Security testing

These guidelines provide a high-level overview of the tasks that should be performed to secure the network and network services through controls such as segregation of networks, network service level agreements, and other network controls that apply to the environment.

Network security testing

Sitecore Content Hub™ or a reputable third-party provider should perform network security penetration testing on the customer-hosted instance using an industry-standard methodology and review the report.

To check network security:

  • Verify that the network traffic generated by the customer’s instance is protected from tenant port scanning and packet sniffing.

  • Perform a network security penetration test every six months at a minimum and after a significant change has been made to the system. Review the executive summary of the results of the network security penetration tests.

  • Perform at least one external network security penetration scan annually and provide these findings to Sitecore® for response and remediation.


For more information, see Cloud and network security.

Application security testing

Content Hub or a reputable third-party provider should perform application security penetration testing using an industry-standard methodology and review the report.

To check application security:

  • Perform the application security penetration test at least once annually or after a significant change has been made to the system. Review the executive summary and detailed report. Sitecore Content Hub provides documentation about the software quality assurance and software development lifecycle for the application.

  • Perform an application security penetration assessment annually and provide findings to Sitecore for response and remediation.

Third-party security testing

Third-party application interoperability is defined as accessory hosted applications that use APIs to act on data hosted by Content Hub.

For third-party security testing, Content Hub:

  • Allows superusers to control if OAuth or other API access is allowed on a per-application, per-user basis, and to restrict the types of content accessed through the API.

  • Provides superusers with the ability to create time-sensitive access control criteria for third-party applications. Any actions taken by a third-party application are logged. The log contains an identifier to the application and the user context the application was authorized under in addition to the standard log data requirements.

Data loss prevention

To prevent the loss of data, Content Hub:

  • Uses a firewall that does not permit the application to send traffic with a source IP or MAC address other than its own.

  • Supports PaaS/IaaS volume-level encryption to protect data against snapshot cloning or protect each piece of content.

  • Has robust data loss prevention mechanisms, including database and file activity monitoring, traffic, and usage baselining and alerting of traffic spikes above a defined threshold or a provider-determined baseline.

Transport layer protection

The Content Hub cloud service platform uses Transport Layer Security (TLS) for user authentication, credentials, and data transfer. Secure Sockets Layer (SSL) v3 is disabled.


Certificates are not self-signed and do come from established and reliable independent Certificate Authorities (CA). Strong ciphers are used, and the key management process is documented.

Can we improve this article ? Provide feedback