The following are best practices that should be used when deploying Liferay to production.
Upgrade Liferay Portal #
Upgrade to the latest available version of Liferay Portal. Each release contains the latest security fixes and improvements.
Security Patches #
Deploy all available security patches. Security patches are published by the Community Security Team for the latest version of Liferay Portal.
For EE users, security patches are available in the Downloads section of the Customer Portal.
XSL Portlet #
Do not give permission to untrusted users to add the XSL Portlet to a page (alternatively, just disable the portlet). Due to the nature of XSL transformation, it is possible to use the XSL to access the system.
Portal Properties #
- Set "json.web.service.enabled" to "false" if you are not using JSON web services.
- Set "omniadmin.users" so that users with the Administrator role do not automatically have the Omniadmin role. Omniadmin users have access to the portal's core functionality (gc, shutdown, etc.).
- Do not set "redirect.url.domains.allowed" and "redirect.url.ips.allowed" to blank. Setting these properties to blank allows a phisher to redirect users to a different site.
- Do not set "session.enable.phishing.protection" to "false".
- Do not set "session.store.password" to "true": it makes passwords visible in heap dumps.
- Set "request.header.auth.import.from.ldap" to "true" only if you have a proper IDM in front of the portal that removes the header from client requests.
- Setting "ldap.import.user.password.enabled" to "false" together with "ldap.auth.required" to "false" allows users to log in without a password.
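The following audit script is an added example, not part of Liferay or of this page: it reads a portal-ext.properties override file and reports the risky values listed above. The sample file is constructed to trip every check; keys absent from the file are not judged, since the Liferay default for them depends on the version.

```python
# Constructed sample portal-ext.properties with every risky value set; not from a real deployment.
SAMPLE = """\
json.web.service.enabled=true
omniadmin.users=
redirect.url.domains.allowed=
redirect.url.ips.allowed=
session.enable.phishing.protection=false
session.store.password=true
request.header.auth.import.from.ldap=true
ldap.import.user.password.enabled=false
ldap.auth.required=false
"""

def parse_properties(text):
    """Minimal Java-properties parser: one key=value per line, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, finding) pairs for risky values. Keys absent from the override
    file are not judged, since the version-dependent Liferay default applies."""
    is_blank = lambda k: k in props and props[k] == ""
    is_true = lambda k: props.get(k, "").lower() == "true"
    is_false = lambda k: props.get(k, "").lower() == "false"
    findings = []
    if is_true("json.web.service.enabled"):
        findings.append(("json.web.service.enabled", "set to false unless JSON web services are used"))
    if is_blank("omniadmin.users"):
        findings.append(("omniadmin.users", "blank: every Administrator is also an Omniadmin"))
    for k in ("redirect.url.domains.allowed", "redirect.url.ips.allowed"):
        if is_blank(k):
            findings.append((k, "blank: users can be redirected to any site"))
    if is_false("session.enable.phishing.protection"):
        findings.append(("session.enable.phishing.protection", "phishing protection disabled"))
    if is_true("session.store.password"):
        findings.append(("session.store.password", "passwords will appear in heap dumps"))
    if is_true("request.header.auth.import.from.ldap"):
        findings.append(("request.header.auth.import.from.ldap", "confirm the IDM strips this header from client requests"))
    if is_false("ldap.import.user.password.enabled") and is_false("ldap.auth.required"):
        findings.append(("ldap.auth.required", "false together with ldap.import.user.password.enabled=false: login without a password"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```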