Securing publicly deployed Liferay - pavelfomin/liferay-clues GitHub Wiki

If Liferay is deployed as a public web site and you want to protect it from malicious modification from outside your firewall, you probably want to make several configuration changes to harden the installation. The assumption throughout is that you do not need to manage the web site content from outside your firewall: content is edited from the internal network only, and the public side is read-only.

Login

Disable the login functionality on the public site by removing the login portlet from all of your public pages and setting the following properties in portal-ext.properties. They stop the portal from redirecting anonymous visitors to its login page (auth.login.url and default.landing.page.path both point at the site root) and turn off the session expiry warning dialog, which is only meaningful for logged-in users:

auth.login.url=/
default.landing.page.path=/
session.timeout.warning=0

You can then create a dedicated public page with a login portlet on it (e.g. myliferaylogin) and block access to that page from the outside in your proxy server, so that administrators log in only from the internal network.

Public API

For additional security, consider blocking the remote API, XML-RPC and WebDAV endpoints, all of which can be used to modify Liferay content remotely. The URIs to block from outside (the internal-only login page from the previous section is included):

  • /api
  • /webdav
  • /xmlrpc
  • /myliferaylogin
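Below is an added example of how that blocking can be expressed in an nginx reverse proxy in front of Liferay. It is not part of this wiki or of Liferay itself, and it assumes Tomcat listening on 127.0.0.1:8080, an internal network of 10.0.0.0/8, the host name www.example.com with TLS material under /etc/nginx/tls/, and the internal-only login page named /myliferaylogin as suggested above. As a second line of defence it also strips the Liferay-Portal version header discussed in the next section at the proxy.

```nginx
# Added example (not from the wiki or the Liferay project): nginx reverse proxy
# that exposes Liferay read-only to the Internet and keeps the remote
# modification endpoints reachable from the internal network only.
# Assumptions: Tomcat on 127.0.0.1:8080, internal CIDR 10.0.0.0/8,
# internal-only login page /myliferaylogin, TLS files under /etc/nginx/tls/.

upstream liferay {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name www.example.com;                     # assumed host name
    ssl_certificate     /etc/nginx/tls/example.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/example.key;

    # Belt and braces: drop the version header at the proxy as well as via
    # http.header.version.verbosity (see the header section of this page).
    proxy_hide_header Liferay-Portal;

    # Internal-only paths: the remote API under /api, WebDAV, XML-RPC and the
    # out-of-band login page. Only the internal CIDR may reach them; every
    # other client gets 403. The trailing (/|$) keeps "/api" from also
    # matching an unrelated public page such as /apidocs.
    location ~ ^/(api|webdav|xmlrpc|myliferaylogin)(/|$) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://liferay;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is public, read-only content.
    location / {
        proxy_pass http://liferay;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats. allow/deny judge the TCP peer address, so if this nginx sits behind another load balancer you must configure ngx_http_realip_module (set_real_ip_from / real_ip_header) for that balancer, otherwise every request appears to come from the balancer's address and the allow list is either always or never satisfied. And after reloading, verify from an external address that each of the four paths returns 403 (for example with curl -sI https://www.example.com/api/ ) while the site root still returns 200.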

Liferay-Portal HTTP Response Header

By default, Liferay adds the Liferay-Portal response header:

Liferay-Portal:Liferay Portal Enterprise Edition 6.2.10 EE GA1 (Newton / Build 6210 / November 1, 2013)

This behavior is controlled by the http.header.version.verbosity property in portal-ext.properties. The documentation lists two values, full and partial, neither of which removes the header. However, if the property is set to the exact string returned by ReleaseInfo.getName() (the edition name without version, code name or build details), the header is omitted completely. The value must match your edition: the example below is for EE, while CE reports Liferay Portal Community Edition. Because this relies on undocumented behavior, confirm after restarting that the header is really gone (for example with curl -sI against the site root and checking that no Liferay-Portal line appears):

http.header.version.verbosity = Liferay Portal Enterprise Edition