Wiki source code of xwiki-security-review

Last modified by Alex Cotiugă on 2026/05/12 13:08

{{velocity}}
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
{{html clean="false"}}

## PAGE HEADER
<section class="hero hero-centered service-hero" aria-labelledby="hero-title">
<div class="container hero-inner">
<div class="hero-kicker">
<i class="fa fa-shield" aria-hidden="true"></i>
XWiki security review
</div>

<h1 id="hero-title">Security-aware review for XWiki production environments</h1>

<p class="lead">
Understand the security posture of your XWiki instance by reviewing versions, extensions, rights,
authentication, configuration and upgrade exposure.
</p>

<p class="hero-support">
We help organizations identify practical security risks in their XWiki platform and define a clear path
toward safer operation, maintenance and upgrades.
</p>

<div class="hero-actions">
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
<a class="btn btn-secondary" href="#security-review-process">See the review approach</a>
</div>
</div>
</section>

## WHY SECURITY REVIEW MATTERS
<section aria-labelledby="why-security-title">
<div class="container">
<h2 id="why-security-title">Why review the security of an XWiki instance?</h2>

<p class="section-intro">
XWiki often contains internal documentation, procedures, customer information, project knowledge,
workflows and restricted business data. Security depends not only on the XWiki version, but also on
extensions, authentication, user rights, scripting, configuration and operational practices.
</p>

<div class="pathways">
<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-refresh" aria-hidden="true"></i>
</div>
<h3>Understand upgrade exposure</h3>
<p>
Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed
against your current platform state.
</p>
<ul>
<li>Current version review</li>
<li>Upgrade gap assessment</li>
<li>LTS upgrade recommendations</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-key" aria-hidden="true"></i>
</div>
<h3>Review powerful rights</h3>
<p>
Rights such as admin, programming, script and edit rights can affect the security of the whole platform
when granted too broadly.
</p>
<ul>
<li>Admin and programming rights</li>
<li>Script and edit rights</li>
<li>Space and page permission inheritance</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-lock" aria-hidden="true"></i>
</div>
<h3>Check access boundaries</h3>
<p>
Authentication, group synchronization and permissions should match the real access boundaries expected
by the organization.
</p>
<ul>
<li>Authentication configuration</li>
<li>Group and user model</li>
<li>Restricted content visibility</li>
</ul>
</article>
</div>
</div>
</section>

## COMMON REVIEW AREAS
<section class="services" aria-labelledby="review-areas-title">
<div class="container">
<h2 id="review-areas-title">Common security review areas</h2>

<p class="section-intro">
The review focuses on practical XWiki security risks that can affect real production environments,
especially older instances, customized platforms and installations with complex access control.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-code-fork"></i>
</div>
<div class="service-body">
<h4>XWiki version and upgrade status</h4>
<p>
Review of the current version, distance from supported releases, upgrade history and recommended update path.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-puzzle-piece"></i>
</div>
<div class="service-body">
<h4>Installed extensions</h4>
<p>
Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-user-secret"></i>
</div>
<div class="service-body">
<h4>Powerful user rights</h4>
<p>
Review of admin, programming, script, edit and application-related rights that may increase platform risk.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-sign-in"></i>
</div>
<div class="service-body">
<h4>Authentication configuration</h4>
<p>
Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-lock"></i>
</div>
<div class="service-body">
<h4>Permissions and visibility</h4>
<p>
Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-server"></i>
</div>
<div class="service-body">
<h4>Configuration and deployment</h4>
<p>
Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.
</p>
</div>
</article>
</div>
</div>
</section>

## REVIEW APPROACH
<section id="security-review-process" class="split-section" aria-labelledby="process-title">
<div class="container">
<div class="split-grid">
<div class="split-copy">
<h2 id="process-title">A practical security review approach</h2>

<p>
The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce
a generic checklist. A useful review should consider the version, configuration, customizations, extensions,
users, groups and operational context together.
</p>

<p>
The review is handled carefully and responsibly. The goal is to provide actionable findings and safer
next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance.
</p>
</div>

<ol class="process-list">
<li>
<strong>Review the current platform state</strong>
XWiki version, extensions, configuration, authentication, deployment model and known customizations.
</li>
<li>
<strong>Assess access and rights</strong>
User groups, powerful rights, permission inheritance, public visibility and restricted content areas.
</li>
<li>
<strong>Identify security-relevant risks</strong>
Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.
</li>
<li>
<strong>Prioritize recommended actions</strong>
Classify findings by practical impact and define realistic remediation steps.
</li>
<li>
<strong>Plan follow-up improvements</strong>
Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.
</li>
</ol>
</div>
</div>
</section>

## WHAT CAN BE INCLUDED
<section aria-labelledby="included-title">
<div class="container">
<h2 id="included-title">What can be included</h2>

<p class="section-intro">
The scope can be adjusted depending on the sensitivity of the instance, the age of the platform,
the number of users and the complexity of the configuration.
</p>

<div class="widgets">
<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-refresh"></i>
<h4>Version<br />review</h4>
</div>
<p>
Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-key"></i>
<h4>Rights<br />review</h4>
</div>
<p>
Review of admin, programming, script, edit and view rights across important spaces and user groups.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-sign-in"></i>
<h4>Authentication<br />review</h4>
</div>
<p>
Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-file-text-o"></i>
<h4>Findings<br />report</h4>
</div>
<p>
Practical summary of findings, risks, recommended actions and follow-up priorities.
</p>
</article>
</div>
</div>
</section>

## IMPORTANT CONSIDERATIONS
<section class="services" aria-labelledby="considerations-title">
<div class="container">
<h2 id="considerations-title">Important considerations</h2>

<p class="section-intro">
A security review should be practical, careful and aligned with the way the XWiki instance is actually used.
The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-eye-slash"></i>
</div>
<div class="service-body">
<h4>Responsible vulnerability handling</h4>
<p>
Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-balance-scale"></i>
</div>
<div class="service-body">
<h4>Risk-based prioritization</h4>
<p>
Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-users"></i>
</div>
<div class="service-body">
<h4>User and group complexity</h4>
<p>
Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-code"></i>
</div>
<div class="service-body">
<h4>Custom code and scripting</h4>
<p>
Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-refresh"></i>
</div>
<div class="service-body">
<h4>Upgrade as remediation</h4>
<p>
In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-check-square-o"></i>
</div>
<div class="service-body">
<h4>Actionable next steps</h4>
<p>
The review should lead to clear remediation actions, not only a list of theoretical concerns.
</p>
</div>
</article>
</div>
</div>
</section>

## RELATED SERVICES
<section class="resource-strip" aria-labelledby="related-title">
<div class="container">
<h2 id="related-title">Related XWiki services</h2>

<p class="section-intro">
Security review often connects naturally with upgrades, maintenance and access-control improvements.
</p>

<div class="resource-grid">
<article class="resource-card">
<h4>XWiki Upgrade Services</h4>
<p>
Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.
</p>
<a href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a>
</article>

<article class="resource-card">
<h4>Authentication &amp; Access Control</h4>
<p>
LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.
</p>
<a href="$xwiki.getURL('services.xwiki-authentication-access-control')">View access control services</a>
</article>
</div>
</div>
</section>

## CTA
<section class="cta-section" aria-labelledby="cta-title">
<div class="container">
<div class="cta-panel">
<h2 id="cta-title">Need a security review for your XWiki instance?</h2>

<p>
Send your current XWiki version, hosting model, authentication setup, approximate user/group structure
and any specific security concerns you want to address. A short description is enough to start the review.
</p>

<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
</div>
</div>
</section>

{{/html}}
{{/velocity}}