uSync.Publisher is sending your content and media between Umbraco instances, and as such security and integrity of the messages been sent is paramount.
uSync.Publisher signs all communications with a HMAC authentication key using the AppId and AppKey settings from the
uSync.Publish.Config file. but alongside this you should include some basic security configuration to secure your sites.
While uSync.Publisher doesn't force HTTPS communication between Umbraco instances it is strongly recommended that you do use HTTPs protocols when setting up server addresses.
use AppId/AppKey values¶
When uSync.Publisher first runs it will generate a AppId and AppKey value for the config, it is recommended you then use this value to communicate between servers (making sure all servers have the same config) - Do not use blank or short AppId/AppKey values.
You can if you choose have different AppId/AppKey pairs for each configured server - while this is a slightly more complex configuration it does allow you to have greater control of what can send where.
Secure the Publisher Route¶
All publish/pull requests in uSync publisher go via the
umbraco/uSyncReceive route. this route can be secured in the main
web.config of your site. for example the config below could be used to secure the route by IP address. (the IP Addresses would be of the server not the end-user)
<location path="umbraco/uSyncReceive"> <system.webServer> <security> <ipSecurity allowUnlisted="false"> <add allowed="true" ipAddress="192.168.0.1" subnetMask="255.255.255.0"/> <add allowed="true" ipAddress="127.0.0.1" subnetMask="255.255.255.0"/> </ipSecurity> </security> </system.webServer> </location>