Skip to content
← Turn your feedback into functionality

CMS PaaS (Content Management System)

CMS PaaS (Content Management System)

Categories

JUMP TO ANOTHER FORUM

(thinking…)

Welcome! 👋

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback

7 results found

  1. Implement SRI attributes for injected JavaScript & Styles

    The Optimizely PAAS CMS platform has multiple touchpoints where scripts are injected into the frontend UI. Examples include Optimizely Forms, Content Recommendations, Search & Navigation etc.

    When these scripts are injected into the UI, they are not added with a Sub-resource Integrity attribute. An SRI check allows us to instruct the browser that it should not load a tampered version of a JS or CSS file and can protect users from man in the middle attacks. You can read more about SRI here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

    This is a commonly reported issue in penetration tests and clients are becoming increasingly more security…

    10 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    New  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  2. Use more secure ciphers by default

    When performing a security check for a DXP site on internet.nl the result is that "Your web server does not prefer 'Good' over 'Sufficient' over 'Phase out' ciphers" and "Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.".

    I suggest that more secure ciphers should be used on all DXP sites by default. The more secure ciphers are referred to as "Modern", "Compatible", and "Legacy" in the cloudflare documentation. https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/

    6 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    Gathering Feedback  ·  1 comment  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  3. Redirect page after expiration

    It would be great if it is possible te set a redirection (just like in the no-found handler) when a page is expired and is replaced by another page in the website. This would make the process much more user-friendly.

    3 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    New  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  4. Security

    We are currently using Anglian water Optimizely CMS 11 and to strengthen our bot mitigation capabilities, we would like to implement Cloudflare Bot Management, including fingerprinting mechanisms for advanced bot detection.
    We understand that fingerprinting is a separate product offered by Cloudflare and is not currently included in the Optimizely DXP offering.

    We are requesting your Implement to:

    1. Implement Cloudflare Bot Management within our existing Optimizely CMS 11 setup.
    2. Integrate fingerprinting mechanisms to enhance bot detection and protection. 3.Configure real-time anomaly detection to throttle traffic from suspicious ASNs or geolocations.
    1 vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    New  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  5. Please use more secure ciphers by default

    When performing a security check for a DXP site on internet.nl the result is that "Your web server does not prefer 'Good' over 'Sufficient' over 'Phase out' ciphers" and "Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.".
    I suggest that more secure ciphers should be used on all DXP sites by default. The more secure ciphers are referred to as "Modern", "Compatible", and "Legacy" in the cloudflare documentation. https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/

    2 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    Committed  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  6. Potential security risk in <Import Data> feature

    The file upload used in the [Import Data] feature in the Settings interface does not limit the file extensions to .episerverdata only. Other file extensions can be uploaded (including files in a zipped file, which may pose security threat to the platform. Specially, when uploading a zipped antivirus test file, the system will display <Import successful>.
    Allowing an undesirable or malicious file to reside on a system—even if it is not immediately executed or processed—constitutes a security vulnerability in itself. "Unrestricted upload of file with dangerous type" is formally documented as a common weakness under CWE-434, highlighting that simply permitting…

    1 vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    Research & Design  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

  7. Web page listing security bulletins for Optimizely products

    We would like a single point of truth for identified security issues so that we can support our clients.
    Ideally this would include affected products/versions as well as suggested patches or remedies.
    Ideally this would include all Optimizely products, not just CMS or Commerce.

    16 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    Gathering Feedback  ·  0 comments  ·  Security & Compliance  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
  • Don't see your idea?