Securing Tridion Sites
Tridion Sites supports a wide range of security frameworks to secure every part of its architecture.
- Supported authentication methods
Tridion Sites supports various authentication methods across the product suite, including Tridion Access Management. For supported applications, you can use Access Management to configure authentication using your choice of Identity Provider (IdP) and authentication protocol.
- Note about database passwords
Depending on the specific database you are securing, avoid the use of special characters in your database passwords.
- Using Tridion Access Management
Tridion Access Management (or simply Access Management) provides a single, simplified interface for managing access for end users, applications and APIs.
- Content Manager security
Ensuring the security of your Content Manager environment is a broad topic that involves configuring and managing security settings for the server-side environment, secure access to the database, and the client-side access and permissions for individual applications.
- Add-ons feature security
By default, the Add-on service is installed without security, meaning that any user can perform any operation using the user interface or API. While this may be acceptable in a development environment, in a production environment, RWS strongly recommends that you restrict access to the service. The Add-on service can be accessed by users with different roles, to provide varying levels of access.
- Experience Optimization security
This section describes the Experience Optimization subsystems and services and the rights and privileges each part requires.
- Topology Manager security
By default, Topology Manager is installed without security, meaning that any user can perform any operation using the user interface or API. While this may be acceptable in a development environment, in a production environment, RWS strongly recommends that you restrict access to the service. Topology Manager can be accessed by users with different roles, to provide varying levels of access.
- Translation Manager security
By default, Translation Manager is installed without security. While this may be acceptable in a development environment, in a production environment, RWS strongly recommends that you implement security measures.
- Content Delivery security
This section describes the subsystems and services of Content Delivery, the default user accounts used to access and run these subsystems, and the minimal rights, privileges and/or permissions required by an account to operate a subsystem.
- Securing Tridion Sites web interfaces against CSRF
Several of the web-based user interfaces in Tridion Sites communicate with a server-side UI framework, including the Content Manager Explorer and Experience Manager. To guard these UIs against cross-site request forgery (CSRF), configure anti-CSRF security on the Content Manager server.
- References and links
For information on security in general, refer to the following resources.