<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 01:06:58 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[DOCU-209] Security best practices</title>
                <link>https://jira.magnolia-cms.com/browse/DOCU-209</link>
                <project id="10190" key="DOCU">Documentation</project>
                    <description>&lt;p&gt;Write best practices and tips for Magnolia security. Examples:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Use physically separate permanent storage (databases) for author and public instances&lt;/li&gt;
	&lt;li&gt;Change the default superuser password!&lt;/li&gt;
	&lt;li&gt;You will eventually lock superuser out by accident. Fixes:
	&lt;ul&gt;
		&lt;li&gt;If you remember superuser&apos;s password, use &lt;a href=&quot;http://wiki.magnolia-cms.com/display/WIKI/Re-enabling+a+locked-out+account&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Re-enabling a locked-out account&lt;/a&gt;&lt;/li&gt;
		&lt;li&gt;If you don&apos;t remember superuser&apos;s password, use &lt;a href=&quot;http://wiki.magnolia-cms.com/display/WIKI/Reset+superuser+account&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Reset superuser account&lt;/a&gt;&lt;/li&gt;
		&lt;li&gt;If your security configuration is messed up, use &lt;a href=&quot;http://wiki.magnolia-cms.com/display/WIKI/Messed+Up+Security&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Rescue Security Support&lt;/a&gt;. The wiki page title matches content poorly, please edit the page and make it read like a procedure.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Create secure, usable passwords. Link to &lt;a href=&quot;http://www.baekdal.com/tips/password-security-usability&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Usability of Passwords&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Block the AdminCentral URI &lt;tt&gt;/.magnolia&lt;/tt&gt; with Apache or another Web server on a permanent basis for anybody except users inside the local network. If you have authors outside the local network this is not appropriate.&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="21590">DOCU-209</key>
            <summary>Security best practices</summary>
                <type id="5" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10896&amp;avatarType=issuetype">Sub-task</type>
                            <parent id="21420">DOCU-176</parent>
                                    <priority id="2" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/critical.svg">Critical</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="ruths">Ruth Stocks</assignee>
                                    <reporter username="ahietala">Antti Hietala</reporter>
                        <labels>
                    </labels>
                <created>Fri, 9 Sep 2011 15:08:18 +0200</created>
                <updated>Tue, 29 Jan 2013 15:14:47 +0100</updated>
                            <resolved>Mon, 31 Oct 2011 09:17:47 +0100</resolved>
                                                                    <component>content</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>0</watches>
                                                                                                                <comments>
                            <comment id="39260" author="had" created="Mon, 19 Sep 2011 10:41:39 +0200"  >&lt;p&gt;Already had 3 big customers requesting those guidelines in the last 2 weeks.&lt;/p&gt;</comment>
                            <comment id="39829" author="ruths" created="Tue, 11 Oct 2011 12:57:41 +0200"  >&lt;p&gt;Updated pages at:&lt;/p&gt;

&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;&lt;a href=&quot;http://docuauthor.magnolia-cms.com/administration/security/best-practices.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://docuauthor.magnolia-cms.com/administration/security/best-practices.html&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;http://wiki.magnolia-cms.com/display/WIKI/Messed+Up+Security&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://wiki.magnolia-cms.com/display/WIKI/Messed+Up+Security&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="39830" author="ahietala" created="Tue, 11 Oct 2011 14:08:15 +0200"  >&lt;p&gt;Feedback:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Page title is repeated as heading. Drop the heading.&lt;/li&gt;
	&lt;li&gt;Simplify language. In a &lt;a href=&quot;http://wiki.magnolia-cms.com/display/DOCU/Documentation+Style+Guide#DocumentationStyleGuide-Technicalwritingregister&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;technical writing register&lt;/a&gt; ambiguity doesn&apos;t usually help. &quot;&lt;del&gt;As a rule, it is advisable to&lt;/del&gt; store public and author databases in separate physical locations.&quot; It&apos;s OK to be direct and brief as long as you are correct.&lt;/li&gt;
	&lt;li&gt;Explain the &quot;why&quot; if you know. For example, why should author and public databases be on separate physical servers? Ask developers to validate your reasoning, or if you don&apos;t know the reason, ask them to explain. Not obvious to reader either.&lt;/li&gt;
	&lt;li&gt;Fourth bullet is incomplete. &lt;a href=&quot;http://documentation.magnolia-cms.com/cookbook/changing-an-author-instance-into-a-public-instance.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Anonymous access&lt;/a&gt; to &lt;tt&gt;./magnolia&lt;/tt&gt; and &lt;tt&gt;.magnolia/*&lt;/tt&gt; should be blocked with an ACL on both author and public instances in any case. Access for authorized users such as editors should be permitted on author instance. The question is, why should a public Magnolia instance be fronted with Apache. There are &lt;a href=&quot;http://forum.magnolia-cms.com/forum/thread.html?threadId=2d061292-319a-442e-bd25-755f8f13ad2b#29a0330a-3a5d-44ab-b617-efb22f05e9f4&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;many reasons why Apache is not needed&lt;/a&gt; so explain the &lt;a href=&quot;http://forum.magnolia-cms.com/forum/thread.html?threadId=6cc1dc7f-9547-401e-83c0-e467bac06392&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;security reason that trumps them&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Since these are best practices, link from &lt;a href=&quot;http://documentation.magnolia-cms.com/use-cases.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Use cases&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Thanks!&lt;/p&gt;</comment>
                            <comment id="40507" author="ahietala" created="Mon, 31 Oct 2011 09:17:47 +0100"  >&lt;p&gt;Added Zdenek&apos;s feedback on fronting Tomcat with Apache Web Server to &lt;a href=&quot;http://documentation.magnolia-cms.com/administration/security/best-practices.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Security best practices&lt;/a&gt;. Linked from &lt;a href=&quot;http://documentation.magnolia-cms.com/use-cases/security-best-practices.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Use cases&lt;/a&gt;.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 19 Sep 2011 10:41:39 +0200</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>false</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>mmuehlebach</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            12 years, 16 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>ahietala</customfieldvalue>
            <customfieldvalue>had</customfieldvalue>
            <customfieldvalue>ruths</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i0086n:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1362</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>