Skip to Content
Last modified by Agnease on 2026/06/08 18:44
From version 3.11
edited by Agnease
on 2026/06/08 18:30
Change comment: There is no comment for this version
To version 3.6
edited by Agnease
on 2026/06/08 18:18
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -45,11 +45,6 @@
45 45   </p>
46 46  
47 47   <p>
48 - An XWiki security review is a practical audit of the platform configuration, access model,
49 - authentication setup, installed extensions, custom code, infrastructure and recovery procedures.
50 - </p>
51 -
52 - <p>
53 53   Security risks are often hidden in less visible areas: outdated versions, inherited permissions,
54 54   forgotten administrator accounts, overly powerful rights, old extensions, undocumented scripts,
55 55   weak fallback access or backup assumptions that were never tested.
... ... @@ -127,7 +127,7 @@
127 127   of small exceptions that nobody reviewed later.
128 128   </p>
129 129  
130 - <p>
125 + <p>
131 131   For a deeper look at this topic, see
132 132   <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>.
133 133   For a practical starting point, see
... ... @@ -181,7 +181,7 @@
181 181   A structured review can check versions, access rights, authentication,
182 182   extensions, custom code, infrastructure, backups and operational practices.
183 183   </p>
184 - <a class="btn btn-default" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
179 + <a class="btn btn-secondary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
185 185   </div>
186 186  
187 187   <h2 id="security-checklist">XWiki security review checklist</h2>
... ... @@ -244,87 +244,63 @@
244 244   permissions, extensions, customizations and recovery procedures were configured years earlier.
245 245   </p>
246 246  
247 - <div class="resource-note related-resources">
248 - <p><strong>Security review series:</strong></p>
249 - <ul>
250 - <li>
251 - <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a>
252 - </li>
253 - <li>
254 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
255 - </li>
256 - <li>
257 - <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a>
258 - </li>
259 - </ul>
242 + <div class="resource-note">
260 260   <p>
261 - Future topics will cover authentication and access control, script and programming rights,
262 - backup validation, extension review and operational practices.
244 + <strong>Security review series:</strong>
245 + this article is the main overview. You can also read
246 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>
247 + and
248 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>.
249 + Future topics will cover authentication and access control, script and programming rights, backup validation,
250 + extension review and operational practices.
263 263   </p>
264 264   </div>
265 265  
266 266   <h2 id="security-review-faq">XWiki security review FAQ</h2>
267 267  
268 - <details class="resource-faq-item" open>
269 - <summary>What should an XWiki security review include?</summary>
270 - <p>
271 - An XWiki security review should include the installed XWiki version, upgrade path,
272 - access rights, groups, authentication setup, installed extensions, custom code,
273 - infrastructure, backups, restore expectations and operational procedures.
274 - </p>
275 - </details>
256 + <h3>What should an XWiki security review include?</h3>
257 + <p>
258 + An XWiki security review should include the installed XWiki version, upgrade path,
259 + access rights, groups, authentication setup, installed extensions, custom code,
260 + infrastructure, backups, restore expectations and operational procedures.
261 + </p>
276 276  
277 - <details class="resource-faq-item">
278 - <summary>Is an updated XWiki instance automatically secure?</summary>
279 - <p>
280 - No. Updating XWiki is important, but security also depends on permissions,
281 - authentication, extensions, custom code, infrastructure configuration, backups
282 - and how the instance is maintained.
283 - </p>
284 - </details>
263 + <h3>Is an updated XWiki instance automatically secure?</h3>
264 + <p>
265 + No. Updating XWiki is important, but security also depends on permissions,
266 + authentication, extensions, custom code, infrastructure configuration, backups
267 + and how the instance is maintained.
268 + </p>
285 285  
286 - <details class="resource-faq-item">
287 - <summary>Does SSO solve XWiki access control?</summary>
288 - <p>
289 - No. SSO helps authenticate users, but access control still depends on XWiki groups,
290 - inherited permissions, page-level rights and administrative privileges.
291 - </p>
292 - </details>
270 + <h3>Does SSO solve XWiki access control?</h3>
271 + <p>
272 + No. SSO helps authenticate users, but access control still depends on XWiki groups,
273 + inherited permissions, page-level rights and administrative privileges.
274 + </p>
293 293  
294 - <details class="resource-faq-item">
295 - <summary>Why should custom code be reviewed?</summary>
296 - <p>
297 - Custom scripts, templates, macros, UI extensions and Java components can affect
298 - permissions, workflows, rendering, integrations and upgrade behavior. They should
299 - be identified, documented and tested.
300 - </p>
301 - </details>
276 + <h3>Why should custom code be reviewed?</h3>
277 + <p>
278 + Custom scripts, templates, macros, UI extensions and Java components can affect
279 + permissions, workflows, rendering, integrations and upgrade behavior. They should
280 + be identified, documented and tested.
281 + </p>
302 302  
303 - <details class="resource-faq-item">
304 - <summary>When should an XWiki security review be done?</summary>
283 + <h3>When should an XWiki security review be done?</h3>
284 + <p>
285 + A review is useful before a major upgrade, after years of organic growth, after
286 + authentication changes, before exposing the wiki more broadly, or when the instance
287 + becomes business-critical.
288 + </p>
289 +
290 + <div class="resource-note">
305 305   <p>
306 - A review is useful before a major upgrade, after years of organic growth, after
307 - authentication changes, before exposing the wiki more broadly, or when the instance
308 - becomes business-critical.
292 + Related resources:
293 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
294 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>,
295 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>
296 + and
297 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>.
309 309   </p>
310 - </details>
311 -
312 - <div class="resource-note related-resources">
313 - <p><strong>Related resources:</strong></p>
314 - <ul>
315 - <li>
316 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
317 - </li>
318 - <li>
319 - <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a>
320 - </li>
321 - <li>
322 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a>
323 - </li>
324 - <li>
325 - <a href="$xwiki.getURL('resources.xwiki-custom-development')">How to keep XWiki custom development maintainable across upgrades</a>
326 - </li>
327 - </ul>
328 328   </div>
329 329  
330 330   <div class="resource-cta">