Wiki source code of XWiki Security Review

Last modified by Agnease on 2026/05/25 16:04

{{velocity}}
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
{{html clean="false"}}
## PAGE HEADER
<section class="hero hero-centered" aria-labelledby="hero-title">
<div class="container hero-inner">
<div class="hero-kicker">
<i class="fa fa-shield" aria-hidden="true"></i>
XWiki security review
</div>
<h1 id="hero-title">Security-aware review for XWiki production environments</h1>
<p class="lead">
Review XWiki versions, extensions, permissions, authentication, configuration and upgrade exposure
to identify practical security risks and define safer next steps.
</p>
<div class="hero-actions">
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
<a class="btn btn-secondary" href="#security-review-process">See the review approach</a>
</div>
</div>
</section>
## WHY SECURITY REVIEW MATTERS
#set ($securityReasonItems = [{
'title': 'Understand upgrade exposure',
'icon': 'refresh',
'content': 'Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed against your current platform state.',
'items': [
'Current version review',
'Upgrade gap assessment',
'LTS upgrade recommendations'
]
},{
'title': 'Review powerful rights',
'icon': 'key',
'content': 'Rights such as admin, programming, script and edit rights can affect the security of the whole platform when granted too broadly.',
'items': [
'Admin and programming rights',
'Script and edit rights',
'Space and page permission inheritance'
]
},{
'title': 'Check access boundaries',
'icon': 'lock',
'content': 'Authentication, group synchronization and permissions should match the real access boundaries expected by the organization.',
'items': [
'Authentication configuration',
'Group and user model',
'Restricted content visibility'
]
}])
<section aria-labelledby="why-security-title">
<div class="container">
<h2 id="why-security-title">Why review the security of an XWiki instance?</h2>
<p class="section-intro">
XWiki often contains internal documentation, procedures, customer information, project knowledge,
workflows and restricted business data. Security depends not only on the XWiki version, but also on
extensions, authentication, user rights, scripting, configuration and operational practices.
</p>
<div class="pathways">
#foreach ($entry in $securityReasonItems)
<article class="pathway-card">
<div class="card-heading">
<div class="pathway-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>
<p>$entry.content</p>
<ul>
#foreach ($item in $entry.items)
<li>$item</li>
#end
</ul>
</article>
#end
</div>
</div>
</section>
## COMMON REVIEW AREAS
#set ($securityReviewAreaItems = [{
'title': 'XWiki version and upgrade status',
'icon': 'code-fork',
'content': 'Review of the current version, distance from supported releases, upgrade history and recommended update path.'
},{
'title': 'Installed extensions',
'icon': 'puzzle-piece',
'content': 'Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.'
},{
'title': 'Powerful user rights',
'icon': 'user-secret',
'content': 'Review of admin, programming, script, edit and application-related rights that may increase platform risk.'
},{
'title': 'Authentication configuration',
'icon': 'sign-in',
'content': 'Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.'
},{
'title': 'Permissions and visibility',
'icon': 'lock',
'content': 'Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.'
},{
'title': 'Configuration and deployment',
'icon': 'server',
'content': 'Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.'
}])
<section class="services" aria-labelledby="review-areas-title">
<div class="container">
<h2 id="review-areas-title">Common security review areas</h2>
<p class="section-intro">
The review focuses on practical XWiki security risks that can affect real production environments,
especially older instances, customized platforms and installations with complex access control.
</p>
<div class="services-grid">
#foreach ($entry in $securityReviewAreaItems)
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-$entry.icon"></i>
</div>
<div class="service-body">
<h4>$entry.title</h4>
<p>$entry.content</p>
</div>
</article>
#end
</div>
</div>
</section>
## REVIEW APPROACH
#set ($securityReviewProcessItems = [{
'title': 'Review the current platform state',
'content': 'XWiki version, extensions, configuration, authentication, deployment model and known customizations.'
},{
'title': 'Assess access and rights',
'content': 'User groups, powerful rights, permission inheritance, public visibility and restricted content areas.'
},{
'title': 'Identify security-relevant risks',
'content': 'Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.'
},{
'title': 'Prioritize recommended actions',
'content': 'Classify findings by practical impact and define realistic remediation steps.'
},{
'title': 'Plan follow-up improvements',
'content': 'Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.'
}])
<section id="security-review-process" class="split-section" aria-labelledby="process-title">
<div class="container">
<div class="split-grid">
<div class="split-copy">
<h2 id="process-title">A practical security review approach</h2>
<p>
The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce
a generic checklist. A useful review should consider the version, configuration, customizations, extensions,
users, groups and operational context together.
</p>
<p>
The review is handled carefully and responsibly. The goal is to provide actionable findings and safer
next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance.
</p>
</div>
<ol class="process-list">
#foreach ($entry in $securityReviewProcessItems)
<li>
<strong>$entry.title</strong>
$entry.content
</li>
#end
</ol>
</div>
</div>
</section>
## WHAT CAN BE INCLUDED
#set ($securityIncludedItems = [{
'title': 'Version review',
'icon': 'refresh',
'content': 'Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.'
},{
'title': 'Rights review',
'icon': 'key',
'content': 'Review of admin, programming, script, edit and view rights across important spaces and user groups.'
},{
'title': 'Authentication review',
'icon': 'sign-in',
'content': 'Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.'
},{
'title': 'Findings report',
'icon': 'file-text-o',
'content': 'Practical summary of findings, risks, recommended actions and follow-up priorities.'
}])
<section aria-labelledby="included-title">
<div class="container">
<h2 id="included-title">What can be included</h2>
<p class="section-intro">
The scope can be adjusted depending on the sensitivity of the instance, the age of the platform,
the number of users and the complexity of the configuration.
</p>
<div class="widgets">
#foreach ($entry in $securityIncludedItems)
<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-$entry.icon"></i>
<h4>$entry.title</h4>
</div>
<p>$entry.content</p>
</article>
#end
</div>
</div>
</section>
## IMPORTANT CONSIDERATIONS
#set ($securityConsiderationItems = [{
'title': 'Responsible vulnerability handling',
'icon': 'eye-slash',
'content': 'Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.'
},{
'title': 'Risk-based prioritization',
'icon': 'balance-scale',
'content': 'Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.'
},{
'title': 'User and group complexity',
'icon': 'users',
'content': 'Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.'
},{
'title': 'Custom code and scripting',
'icon': 'code',
'content': 'Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.'
},{
'title': 'Upgrade as remediation',
'icon': 'refresh',
'content': 'In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.'
},{
'title': 'Actionable next steps',
'icon': 'check-square-o',
'content': 'The review should lead to clear remediation actions, not only a list of theoretical concerns.'
}])
<section class="services" aria-labelledby="considerations-title">
<div class="container">
<h2 id="considerations-title">Important considerations</h2>
<p class="section-intro">
A security review should be practical, careful and aligned with the way the XWiki instance is actually used.
The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information.
</p>
<div class="services-grid">
#foreach ($entry in $securityConsiderationItems)
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-$entry.icon"></i>
</div>
<div class="service-body">
<h4>$entry.title</h4>
<p>$entry.content</p>
</div>
</article>
#end
</div>
</div>
</section>
## RELATED SERVICES
#set ($relatedSecurityServiceItems = [{
'title': 'XWiki Upgrade Services',
'url': 'services.xwiki-upgrades',
'content': 'Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.',
'linkLabel': 'View upgrade services'
},{
'title': 'Authentication & Access Control',
'url': 'services.xwiki-authentication-access-control',
'content': 'LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.',
'linkLabel': 'View access control services'
}])
<section class="resource-strip" aria-labelledby="related-title">
<div class="container">
<h2 id="related-title">Related XWiki services</h2>
<p class="section-intro">
Security review often connects naturally with upgrades, maintenance and access-control improvements.
</p>
<div class="resource-grid">
#foreach ($entry in $relatedSecurityServiceItems)
<article class="resource-card">
<h4>$entry.title</h4>
<p>$entry.content</p>
<a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a>
</article>
#end
</div>
</div>
</section>
## CTA
<section class="cta-section" aria-labelledby="cta-title">
<div class="container">
<div class="cta-panel">
<h2 id="cta-title">Need a security review for your XWiki instance?</h2>
<p>
Send your current XWiki version, hosting model, authentication setup, approximate user/group structure
and any specific security concerns you want to address. A short description is enough to start the review.
</p>
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
</div>
</div>
</section>
{{/html}}
{{/velocity}}