setting up server addresses.

use AppId/AppKey values

When uSync.Publisher first runs it will generate a AppId and AppKey value for the config, it is recommended you then use this value to communicate between servers (making sure all servers have the same config) - Do not use blank or short AppId/AppKey values.

You can if you choose have different AppId/AppKey pairs for each configured server - while this is a slightly more complex configuration it does allow you to have greater control of what can send where.

Secure the Publisher Route

All publish/pull requests in uSync publisher go via the umbraco/uSyncReceive route. this route can be secured in the main web.config of your site. for example the config below could be used to secure the route by IP address. (the IP Addresses would be of the server not the end-user)

<location path="umbraco/uSyncReceive">
 <system.webServer>
  <security>
   <ipSecurity allowUnlisted="false">
    <add allowed="true" ipAddress="192.168.0.1"  subnetMask="255.255.255.0"/>
    <add allowed="true" ipAddress="127.0.0.1" subnetMask="255.255.255.0"/>
   </ipSecurity>
  </security>
 </system.webServer>
</location>