Changes for page XWiki Security Review
Last modified by Agnease on 2026/05/25 16:04
Summary
Page properties (2 modified, 0 added, 0 removed)
Objects (1 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 - xwiki-security-review1 +XWiki Security Review - Content
... ... @@ -1,27 +1,18 @@ 1 1 {{velocity}} 2 2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome')) 3 3 {{html clean="false"}} 4 - 5 5 ## PAGE HEADER 6 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">5 + <section class="hero hero-centered" aria-labelledby="hero-title"> 7 7 <div class="container hero-inner"> 8 8 <div class="hero-kicker"> 9 9 <i class="fa fa-shield" aria-hidden="true"></i> 10 10 XWiki security review 11 11 </div> 12 - 13 13 <h1 id="hero-title">Security-aware review for XWiki production environments</h1> 14 - 15 15 <p class="lead"> 16 - Understand the security postureof yourXWiki instanceby reviewingversions,extensions,rights,17 - authentication,configurationandupgrade exposure.13 + Review XWiki versions, extensions, permissions, authentication, configuration and upgrade exposure 14 + to identify practical security risks and define safer next steps. 18 18 </p> 19 - 20 - <p class="hero-support"> 21 - We help organizations identify practical security risks in their XWiki platform and define a clear path 22 - toward safer operation, maintenance and upgrades. 23 - </p> 24 - 25 25 <div class="hero-actions"> 26 26 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a> 27 27 <a class="btn btn-secondary" href="#security-review-process">See the review approach</a> ... ... 
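Review bot: dropping the `service-hero` class from the hero `<section>` should be checked against the `PublicWebSite.WebHome` stylesheet loaded by `$xwiki.ssx.use(...)`, since any rule keyed on `.service-hero` stops applying to this page; if no other page uses the class, remove that CSS as well. Folding the deleted `hero-support` paragraph into the single `<p class="lead">` reads fine, but the `.hero-support` rules become dead for this page in the same way.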
@@ -28,385 +28,281 @@ 28 28 </div> 29 29 </div> 30 30 </section> 31 - 32 32 ## WHY SECURITY REVIEW MATTERS 23 + #set ($securityReasonItems = [{ 24 + 'title': 'Understand upgrade exposure', 25 + 'icon': 'refresh', 26 + 'content': 'Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed against your current platform state.', 27 + 'items': [ 28 + 'Current version review', 29 + 'Upgrade gap assessment', 30 + 'LTS upgrade recommendations' 31 + ] 32 + },{ 33 + 'title': 'Review powerful rights', 34 + 'icon': 'key', 35 + 'content': 'Rights such as admin, programming, script and edit rights can affect the security of the whole platform when granted too broadly.', 36 + 'items': [ 37 + 'Admin and programming rights', 38 + 'Script and edit rights', 39 + 'Space and page permission inheritance' 40 + ] 41 + },{ 42 + 'title': 'Check access boundaries', 43 + 'icon': 'lock', 44 + 'content': 'Authentication, group synchronization and permissions should match the real access boundaries expected by the organization.', 45 + 'items': [ 46 + 'Authentication configuration', 47 + 'Group and user model', 48 + 'Restricted content visibility' 49 + ] 50 + }]) 33 33 <section aria-labelledby="why-security-title"> 34 34 <div class="container"> 35 35 <h2 id="why-security-title">Why review the security of an XWiki instance?</h2> 36 - 37 37 <p class="section-intro"> 38 38 XWiki often contains internal documentation, procedures, customer information, project knowledge, 39 39 workflows and restricted business data. Security depends not only on the XWiki version, but also on 40 40 extensions, authentication, user rights, scripting, configuration and operational practices. 
41 41 </p> 42 - 43 43 <div class="pathways"> 44 - <article class="pathway-card"> 45 - <div class="pathway-icon"> 46 - <i class="fa fa-refresh" aria-hidden="true"></i> 47 - </div> 48 - <h3>Understand upgrade exposure</h3> 49 - <p> 50 - Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed 51 - against your current platform state. 52 - </p> 53 - <ul> 54 - <li>Current version review</li> 55 - <li>Upgrade gap assessment</li> 56 - <li>LTS upgrade recommendations</li> 57 - </ul> 58 - </article> 59 - 60 - <article class="pathway-card"> 61 - <div class="pathway-icon"> 62 - <i class="fa fa-key" aria-hidden="true"></i> 63 - </div> 64 - <h3>Review powerful rights</h3> 65 - <p> 66 - Rights such as admin, programming, script and edit rights can affect the security of the whole platform 67 - when granted too broadly. 68 - </p> 69 - <ul> 70 - <li>Admin and programming rights</li> 71 - <li>Script and edit rights</li> 72 - <li>Space and page permission inheritance</li> 73 - </ul> 74 - </article> 75 - 76 - <article class="pathway-card"> 77 - <div class="pathway-icon"> 78 - <i class="fa fa-lock" aria-hidden="true"></i> 79 - </div> 80 - <h3>Check access boundaries</h3> 81 - <p> 82 - Authentication, group synchronization and permissions should match the real access boundaries expected 83 - by the organization. 
84 - </p> 85 - <ul> 86 - <li>Authentication configuration</li> 87 - <li>Group and user model</li> 88 - <li>Restricted content visibility</li> 89 - </ul> 90 - </article> 60 + #foreach ($entry in $securityReasonItems) 61 + <article class="pathway-card"> 62 + <div class="card-heading"> 63 + <div class="pathway-icon"> 64 + <i class="fa fa-$entry.icon" aria-hidden="true"></i> 65 + </div> 66 + <h3>$entry.title</h3> 67 + </div> 68 + <p>$entry.content</p> 69 + <ul> 70 + #foreach ($item in $entry.items) 71 + <li>$item</li> 72 + #end 73 + </ul> 74 + </article> 75 + #end 91 91 </div> 92 92 </div> 93 93 </section> 94 - 95 95 ## COMMON REVIEW AREAS 80 + #set ($securityReviewAreaItems = [{ 81 + 'title': 'XWiki version and upgrade status', 82 + 'icon': 'code-fork', 83 + 'content': 'Review of the current version, distance from supported releases, upgrade history and recommended update path.' 84 + },{ 85 + 'title': 'Installed extensions', 86 + 'icon': 'puzzle-piece', 87 + 'content': 'Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.' 88 + },{ 89 + 'title': 'Powerful user rights', 90 + 'icon': 'user-secret', 91 + 'content': 'Review of admin, programming, script, edit and application-related rights that may increase platform risk.' 92 + },{ 93 + 'title': 'Authentication configuration', 94 + 'icon': 'sign-in', 95 + 'content': 'Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.' 96 + },{ 97 + 'title': 'Permissions and visibility', 98 + 'icon': 'lock', 99 + 'content': 'Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.' 100 + },{ 101 + 'title': 'Configuration and deployment', 102 + 'icon': 'server', 103 + 'content': 'Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.' 
104 + }]) 96 96 <section class="services" aria-labelledby="review-areas-title"> 97 97 <div class="container"> 98 98 <h2 id="review-areas-title">Common security review areas</h2> 99 - 100 100 <p class="section-intro"> 101 101 The review focuses on practical XWiki security risks that can affect real production environments, 102 102 especially older instances, customized platforms and installations with complex access control. 103 103 </p> 104 - 105 105 <div class="services-grid"> 106 - <article class="service"> 107 - <div class="service-icon" aria-hidden="true"> 108 - <i class="fa fa-code-fork"></i> 109 - </div> 110 - <div class="service-body"> 111 - <h4>XWiki version and upgrade status</h4> 112 - <p> 113 - Review of the current version, distance from supported releases, upgrade history and recommended update path. 114 - </p> 115 - </div> 116 - </article> 117 - 118 - <article class="service"> 119 - <div class="service-icon" aria-hidden="true"> 120 - <i class="fa fa-puzzle-piece"></i> 121 - </div> 122 - <div class="service-body"> 123 - <h4>Installed extensions</h4> 124 - <p> 125 - Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features. 126 - </p> 127 - </div> 128 - </article> 129 - 130 - <article class="service"> 131 - <div class="service-icon" aria-hidden="true"> 132 - <i class="fa fa-user-secret"></i> 133 - </div> 134 - <div class="service-body"> 135 - <h4>Powerful user rights</h4> 136 - <p> 137 - Review of admin, programming, script, edit and application-related rights that may increase platform risk. 138 - </p> 139 - </div> 140 - </article> 141 - 142 - <article class="service"> 143 - <div class="service-icon" aria-hidden="true"> 144 - <i class="fa fa-sign-in"></i> 145 - </div> 146 - <div class="service-body"> 147 - <h4>Authentication configuration</h4> 148 - <p> 149 - Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior. 
150 - </p> 151 - </div> 152 - </article> 153 - 154 - <article class="service"> 155 - <div class="service-icon" aria-hidden="true"> 156 - <i class="fa fa-lock"></i> 157 - </div> 158 - <div class="service-body"> 159 - <h4>Permissions and visibility</h4> 160 - <p> 161 - Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity. 162 - </p> 163 - </div> 164 - </article> 165 - 166 - <article class="service"> 167 - <div class="service-icon" aria-hidden="true"> 168 - <i class="fa fa-server"></i> 169 - </div> 170 - <div class="service-body"> 171 - <h4>Configuration and deployment</h4> 172 - <p> 173 - Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks. 174 - </p> 175 - </div> 176 - </article> 113 + #foreach ($entry in $securityReviewAreaItems) 114 + <article class="service"> 115 + <div class="service-icon" aria-hidden="true"> 116 + <i class="fa fa-$entry.icon"></i> 117 + </div> 118 + <div class="service-body"> 119 + <h4>$entry.title</h4> 120 + <p>$entry.content</p> 121 + </div> 122 + </article> 123 + #end 177 177 </div> 178 178 </div> 179 179 </section> 180 - 181 181 ## REVIEW APPROACH 128 + #set ($securityReviewProcessItems = [{ 129 + 'title': 'Review the current platform state', 130 + 'content': 'XWiki version, extensions, configuration, authentication, deployment model and known customizations.' 131 + },{ 132 + 'title': 'Assess access and rights', 133 + 'content': 'User groups, powerful rights, permission inheritance, public visibility and restricted content areas.' 134 + },{ 135 + 'title': 'Identify security-relevant risks', 136 + 'content': 'Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.' 137 + },{ 138 + 'title': 'Prioritize recommended actions', 139 + 'content': 'Classify findings by practical impact and define realistic remediation steps.' 
140 + },{ 141 + 'title': 'Plan follow-up improvements', 142 + 'content': 'Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.' 143 + }]) 182 182 <section id="security-review-process" class="split-section" aria-labelledby="process-title"> 183 183 <div class="container"> 184 184 <div class="split-grid"> 185 185 <div class="split-copy"> 186 186 <h2 id="process-title">A practical security review approach</h2> 187 - 188 188 <p> 189 189 The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce 190 190 a generic checklist. A useful review should consider the version, configuration, customizations, extensions, 191 191 users, groups and operational context together. 192 192 </p> 193 - 194 194 <p> 195 195 The review is handled carefully and responsibly. The goal is to provide actionable findings and safer 196 196 next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance. 197 197 </p> 198 198 </div> 199 - 200 200 <ol class="process-list"> 201 - <li> 202 - <strong>Review the current platform state</strong> 203 - XWiki version, extensions, configuration, authentication, deployment model and known customizations. 204 - </li> 205 - <li> 206 - <strong>Assess access and rights</strong> 207 - User groups, powerful rights, permission inheritance, public visibility and restricted content areas. 208 - </li> 209 - <li> 210 - <strong>Identify security-relevant risks</strong> 211 - Version exposure, configuration issues, risky rights, outdated components or operational weaknesses. 212 - </li> 213 - <li> 214 - <strong>Prioritize recommended actions</strong> 215 - Classify findings by practical impact and define realistic remediation steps. 216 - </li> 217 - <li> 218 - <strong>Plan follow-up improvements</strong> 219 - Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations. 
220 - </li> 160 + #foreach ($entry in $securityReviewProcessItems) 161 + <li> 162 + <strong>$entry.title</strong> 163 + $entry.content 164 + </li> 165 + #end 221 221 </ol> 222 222 </div> 223 223 </div> 224 224 </section> 225 - 226 226 ## WHAT CAN BE INCLUDED 171 + #set ($securityIncludedItems = [{ 172 + 'title': 'Version review', 173 + 'icon': 'refresh', 174 + 'content': 'Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.' 175 + },{ 176 + 'title': 'Rights review', 177 + 'icon': 'key', 178 + 'content': 'Review of admin, programming, script, edit and view rights across important spaces and user groups.' 179 + },{ 180 + 'title': 'Authentication review', 181 + 'icon': 'sign-in', 182 + 'content': 'Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.' 183 + },{ 184 + 'title': 'Findings report', 185 + 'icon': 'file-text-o', 186 + 'content': 'Practical summary of findings, risks, recommended actions and follow-up priorities.' 187 + }]) 227 227 <section aria-labelledby="included-title"> 228 228 <div class="container"> 229 229 <h2 id="included-title">What can be included</h2> 230 - 231 231 <p class="section-intro"> 232 232 The scope can be adjusted depending on the sensitivity of the instance, the age of the platform, 233 233 the number of users and the complexity of the configuration. 234 234 </p> 235 - 236 236 <div class="widgets"> 237 - <article class="widget"> 238 - <div class="icon" aria-hidden="true"> 239 - <i class="fa fa-refresh"></i> 240 - <h4>Version<br />review</h4> 241 - </div> 242 - <p> 243 - Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path. 
244 - </p> 245 - </article> 246 - 247 - <article class="widget"> 248 - <div class="icon" aria-hidden="true"> 249 - <i class="fa fa-key"></i> 250 - <h4>Rights<br />review</h4> 251 - </div> 252 - <p> 253 - Review of admin, programming, script, edit and view rights across important spaces and user groups. 254 - </p> 255 - </article> 256 - 257 - <article class="widget"> 258 - <div class="icon" aria-hidden="true"> 259 - <i class="fa fa-sign-in"></i> 260 - <h4>Authentication<br />review</h4> 261 - </div> 262 - <p> 263 - Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration. 264 - </p> 265 - </article> 266 - 267 - <article class="widget"> 268 - <div class="icon" aria-hidden="true"> 269 - <i class="fa fa-file-text-o"></i> 270 - <h4>Findings<br />report</h4> 271 - </div> 272 - <p> 273 - Practical summary of findings, risks, recommended actions and follow-up priorities. 274 - </p> 275 - </article> 196 + #foreach ($entry in $securityIncludedItems) 197 + <article class="widget"> 198 + <div class="icon" aria-hidden="true"> 199 + <i class="fa fa-$entry.icon"></i> 200 + <h4>$entry.title</h4> 201 + </div> 202 + <p>$entry.content</p> 203 + </article> 204 + #end 276 276 </div> 277 277 </div> 278 278 </section> 279 - 280 280 ## IMPORTANT CONSIDERATIONS 209 + #set ($securityConsiderationItems = [{ 210 + 'title': 'Responsible vulnerability handling', 211 + 'icon': 'eye-slash', 212 + 'content': 'Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.' 213 + },{ 214 + 'title': 'Risk-based prioritization', 215 + 'icon': 'balance-scale', 216 + 'content': 'Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.' 217 + },{ 218 + 'title': 'User and group complexity', 219 + 'icon': 'users', 220 + 'content': 'Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.' 
221 + },{ 222 + 'title': 'Custom code and scripting', 223 + 'icon': 'code', 224 + 'content': 'Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.' 225 + },{ 226 + 'title': 'Upgrade as remediation', 227 + 'icon': 'refresh', 228 + 'content': 'In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.' 229 + },{ 230 + 'title': 'Actionable next steps', 231 + 'icon': 'check-square-o', 232 + 'content': 'The review should lead to clear remediation actions, not only a list of theoretical concerns.' 233 + }]) 281 281 <section class="services" aria-labelledby="considerations-title"> 282 282 <div class="container"> 283 283 <h2 id="considerations-title">Important considerations</h2> 284 - 285 285 <p class="section-intro"> 286 286 A security review should be practical, careful and aligned with the way the XWiki instance is actually used. 287 287 The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information. 288 288 </p> 289 - 290 290 <div class="services-grid"> 291 - <article class="service"> 292 - <div class="service-icon" aria-hidden="true"> 293 - <i class="fa fa-eye-slash"></i> 294 - </div> 295 - <div class="service-body"> 296 - <h4>Responsible vulnerability handling</h4> 297 - <p> 298 - Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details. 299 - </p> 300 - </div> 301 - </article> 302 - 303 - <article class="service"> 304 - <div class="service-icon" aria-hidden="true"> 305 - <i class="fa fa-balance-scale"></i> 306 - </div> 307 - <div class="service-body"> 308 - <h4>Risk-based prioritization</h4> 309 - <p> 310 - Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context. 
311 - </p> 312 - </div> 313 - </article> 314 - 315 - <article class="service"> 316 - <div class="service-icon" aria-hidden="true"> 317 - <i class="fa fa-users"></i> 318 - </div> 319 - <div class="service-body"> 320 - <h4>User and group complexity</h4> 321 - <p> 322 - Directory synchronization, group mappings and rights inheritance can create hidden access-control risks. 323 - </p> 324 - </div> 325 - </article> 326 - 327 - <article class="service"> 328 - <div class="service-icon" aria-hidden="true"> 329 - <i class="fa fa-code"></i> 330 - </div> 331 - <div class="service-body"> 332 - <h4>Custom code and scripting</h4> 333 - <p> 334 - Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior. 335 - </p> 336 - </div> 337 - </article> 338 - 339 - <article class="service"> 340 - <div class="service-icon" aria-hidden="true"> 341 - <i class="fa fa-refresh"></i> 342 - </div> 343 - <div class="service-body"> 344 - <h4>Upgrade as remediation</h4> 345 - <p> 346 - In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version. 347 - </p> 348 - </div> 349 - </article> 350 - 351 - <article class="service"> 352 - <div class="service-icon" aria-hidden="true"> 353 - <i class="fa fa-check-square-o"></i> 354 - </div> 355 - <div class="service-body"> 356 - <h4>Actionable next steps</h4> 357 - <p> 358 - The review should lead to clear remediation actions, not only a list of theoretical concerns. 
359 - </p> 360 - </div> 361 - </article> 242 + #foreach ($entry in $securityConsiderationItems) 243 + <article class="service"> 244 + <div class="service-icon" aria-hidden="true"> 245 + <i class="fa fa-$entry.icon"></i> 246 + </div> 247 + <div class="service-body"> 248 + <h4>$entry.title</h4> 249 + <p>$entry.content</p> 250 + </div> 251 + </article> 252 + #end 362 362 </div> 363 363 </div> 364 364 </section> 365 - 366 366 ## RELATED SERVICES 257 + #set ($relatedSecurityServiceItems = [{ 258 + 'title': 'XWiki Upgrade Services', 259 + 'url': 'services.xwiki-upgrades', 260 + 'content': 'Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.', 261 + 'linkLabel': 'View upgrade services' 262 + },{ 263 + 'title': 'Authentication & Access Control', 264 + 'url': 'services.xwiki-authentication-access-control', 265 + 'content': 'LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.', 266 + 'linkLabel': 'View access control services' 267 + }]) 367 367 <section class="resource-strip" aria-labelledby="related-title"> 368 368 <div class="container"> 369 369 <h2 id="related-title">Related XWiki services</h2> 370 - 371 371 <p class="section-intro"> 372 372 Security review often connects naturally with upgrades, maintenance and access-control improvements. 373 373 </p> 374 - 375 375 <div class="resource-grid"> 376 - <article class="resource-card"> 377 - <h4>XWiki Upgrade Services</h4> 378 - <p> 379 - Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification. 380 - </p> 381 - <a href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a> 382 - </article> 383 - 384 - <article class="resource-card"> 385 - <h4>Authentication & Access Control</h4> 386 - <p> 387 - LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support. 
388 - </p> 389 - <a href="$xwiki.getURL('services.xwiki-authentication-access-control')">View access control services</a> 390 - </article> 275 + #foreach ($entry in $relatedSecurityServiceItems) 276 + <article class="resource-card"> 277 + <h4>$entry.title</h4> 278 + <p>$entry.content</p> 279 + <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a> 280 + </article> 281 + #end 391 391 </div> 392 392 </div> 393 393 </section> 394 - 395 395 ## CTA 396 396 <section class="cta-section" aria-labelledby="cta-title"> 397 397 <div class="container"> 398 398 <div class="cta-panel"> 399 399 <h2 id="cta-title">Need a security review for your XWiki instance?</h2> 400 - 401 401 <p> 402 402 Send your current XWiki version, hosting model, authentication setup, approximate user/group structure 403 403 and any specific security concerns you want to address. A short description is enough to start the review. 404 404 </p> 405 - 406 406 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a> 407 407 </div> 408 408 </div> 409 409 </section> 410 - 411 411 {{/html}} 412 412 {{/velocity}}
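Review bot: `$entry.title` and `$entry.content` are now interpolated straight into markup under `{{html clean="false"}}` without escaping, and the `relatedSecurityServiceItems` title `'Authentication & Access Control'` carries a bare `&` inside `<h4>`, which is invalid HTML (the hand-written `<h4>Authentication & Access Control</h4>` being removed had the same defect). Emit the values through `$escapetool.xml(...)`, e.g. `<h4>$escapetool.xml($entry.title)</h4>` and `<p>$escapetool.xml($entry.content)</p>`, or at least write `&amp;` in the data; escaping at the output point also keeps the template safe if these lists are ever filled from anything other than page-local literals. Two smaller points: the widget headings lose their explicit `<br />` (`Version<br />review` becomes `Version review`), which changes the card layout unless the stylesheet handles wrapping, and the new `card-heading` wrapper around the pathway icon and `<h3>` needs a matching rule in the SSX. `$xwiki.getURL($entry.url)` with the same document-name strings as the former literal calls resolves identically, so the links are unaffected.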
- Agnease.Code.SEODetailsClass[0]
- metaTitle
... ... @@ -1,1 +1,1 @@ 1 -XWiki Security Review |Version, Rights and ConfigurationChecks1 +XWiki Security Review for Versions, Rights and Configuration | Agnease