Changes for page What an XWiki Security Review Should Actually Include

Last modified by Agnease on 2026/06/08 18:44

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments (1)
- History
- Information
- Likes

From 3.6 to 3.7 From 3.9 to 3.10

From version 3.7

edited by Agnease
on 2026/06/08 18:19

Change comment: There is no comment for this version

To version 3.9

edited by Agnease
on 2026/06/08 18:27

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -45,6 +45,11 @@
            </p>
            <p>
++            An XWiki security review is a practical audit of the platform configuration, access model,
++            authentication setup, installed extensions, custom code, infrastructure and recovery procedures.
++          </p>
++
++          <p>
              Security risks are often hidden in less visible areas: outdated versions, inherited permissions,
              forgotten administrator accounts, overly powerful rights, old extensions, undocumented scripts,
              weak fallback access or backup assumptions that were never tested.
@@ -122,7 +122,7 @@
              of small exceptions that nobody reviewed later.
            </p>
--         <p>
++          <p>
              For a deeper look at this topic, see
              <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>.
              For a practical starting point, see
@@ -176,7 +176,7 @@
                A structured review can check versions, access rights, authentication,
                extensions, custom code, infrastructure, backups and operational practices.
              </p>
--            <a class="btn btn-secondary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
++            <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
            </div>
            <h2 id="security-checklist">XWiki security review checklist</h2>
@@ -239,53 +239,70 @@
              permissions, extensions, customizations and recovery procedures were configured years earlier.
            </p>
--          <div class="resource-note">
++          <div class="resource-note related-resources">
++            <p><strong>Security review series:</strong></p>
++            <ul>
++              <li>
++                <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a>
++              </li>
++              <li>
++                <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
++              </li>
++              <li>
++                <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a>
++              </li>
++            </ul>
              <p>
--              <strong>Security review series:</strong>
--              this article is the main overview. You can also read
--              <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>
--              and
--              <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>.
--              Future topics will cover authentication and access control, script and programming rights, backup validation,
--              extension review and operational practices.
++              Future topics will cover authentication and access control, script and programming rights,
++              backup validation, extension review and operational practices.
              </p>
            </div>
            <h2 id="security-review-faq">XWiki security review FAQ</h2>
--          <h3>What should an XWiki security review include?</h3>
--          <p>
--            An XWiki security review should include the installed XWiki version, upgrade path,
--            access rights, groups, authentication setup, installed extensions, custom code,
--            infrastructure, backups, restore expectations and operational procedures.
--          </p>
++          <details class="resource-faq-item" open>
++            <summary>What should an XWiki security review include?</summary>
++            <p>
++              An XWiki security review should include the installed XWiki version, upgrade path,
++              access rights, groups, authentication setup, installed extensions, custom code,
++              infrastructure, backups, restore expectations and operational procedures.
++            </p>
++          </details>
--          <h3>Is an updated XWiki instance automatically secure?</h3>
--          <p>
--            No. Updating XWiki is important, but security also depends on permissions,
--            authentication, extensions, custom code, infrastructure configuration, backups
--            and how the instance is maintained.
--          </p>
++          <details class="resource-faq-item">
++            <summary>Is an updated XWiki instance automatically secure?</summary>
++            <p>
++              No. Updating XWiki is important, but security also depends on permissions,
++              authentication, extensions, custom code, infrastructure configuration, backups
++              and how the instance is maintained.
++            </p>
++          </details>
--          <h3>Does SSO solve XWiki access control?</h3>
--          <p>
--            No. SSO helps authenticate users, but access control still depends on XWiki groups,
--            inherited permissions, page-level rights and administrative privileges.
--          </p>
++          <details class="resource-faq-item">
++            <summary>Does SSO solve XWiki access control?</summary>
++            <p>
++              No. SSO helps authenticate users, but access control still depends on XWiki groups,
++              inherited permissions, page-level rights and administrative privileges.
++            </p>
++          </details>
--          <h3>Why should custom code be reviewed?</h3>
--          <p>
--            Custom scripts, templates, macros, UI extensions and Java components can affect
--            permissions, workflows, rendering, integrations and upgrade behavior. They should
--            be identified, documented and tested.
--          </p>
++          <details class="resource-faq-item">
++            <summary>Why should custom code be reviewed?</summary>
++            <p>
++              Custom scripts, templates, macros, UI extensions and Java components can affect
++              permissions, workflows, rendering, integrations and upgrade behavior. They should
++              be identified, documented and tested.
++            </p>
++          </details>
--          <h3>When should an XWiki security review be done?</h3>
--          <p>
--            A review is useful before a major upgrade, after years of organic growth, after
--            authentication changes, before exposing the wiki more broadly, or when the instance
--            becomes business-critical.
--          </p>
++          <details class="resource-faq-item">
++            <summary>When should an XWiki security review be done?</summary>
++            <p>
++              A review is useful before a major upgrade, after years of organic growth, after
++              authentication changes, before exposing the wiki more broadly, or when the instance
++              becomes business-critical.
++            </p>
++          </details>
            <div class="resource-note related-resources">
              <p><strong>Related resources:</strong></p>