Changes for page What an XWiki Security Review Should Actually Include
Last modified by Agnease on 2026/06/08 18:44
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
Page properties
Content
... ... @@ -45,6 +45,11 @@ 45 45 </p> 46 46 47 47 <p> 48 + An XWiki security review is a practical audit of the platform configuration, access model, 49 + authentication setup, installed extensions, custom code, infrastructure and recovery procedures. 50 + </p> 51 + 52 + <p> 48 48 Security risks are often hidden in less visible areas: outdated versions, inherited permissions, 49 49 forgotten administrator accounts, overly powerful rights, old extensions, undocumented scripts, 50 50 weak fallback access or backup assumptions that were never tested. ... ... @@ -123,7 +123,10 @@ 123 123 </p> 124 124 125 125 <p> 126 - For a deeper look at this topic, see <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>. 131 + For a deeper look at this topic, see 132 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>. 133 + For a practical starting point, see 134 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>. 127 127 </p> 128 128 129 129 <h3>3. Authentication and identity management</h3> ... ... @@ -173,7 +173,7 @@ 173 173 A structured review can check versions, access rights, authentication, 174 174 extensions, custom code, infrastructure, backups and operational practices. 175 175 </p> 176 - <a class="btn btn- secondary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>184 + <a class="btn btn-default" href="$xwiki.getURL('contact.WebHome')">Request a security review</a> 177 177 </div> 178 178 179 179 <h2 id="security-checklist">XWiki security review checklist</h2> ... ... 
@@ -236,60 +236,87 @@ 236 236 permissions, extensions, customizations and recovery procedures were configured years earlier. 237 237 </p> 238 238 239 - <div class="resource-note"> 247 + <div class="resource-note related-resources"> 248 + <p><strong>Security review series:</strong></p> 249 + <ul> 250 + <li> 251 + <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a> 252 + </li> 253 + <li> 254 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a> 255 + </li> 256 + <li> 257 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a> 258 + </li> 259 + </ul> 240 240 <p> 241 - <strong>Security review series:</strong> 242 - this article is the main overview. You can also read 243 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>. 244 - Future topics will cover authentication and access control, script and programming rights, backup validation, 245 - extension review and operational practices. 261 + Future topics will cover authentication and access control, script and programming rights, 262 + backup validation, extension review and operational practices. 246 246 </p> 247 247 </div> 248 248 249 249 <h2 id="security-review-faq">XWiki security review FAQ</h2> 250 250 251 - <h3>What should an XWiki security review include?</h3> 252 - <p> 253 - An XWiki security review should include the installed XWiki version, upgrade path, 254 - access rights, groups, authentication setup, installed extensions, custom code, 255 - infrastructure, backups, restore expectations and operational procedures. 
256 - </p> 268 + <details class="resource-faq-item" open> 269 + <summary>What should an XWiki security review include?</summary> 270 + <p> 271 + An XWiki security review should include the installed XWiki version, upgrade path, 272 + access rights, groups, authentication setup, installed extensions, custom code, 273 + infrastructure, backups, restore expectations and operational procedures. 274 + </p> 275 + </details> 257 257 258 - <h3>Is an updated XWiki instance automatically secure?</h3> 259 - <p> 260 - No. Updating XWiki is important, but security also depends on permissions, 261 - authentication, extensions, custom code, infrastructure configuration, backups 262 - and how the instance is maintained. 263 - </p> 277 + <details class="resource-faq-item"> 278 + <summary>Is an updated XWiki instance automatically secure?</summary> 279 + <p> 280 + No. Updating XWiki is important, but security also depends on permissions, 281 + authentication, extensions, custom code, infrastructure configuration, backups 282 + and how the instance is maintained. 283 + </p> 284 + </details> 264 264 265 - <h3>Does SSO solve XWiki access control?</h3> 266 - <p> 267 - No. SSO helps authenticate users, but access control still depends on XWiki groups, 268 - inherited permissions, page-level rights and administrative privileges. 269 - </p> 286 + <details class="resource-faq-item"> 287 + <summary>Does SSO solve XWiki access control?</summary> 288 + <p> 289 + No. SSO helps authenticate users, but access control still depends on XWiki groups, 290 + inherited permissions, page-level rights and administrative privileges. 291 + </p> 292 + </details> 270 270 271 - <h3>Why should custom code be reviewed?</h3> 272 - <p> 273 - Custom scripts, templates, macros, UI extensions and Java components can affect 274 - permissions, workflows, rendering, integrations and upgrade behavior. They should 275 - be identified, documented and tested. 
276 - </p> 294 + <details class="resource-faq-item"> 295 + <summary>Why should custom code be reviewed?</summary> 296 + <p> 297 + Custom scripts, templates, macros, UI extensions and Java components can affect 298 + permissions, workflows, rendering, integrations and upgrade behavior. They should 299 + be identified, documented and tested. 300 + </p> 301 + </details> 277 277 278 - <h3>When should an XWiki security review be done?</h3> 279 - <p> 280 - A review is useful before a major upgrade, after years of organic growth, after 281 - authentication changes, before exposing the wiki more broadly, or when the instance 282 - becomes business-critical. 283 - </p> 284 - 285 - <div class="resource-note"> 303 + <details class="resource-faq-item"> 304 + <summary>When should an XWiki security review be done?</summary> 286 286 <p> 287 - Related resources: 288 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>, 289 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a> 290 - and 291 - <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>. 306 + A review is useful before a major upgrade, after years of organic growth, after 307 + authentication changes, before exposing the wiki more broadly, or when the instance 308 + becomes business-critical. 
292 292 </p> 310 + </details> 311 + 312 + <div class="resource-note related-resources"> 313 + <p><strong>Related resources:</strong></p> 314 + <ul> 315 + <li> 316 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a> 317 + </li> 318 + <li> 319 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a> 320 + </li> 321 + <li> 322 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a> 323 + </li> 324 + <li> 325 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">How to keep XWiki custom development maintainable across upgrades</a> 326 + </li> 327 + </ul> 293 293 </div> 294 294 295 295 <div class="resource-cta">
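Review bot: In the first hunk (@@ -45,6 +45,11 @@), the new definition paragraph's scope list does not match the FAQ answer later in the same page: it names "platform configuration, access model, authentication setup, installed extensions, custom code, infrastructure and recovery procedures", while the FAQ says a review "should include the installed XWiki version, upgrade path, access rights, groups, authentication setup, installed extensions, custom code, infrastructure, backups, restore expectations and operational procedures". Version/upgrade path and operational procedures are missing from the new paragraph, and since it is the reader's first statement of what the review covers, suggest aligning the two lists (for example adding "installed version and upgrade path" and "operational practices") so the article's definition and its FAQ agree.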
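Review bot: In the second hunk (@@ -123,7 +123,10 @@), the added cross-link `<a href="$xwiki.getURL('resources.xwiki-access-rights-review')">` assumes the page `resources.xwiki-access-rights-review` already exists; `$xwiki.getURL(...)` builds a URL from the reference without checking that the target is there, so if that article is still unpublished the reader lands on a missing page. Suggest confirming the target exists (or publishing both pages together) before this change goes live. Splitting the sentence across lines 131-134 is fine for readability and does not change the rendered output.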
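Review bot: In the third hunk (@@ -173,7 +173,7 @@), the old `class="btn btn- secondary"` contained a stray space, so the element carried the classes `btn`, `btn-` and `secondary` and received no button-variant styling; replacing it with `btn btn-default` fixes that. One caveat: `btn-default` is the Bootstrap 3 class name, and Bootstrap 4 and later renamed it to `btn-secondary`. Please confirm which Bootstrap version the wiki's skin ships; if it is 4+, the intended fix is `class="btn btn-secondary"` (without the space) rather than `btn-default`.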
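Review bot: In the fourth hunk (@@ -236,60 +236,87 @@), replacing each FAQ `<h3>` with `<details class="resource-faq-item"><summary>…</summary>` drops the heading semantics: the five questions no longer appear in the document outline or in assistive-technology heading navigation, and only the first item carries `open`, so four answers are collapsed until clicked. Suggest keeping a heading inside the summary, e.g. `<summary><h3>Is an updated XWiki instance automatically secure?</h3></summary>` (a `<summary>` may contain one heading element), and deciding deliberately whether the first item alone should be expanded or all items should start in the same state. Separately, the new "Security review series" list and the rewritten "Related resources" list now repeat the same three links (`resources.xwiki-security-review`, `resources.xwiki-access-rights-governance`, `resources.xwiki-access-rights-review`), and the series list links the page to itself; consider dropping the self-link or marking it as the current article, and keeping only the two upgrade/custom-development links in "Related resources" to avoid the duplication.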