Cosmos is designed for the Azure cloud, leveraging its performance capabilities and advanced security features such as firewall and CDN integration, along with single sign-on and MFA. This article outlines things you can do to ensure your Cosmos website is more secure.
Note: Most of the practices mentioned below are applicable to nearly any Azure App Service, not exclusively Cosmos.
If you need help implementing any of the following, please contact us! We are here to help.
When Cosmos is installed, it creates the database and storage objects it needs in order to work. Once installation is complete, disable this setup capability: doing so hardens your security, is required if you switch to password-less connections, and speeds up Cosmos startup time.
Using the Azure Portal, open the “Environment variables” for the editor App Service. Edit the variable “CosmosAllowSetup” and set it to “false”.
Stop, wait several seconds, then start your Editor App Service.
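The same change, done with the Azure CLI instead of the Portal, as an added example (this is not a script from the Cosmos project): it sets CosmosAllowSetup to false on the Editor App Service, stops it, waits, starts it, and reads the setting back. It assumes `az login` has been run; cosmos-rg and cosmos-editor are placeholder names. Setting DRY_RUN=1 makes the script print each az command instead of executing it, so it can be rehearsed before touching a real subscription.

```shell
#!/bin/sh
# Added example (not the Cosmos project's own script): the Portal steps above done
# with the Azure CLI. Assumes `az login` has been run; cosmos-rg / cosmos-editor are
# placeholder names you replace.
# DRY_RUN=1 prints each az command to stderr instead of running it and returns the
# placeholder "dryrun" on stdout, so the script can be rehearsed offline.
az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    echo dryrun
  else
    command az "$@"
  fi
}

# Set CosmosAllowSetup on the Editor App Service, then stop, wait, and start it so
# the new value is in effect. Only the literal strings true/false are accepted, so a
# typo such as "False " cannot silently leave the setup feature enabled.
disable_cosmos_setup() {
  rg="$1"; app="$2"; value="${3:-false}"
  case "$value" in
    true|false) ;;
    *) echo "CosmosAllowSetup must be 'true' or 'false', got '$value'" >&2; return 2 ;;
  esac
  az webapp config appsettings set --resource-group "$rg" --name "$app" \
     --settings "CosmosAllowSetup=$value" --output none
  az webapp stop --resource-group "$rg" --name "$app"
  sleep "${RESTART_DELAY:-10}"      # the "wait several seconds" from the steps above
  az webapp start --resource-group "$rg" --name "$app"
}

# Read the setting back afterwards; expect "false" once setup is disabled.
check_cosmos_setup() {
  rg="$1"; app="$2"
  az webapp config appsettings list --resource-group "$rg" --name "$app" \
     --query "[?name=='CosmosAllowSetup'].value | [0]" --output tsv
}

# Usage:
#   disable_cosmos_setup cosmos-rg cosmos-editor && check_cosmos_setup cosmos-rg cosmos-editor
```

Run it once with DRY_RUN=1 to see the exact commands, then without it against the real Editor App Service; the final check should print false.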
A notable feature of Cosmos is its built-in ability to connect its components, for example the web apps to Cosmos DB or Azure Storage, using “password-less” authentication, which enhances security within the Azure ecosystem. Moving to password-less connections can offer several benefits:
For more information, see this article on how to convert Cosmos from key-based or password-based connections to password-less, or “managed identity”, connections for Azure Storage and Cosmos DB.
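The identity side of a password-less connection, as an added example that is not part of the Cosmos project or the article referenced above: it enables the Editor App Service's system-assigned managed identity and grants that identity data-plane access, scoped to one Storage account and one Cosmos DB (NoSQL) account, with the built-in data roles rather than account keys. It assumes `az login`; cosmos-rg, cosmos-editor, cosmosstorage and cosmos-db are placeholder names, and the Cosmos settings that switch the app itself to endpoint-only connections are left to the linked article. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the Cosmos project's own script): enable the Editor's managed
# identity and grant it least-privilege data access to Storage and Cosmos DB.
# Assumes `az login`; cosmos-rg, cosmos-editor, cosmosstorage, cosmos-db are
# placeholder names.
# DRY_RUN=1 prints each az command to stderr instead of running it and returns the
# placeholder "dryrun" on stdout.
az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    echo dryrun
  else
    command az "$@"
  fi
}

# Least privilege: data-plane roles scoped to the single account, not Owner or
# Contributor on the subscription.
STORAGE_ROLE="Storage Blob Data Contributor"
# Cosmos DB has its own RBAC; this is the built-in "Cosmos DB Built-in Data Contributor".
COSMOS_DATA_CONTRIBUTOR="00000000-0000-0000-0000-000000000002"

grant_passwordless_access() {
  rg="$1"; app="$2"; storage="$3"; cosmos="$4"
  # 1. Enable the system-assigned identity and capture its object id.
  principal=$(az webapp identity assign --resource-group "$rg" --name "$app" \
                --query principalId --output tsv)
  [ -n "$principal" ] || { echo "no principalId returned for $app" >&2; return 1; }
  # 2. Storage: resolve the account's resource id so the assignment is scoped to it.
  storage_id=$(az storage account show --resource-group "$rg" --name "$storage" \
                 --query id --output tsv)
  az role assignment create --assignee-object-id "$principal" \
     --assignee-principal-type ServicePrincipal \
     --role "$STORAGE_ROLE" --scope "$storage_id" --output none
  # 3. Cosmos DB: scope "/" is the whole account; narrow it to "/dbs/<db>" when one
  #    database is enough.
  az cosmosdb sql role assignment create --resource-group "$rg" --account-name "$cosmos" \
     --role-definition-id "$COSMOS_DATA_CONTRIBUTOR" --principal-id "$principal" --scope "/"
}

# Audit what the account currently grants; the Editor's principal should be the
# only application identity listed.
list_cosmos_assignments() {
  az cosmosdb sql role assignment list --resource-group "$1" --account-name "$2" --output table
}

# Usage:
#   grant_passwordless_access cosmos-rg cosmos-editor cosmosstorage cosmos-db
#   list_cosmos_assignments cosmos-rg cosmos-db
```

Once the roles are in place and the app has been switched to endpoint-only settings, the key-based settings can be removed and the account keys rotated, so a key that leaked earlier no longer grants anything.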
Azure Virtual Network (VNET) offers a robust layer of security for website hosting by enabling secure and private communication between Azure resources. VNET allows you to isolate your web apps and services within a private network, ensuring that they are protected from unauthorized access. It provides advanced security features like network security groups (NSGs), which allow you to control inbound and outbound traffic to your resources, and Azure DDoS Protection, which safeguards your applications from distributed denial of service attacks. With VNET, you can also create virtual appliances like firewalls to further enhance your security posture. Overall, Azure VNET empowers you to build a highly secure, compliant, and resilient network infrastructure for your web applications.
See the Microsoft article on setting up a VNET.
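A concrete VNET layout of the kind the paragraph describes, as an added example that is neither the Cosmos project's script nor the Microsoft article referenced above: a VNET with a subnet delegated to App Service, service endpoints so the Storage and Cosmos DB firewalls can admit only that subnet, an NSG on the subnet that allows those two services by service tag and denies other Internet-bound traffic, and regional VNET integration for the Editor App Service. It assumes `az login`; cosmos-rg, cosmos-vnet, apps, cosmos-editor and the address prefixes are placeholders, and the `--vnet-route-all-enabled` flag is assumed to be available in your CLI version. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the Cosmos project's own script): VNET + delegated subnet +
# service endpoints + NSG + regional VNET integration for the Editor App Service.
# Assumes `az login`; all names and prefixes are placeholders.
# DRY_RUN=1 prints each az command to stderr instead of running it and returns the
# placeholder "dryrun" on stdout.
az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    echo dryrun
  else
    command az "$@"
  fi
}

# Refuse anything but RFC 1918 space for the VNET so a pasted public range never
# becomes the address plan of a private network.
private_prefix() {
  case "$1" in
    10.*/*|192.168.*/*) return 0 ;;
    172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
    *) return 1 ;;
  esac
}

create_app_vnet() {
  rg="$1"; vnet="$2"; subnet="$3"; vnet_prefix="$4"; subnet_prefix="$5"
  private_prefix "$vnet_prefix" || { echo "refusing non-private prefix $vnet_prefix" >&2; return 2; }
  az network vnet create --resource-group "$rg" --name "$vnet" --address-prefix "$vnet_prefix" \
     --subnet-name "$subnet" --subnet-prefix "$subnet_prefix" --output none
  # Regional VNET integration needs the subnet delegated to App Service; service
  # endpoints let the Storage / Cosmos DB firewalls admit traffic only from this subnet.
  az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
     --delegations Microsoft.Web/serverFarms \
     --service-endpoints Microsoft.Storage Microsoft.AzureCosmosDB --output none
  # The NSG on the integration subnet governs the app's outbound traffic: allow the
  # two Azure services by service tag, deny everything else headed for the Internet.
  # Add further Allow rules (e.g. AzureKeyVault) above the deny for services you use.
  nsg="$vnet-nsg"
  az network nsg create --resource-group "$rg" --name "$nsg" --output none
  az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name allow-storage-out \
     --priority 100 --direction Outbound --access Allow --protocol Tcp \
     --destination-address-prefixes Storage --destination-port-ranges 443 --output none
  az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name allow-cosmosdb-out \
     --priority 110 --direction Outbound --access Allow --protocol Tcp \
     --destination-address-prefixes AzureCosmosDB --destination-port-ranges 443 --output none
  az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name deny-internet-out \
     --priority 4000 --direction Outbound --access Deny --protocol '*' \
     --destination-address-prefixes Internet --destination-port-ranges '*' --output none
  az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
     --network-security-group "$nsg" --output none
}

# Attach the Editor to the subnet. By default App Service routes only private
# (RFC 1918) destinations into the VNET; route-all (flag assumed to exist in your
# CLI version) sends everything that way so the NSG rules above apply to all egress.
integrate_webapp() {
  rg="$1"; app="$2"; vnet="$3"; subnet="$4"
  az webapp vnet-integration add --resource-group "$rg" --name "$app" \
     --vnet "$vnet" --subnet "$subnet" --output none
  az webapp config set --resource-group "$rg" --name "$app" --vnet-route-all-enabled true --output none
}

# Usage:
#   create_app_vnet cosmos-rg cosmos-vnet apps 10.20.0.0/16 10.20.1.0/24
#   integrate_webapp cosmos-rg cosmos-editor cosmos-vnet apps
```

After integration, point the Storage and Cosmos DB account firewalls at the `apps` subnet and remove "all networks" access; the service endpoints created above are what make those firewall rules possible.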
A Web Application Firewall (WAF) enhances your website's security by filtering and monitoring HTTP/HTTPS traffic between a web application and the internet. It acts as a shield, protecting against common threats such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). WAFs operate by inspecting incoming traffic and blocking malicious requests before they reach the server, ensuring that your web applications remain secure and functional. This layer of defense is particularly crucial in safeguarding sensitive user data and maintaining the integrity of your web applications. By using a WAF, you can significantly reduce the risk of data breaches and cyber-attacks, ensuring a safer online experience for your users.
Cosmos was built to work with Azure Front Door and Sucuri Firewall/CDN. See these articles on how to implement each.
Cosmos comes with built-in OAuth support for Google and Microsoft, and the Publisher also has built-in support for Microsoft Entra ID B2C. Cosmos can easily be extended to allow login with nearly 100 more providers, including Apple, GitHub, and Okta. You can also disable local website accounts that log in with an email address.
Logging in with an OAuth provider such as Microsoft or Google offers substantial security benefits over local web accounts with email. These platforms employ robust multi-factor authentication (MFA) and advanced threat detection systems to safeguard user identities. By using a single sign-on (SSO) with these trusted providers, users benefit from their rigorous security protocols, including encryption, regular security updates, and real-time monitoring for suspicious activities. Additionally, centralizing authentication through Microsoft or Google reduces the risk of credential theft and phishing attacks, since these platforms are better equipped to detect and prevent such threats. In essence, leveraging their sophisticated security frameworks ensures a safer and more streamlined user experience across multiple web applications.
See our article about setting up login with Google or Microsoft for more information.
The Editor App Service is designed for creating and managing content on your Cosmos site, while the Publisher App Service hosts the website for your audience. The Publisher primarily supports read-only access, and the Editor is for modifying content. Best practice is to restrict access to the Editor as much as possible. This can be achieved by configuring the Editor App Service, or the Web Application Firewall if one is in use, to permit connections only from a specific set of known IP addresses. This requires your web developers or content managers to have IP addresses that do not change, also known as “static IP addresses.”
If their addresses change, an alternative method is to acquire a VPN with a private or dedicated IP, and then grant access to those IP(s) for your Editor.
For more information please see the following:
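The App Service side of that restriction, as an added example that is not the Cosmos project's script: it adds one Allow rule per known static address (or VPN egress address) to the Editor App Service's access restrictions and applies the same rules to the SCM/Kudu site. Because one mistyped entry would turn an allow-list into allow-all, each address is validated first and 0.0.0.0/0 or any mask wider than /8 is refused. It assumes `az login`; cosmos-rg, cosmos-editor and the addresses are placeholders. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the Cosmos project's own script): allow-list the Editor App
# Service to a set of static addresses with App Service access restrictions.
# Assumes `az login`; cosmos-rg, cosmos-editor and the addresses are placeholders.
# DRY_RUN=1 prints each az command to stderr instead of running it and returns the
# placeholder "dryrun" on stdout.
az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    echo dryrun
  else
    command az "$@"
  fi
}

# Accept a single IPv4 host or CIDR. Refuse 0.0.0.0/0 and any mask wider than /8,
# since a typo here would silently open the Editor to the whole Internet.
valid_cidr() {
  ip="${1%/*}"; mask="${1#*/}"
  [ "$ip" = "$1" ] && mask=32            # bare address: treat as a /32 host
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$ip" | tr '.' ' '); do [ "$octet" -le 255 ] || return 1; done
  echo "$mask" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$mask" -ge 8 ] && [ "$mask" -le 32 ]
}

# restrict_editor RG APP ADDRESS...   (each ADDRESS is an IPv4 host or CIDR)
restrict_editor() {
  rg="$1"; app="$2"; shift 2
  priority=100
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "refusing address '$cidr'" >&2; return 2; }
    case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac
    az webapp config access-restriction add --resource-group "$rg" --name "$app" \
       --rule-name "editor-$priority" --action Allow --ip-address "$cidr" --priority "$priority"
    priority=$((priority + 10))
  done
  # As soon as one Allow rule exists, App Service's implicit "Deny all" rule blocks
  # every other source. Apply the same rules to the SCM (Kudu/deployment) site, which
  # is otherwise still reachable from anywhere.
  az webapp config access-restriction set --resource-group "$rg" --name "$app" \
     --use-same-restrictions-for-scm-site true
}

# Usage:
#   restrict_editor cosmos-rg cosmos-editor 203.0.113.5 198.51.100.0/24
```

Review the resulting rules with `az webapp config access-restriction show` and keep the list short: every address on it is a place from which the Editor can be reached.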
Storing Azure App Service secrets in Azure Key Vault brings numerous security and management advantages. It serves as a centralized and secure storage for sensitive information such as API keys, passwords, and connection strings, safeguarded with industry-standard encryption. Azure Key Vault reduces the risks of accidental exposure or unauthorized access through detailed access control and audit trails, providing transparency over who accessed which secrets and when. Additionally, integrating Key Vault with App Service simplifies secret management, allowing applications to securely fetch secrets on demand, eliminating the need to embed them directly in the code.
For more information see our article on Setting up Azure Key Vault.
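One way to carry out that migration for a single secret, as an added example that is neither the Cosmos project's script nor the article referenced above: the value goes into Key Vault, the Editor's managed identity is granted read-only access to secrets (either permission model), and the plain-text app setting is replaced with a Key Vault reference, which App Service resolves at startup so the value never sits in the app configuration or the code. It assumes `az login`; cosmos-rg, cosmos-editor, cosmos-kv and the setting/secret names are placeholders (use whatever setting name Cosmos actually reads). DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the Cosmos project's own script): store one secret in Key
# Vault and point an App Service setting at it with a Key Vault reference.
# Assumes `az login`; cosmos-rg, cosmos-editor, cosmos-kv and the setting/secret
# names are placeholders.
# DRY_RUN=1 prints each az command to stderr instead of running it and returns the
# placeholder "dryrun" on stdout.
az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    echo dryrun
  else
    command az "$@"
  fi
}

# A Key Vault reference is an app setting whose value has exactly this shape.
kv_reference() {
  echo "@Microsoft.KeyVault(VaultName=$1;SecretName=$2)"
}

# Key Vault secret names allow only letters, digits and dashes (1-127 chars); check
# up front so the failure is a clear message rather than a confusing deploy error.
valid_secret_name() { echo "$1" | grep -Eq '^[A-Za-z0-9-]{1,127}$'; }

# store_secret_and_reference RG APP VAULT SETTING SECRET [policy|rbac]
# The secret value is read from stdin, so it never appears on the command line.
store_secret_and_reference() {
  rg="$1"; app="$2"; vault="$3"; setting="$4"; secret="$5"; mode="${6:-policy}"
  valid_secret_name "$secret" || { echo "bad secret name '$secret'" >&2; return 2; }
  value=$(cat)
  [ -n "$value" ] || { echo "empty secret value on stdin" >&2; return 2; }
  az keyvault secret set --vault-name "$vault" --name "$secret" --value "$value" --output none
  # Give the app an identity and allow it to read secrets only, nothing else.
  principal=$(az webapp identity assign --resource-group "$rg" --name "$app" \
                --query principalId --output tsv)
  case "$mode" in
    policy)  # vault uses the access-policy permission model
      az keyvault set-policy --name "$vault" --object-id "$principal" \
         --secret-permissions get --output none ;;
    rbac)    # vault uses Azure RBAC: the built-in "Key Vault Secrets User" role
      vault_id=$(az keyvault show --name "$vault" --query id --output tsv)
      az role assignment create --assignee-object-id "$principal" \
         --assignee-principal-type ServicePrincipal \
         --role "Key Vault Secrets User" --scope "$vault_id" --output none ;;
    *) echo "mode must be 'policy' or 'rbac'" >&2; return 2 ;;
  esac
  # Replace the plain-text setting with the reference; the value now lives only in
  # the vault, whose audit log records every read of it.
  az webapp config appsettings set --resource-group "$rg" --name "$app" \
     --settings "$setting=$(kv_reference "$vault" "$secret")" --output none
}

# Usage (value supplied on stdin, e.g. from a file with restricted permissions):
#   store_secret_and_reference cosmos-rg cosmos-editor cosmos-kv DbPassword DbPassword rbac < secret.txt
```

After the app restarts, the setting shows as a resolved Key Vault reference in the Portal; if it shows an error instead, the usual cause is that the identity lacks the `get` permission or the vault's network rules block App Service.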