Securing Liferay

Liferay is built with security in mind. This includes mitigation of common security vulnerabilities and exploits like those described by the OWASP Top 10 and the CWE/SANS Top 25.

There are several aspects of securing a Liferay installation—including, but not limited to, following the best security practices for your hosting environment, database, search provider, application server, and Liferay itself.

Note

Liferay relies on the application server for sanitizing CRLF in HTTP headers. You must ensure this is configured properly on the application server.

Here you’ll learn the basic elements to secure Liferay. This includes configuring how users authenticate to your Liferay installation, authorizing users with permissions, configuring secure access to Liferay web services, and fine-tuning security features on an as-needed basis.

Important

Customers are advised to deploy security patches as they are released. For community and CE installations, we recommend always using the latest community release, which contains all previous security patches.

Authentication

Liferay authentication is flexible. By default, users log into Liferay by using the Sign In widget, which uses the database to authenticate the user. By default, guests can use the Sign In widget to create accounts with default permissions. Nearly every element of the default authentication experience can be changed by an administrator. For example,

To learn more, see Authentication Basics.

Permissions

Liferay has a robust role-based access control (RBAC) system. Users can be assigned to sites, teams, user groups, or organizations. Custom Roles can be created, permissions can be assigned to these roles, and those roles can be assigned to users. Roles are scoped to apply only in a specific context, such as a site, organization, or globally. See Roles and Permissions for more information.

Securing Web Services

Liferay web services have a multi-layered and configurable approach to security and authorization:

See Introduction to Securing Web Services to learn more.

Security Headers not Added by Liferay

Liferay does not add certain security headers in the HTTP request and response.

  • X-XSS-Protection: This header has been deprecated starting from Liferay DXP 7.4 and above. See the recommendations from OWASP and Mozilla.
  • Strict-Transport-Security: You must configure this in your application server and not on Liferay.
  • Cross-origin resource sharing (CORS): Starting from Liferay 7.2 and above, you can set up CORS within Liferay. See Setting up CORS for more information.
  • Public-Key-Pins: You must configure this in your web server.
  • Content-Security-Policy: This is available as a beta feature and appears in the request if configured. See Configuring Content Security Policy Headers for more information.

Fine-Tuning Security

There are many ways to fine-tune or disable additional security features:

  • Configure Liferay’s HTTPS web server address.
  • Configure the list of allowed servers to which users can be redirected.
  • Configure the list of portlets that can be accessed from any page.
  • Configure the file types allowed to be uploaded and downloaded.

These features can be configured using portal properties.

Warning

Liferay’s philosophy is “secure by default.” Please exercise significant caution when modifying security-specific defaults or white-lists. Such actions may lead to security misconfiguration and an insecure deployment.

For more information about securing a Liferay installation, please see our security statement, the community security team, and the resources listed on those pages.

There are additional security plugins available from Liferay Marketplace.

Next Steps

Capabilities

Product

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy