Our blog contains the activity stream of Orchard Dojo: general news, new resources or tutorials are announced here.


Dynamic index tables, allow any user to manage two-factor authentication - This week in Orchard (28/06/2024)

Allow any user to manage two-factor authentication, show recipe error instead of throwing an exception, and a demo about Dynamic index tables are the topics for the week. You can still apply to speak at Harvest 2024 and share your insights on Orchard Core's future, CMS roles, AI tools, cloud integrations, and more! Let's see the details!

Orchard Core updates

Allow any user to manage two-factor authentication

Two-factor authentication (2FA) is now available for all users. Previously, only users with permission to access the admin area could set up their 2FA methods, although all users could still use 2FA if it was set up by an admin. To enable this change, the method IsRequiredAsync() in both the ITwoFactorAuthenticationHandlerCoordinator and ITwoFactorAuthenticationHandler interfaces has been updated to IsRequiredAsync(IUser user).

Summary of changes:
- The feature OrchardCore.Users.EmailConfirmation was removed. This feature was recently added and was enabled by dependency only. Its services have been moved up to the OrchardCore.Users feature, since they are core functionality needed by OrchardCore.Users.
- Using the 2FA email method now requires email confirmation through the existing email confirmation process.
- As mentioned, the method IsRequiredAsync() in both the ITwoFactorAuthenticationHandlerCoordinator and ITwoFactorAuthenticationHandler was changed to IsRequiredAsync(IUser user).

OK, so what does it look like in action? First of all, you have to make sure that you have at least one two-factor authentication method enabled. To do that, navigate to Configuration -> Features and enable the relevant features. We enabled two modules:
- Two-Factor Authenticator App Method: Provides users with a two-factor authentication method through any authenticator app.
- Two-Factor Email Method: Provides users with a two-factor authentication method through an email service.

Orchard Core provides a third two-factor authentication method through an SMS service, but these two will be enough for the demonstration. After that, we need a user without any special roles. We created a user under Security -> Users, where we used John as the user's name. Make sure that this user is enabled so that you can log in as John. The last thing we have to do is make sure that the Default Theme is the current site theme, because that theme renders the navbar by default and includes the dropdown with the security-related settings. As you can see in the screen below, we logged in as John. If you click Security in the dropdown menu mentioned earlier, you may notice that John can enable two-factor authentication by adding one of the two-factor methods listed below. SMS is not listed, because we have only enabled the App Method and the Email Method features.

Show recipe error instead of throwing an exception

Currently, when importing a recipe and something goes wrong, implementations of IRecipeStepHandler or IRecipeEventHandler throw exceptions to report errors if something fails to import. In a production environment, the user gets a white page, which leaves them lost as to what happened. This is no longer the recommended approach for error reporting. Now, to handle errors, we have introduced a new property named Errors in the RecipeExecutionContext. This property allows you to log errors instead of throwing exceptions. These errors should be localized and must not contain any sensitive data, as they are visible to the end user. Exceptions are still used for logging additional information, but these are not shown to the end user. Additionally, if an error occurs, a new custom exception, RecipeExecutionException, is thrown. Let's say you want to import a deployment package or import JSON from text. Assume that the JSON contains some errors in both cases. Here, you can see that Orchard Core shows the error to the user so they have feedback instead of dumping an exception or a white page. And the same applies if you want to execute a recipe that contains errors.

Demos

Dynamic Index Tables

When using YesSql index tables, you have to build these index tables using code. This solution provides you with a way to build index tables without the need to write code. Using the admin UI, you can select the content type you want to index and add the table columns using a nice UI. You can also supply a script that builds the column value mapping: in it, you return how you want your content item to be indexed. In the screen below, you can see the index table for the content type called Comic Book. In the Map Script editor, we defined what to return for the values of the DisplayText, IssueVolumeNumber, and ReleaseDate columns. After that, if you run a SELECT * query against this index table, you will notice that the table contains the columns defined in the previous step. And that's just the tip of the iceberg of what this feature offers. If you are curious about the details, check out this demo video on YouTube for more!

News from the community

Orchard Harvest 2024 date and location

Get ready to power up your Orchard skills at Orchard Harvest Conference 2024! Join us on September 12th-13th at the Orleans Hotel and Casino in lively Las Vegas for two days packed with learning, coding, and community fun. What can you expect at Orchard Harvest Conference 2024?
- Hands-On Workshops: Elevate your coding game with interactive sessions led by industry experts.
- Insider Insights: Learn best practices, advanced techniques, and real-world insights from qualified developers.
- Global Connections: Connect with fellow enthusiasts, exchange ideas, and forge meaningful relationships within the Orchard community.
- Special Perks: Participants get exclusive discounts on accommodations at the Orleans Hotel and Casino.

Can't wait until September? Check out recordings from last year's special online Orchard Harvest on our YouTube channel here. Ready to be a part of something extraordinary? Reserve your spot today and take advantage of early-bird pricing at Orchard Harvest Conference 2024. We also opened the registration form for the speakers: https://forms.office.com/e/fewh7hh20d

This year's leading themes:
- Leading up to a v3.0, what will the future Orchard Core look like?
- What's the role of a CMS nowadays (with the decoupled/headless operating models and AI development tools)?
- Explore some advanced topics such as Shapes, Placements, Cloud Integrations, Performance, module extensibility, etc.
- Showcases on implementing Orchard Core in action.

We've extended the sign-up period by another 2 weeks, so if you haven't signed up yet, you can still sign up now! Apply to be a speaker until the 29th of June, midnight Anywhere on Earth! We'll notify you whether your talk is selected for Harvest 1 or 2 weeks after the application period. The chosen speakers will receive complimentary tickets for the event. Want to support our mission? Become a sponsor! Reach out to us at [email protected] or [email protected] to explore sponsorship opportunities. Secure your spot today and get ready to level up your skills at Orchard Harvest Conference 2024! See you there!

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 473 subscribers! We started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Orchard Harvest 2024 date and location, Playwright Testing - This week in Orchard (17/05/2024)

Configure the token provider from the corresponding provider, release notes about SectionDisplayDriver breaking changes, a demo about Playwright Testing, and the registration for the Orchard Harvest 2024 conference is now open! Oh, and don't forget to join our next Orchard Core Pair Programming session! Let's see the details!

Orchard Core updates

Configure the Token provider from the corresponding provider

Enhanced functionality has been implemented, allowing developers to control the expiration time of different tokens, such as those for password reset, email confirmation, and email change, which are sent through the email service. You may change the default values of these options by using the services.Configure<> method. For instance, to change the EmailConfirmationTokenProviderOptions you can add the following code to your project:

services.Configure<EmailConfirmationTokenProviderOptions>(options => options.TokenLifespan = TimeSpan.FromDays(7));

Here you can see the EmailConfirmationIdentityOptionsConfigurations class that utilizes the EmailConfirmationTokenProviderOptions.

Release notes about SectionDisplayDriver breaking changes

In the past, we had a Display Drivers validation issue, which means that the drivers should always return an updated model for displaying proper data even if the model has failed to validate. As you can read in the release notes of the upcoming version, in the upcoming release the signatures of the UpdateAsync() method within the SectionDisplayDriver base class have been modified. Previously, these signatures accepted the BuildEditorContext parameter. With this update, all signatures require the UpdateEditorContext instead. This change requires every driver inheriting from this class to adjust its contexts accordingly. On this screen, you can also see the updated signatures.

Demos

Playwright Testing

The OrchardCoreContrib.Testing repository provides a set of APIs to test Orchard Core applications. The goal of this repository is to test out the integration with Playwright. Playwright Test was created specifically to accommodate the needs of end-to-end testing. Playwright supports all modern rendering engines, including Chromium, WebKit, and Firefox. Test on Windows, Linux, and macOS, locally or on CI, headless or headed, with native mobile emulation of Google Chrome for Android and Mobile Safari. If you head to YouTube, you can see a video with some sample tests as well, like how we can open a web page by creating a Playwright instance and choosing the browser, which could be Chromium, Firefox, or WebKit. After that, we launch the browser to get the instance. Now, we can create a new page and navigate to it. Here, we can check the title of the page or the inner HTML, etc. Head to the demo video mentioned to see how you can implement more complex tests using Playwright!

News from the community

Orchard Harvest 2024 date and location

Get ready to power up your Orchard skills at Orchard Harvest Conference 2024! Join us on September 12th-13th at the Orleans Hotel and Casino in lively Las Vegas for two days packed with learning, coding, and community fun. What can you expect at Orchard Harvest Conference 2024?
- Hands-On Workshops: Elevate your coding game with interactive sessions led by industry experts.
- Insider Insights: Learn best practices, advanced techniques, and real-world insights from qualified developers.
- Global Connections: Connect with fellow enthusiasts, exchange ideas, and forge meaningful relationships within the Orchard community.
- Special Perks: Participants get exclusive discounts on accommodations at the Orleans Hotel and Casino.

Can't wait until September? Check out recordings from last year's special online Orchard Harvest on our YouTube channel here. Ready to be a part of something extraordinary? Reserve your spot today and take advantage of early-bird pricing at Orchard Harvest Conference 2024. We also opened the registration form for the speakers: https://forms.office.com/e/fewh7hh20d

This year's leading themes:
- Leading up to a v3.0, what will the future Orchard Core look like?
- What's the role of a CMS nowadays (with the decoupled/headless operating models and AI development tools)?
- Explore some advanced topics such as Shapes, Placements, Cloud Integrations, Performance, module extensibility, etc.
- Showcases on implementing Orchard Core in action.

Apply to be a speaker until the 15th of June, midnight Anywhere on Earth! We'll notify you whether your talk is selected for Harvest by the end of June. The chosen speakers will receive complimentary tickets for the event. Want to support our mission? Become a sponsor! Reach out to us at [email protected] or [email protected] to explore sponsorship opportunities. Secure your spot today and get ready to level up your skills at Orchard Harvest Conference 2024! See you there!

Building a Content Warning Module with Drew Brasher - Orchard Core Pair Programming by Lombiq

We'll have the third session of Orchard Core Pair Programming by Lombiq! In these, we do an hour of pair programming with an Orchard Core community member about a project of theirs. We learn a lot together, share best practices, and write some good code. All this is live, and you can join us with your questions! Here, you can find the previous pair programming sessions, and here, you can find the stream for the upcoming one! See you at 5 PM UTC on the 21st! (On a Tuesday due to Whit Monday in Europe.) This time, Drew Brasher will join us with a Content Warning Module project that she started in this discussion. We'll start with at least a scaffolding of the module, take the following blog post as a guideline, and then build it from there. Your host and the "navigator" of the pair programming session will be Zoltán István Lehóczky. Would you like to be our guest? Just let us know!

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 471 subscribers! We started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Secure Media feature, add a way to hide ContentTypeDefinitionSettings - This week in Orchard (19/04/2024)

Consolidate admin required fields, add a way to hide ContentTypeDefinitionSettings, and a demo about the brand-new Secure Media feature! Let's see the details!

Orchard Core updates

Consolidate admin required fields

Content fields and some parts added to a content type can be set as required, but there is no visualization of this before submitting changes. The validation error messages for required fields have inconsistent text (some contain a dot at the end, some don't, some use '' for the value, and some have explicit value names in the text). Also, validation error messages are included in the validation summary only, and not under the required field, although in TitlePart, for example, everything is correct. All error messages should be written in the same format and text, for example: Please add value for '{0}'. At least some CSS class should be added to all required field labels to be able to identify required fields in the content item form, and required validation messages should be displayed under each validated field. As you can see in the screen below, the community consolidated the admin required fields with the following steps:
- Added a star character for all required fields.
- Added a validation message for required input fields, like in TitlePart.
- Consolidated the color for the star and the validation error messages.
- Consolidated the error message texts.
- Removed client validation from inputs because of inconsistent form behavior depending on the browser used, the selected locale, etc.

Add a way to hide ContentTypeDefinitionSettings

The intention behind this change was to add a configuration to show/hide the creatable, listable, draftable, versionable, and securable flags. We have a new ContentTypeDefinitionDriverOptions class which contains boolean values that you can use to show or hide the creatable, listable, draftable, versionable, and securable options when editing the content definition of a content type on the admin UI. The ContentTypeDefinitionOptions class offers a method for configuring content type definitions to either display or conceal global settings on the UI. In certain cases, like when creating CustomSettings or CustomUserSettings, these options are useless, so it is nicer to hide them, since they do nothing. To quickly demonstrate this change, we enabled the Custom User Settings feature under Configuration -> Features. Then we navigated to Content -> Content Definition -> Content Types and created a new content type called UserProfile. We added some fields to it and set the stereotype to CustomUserSettings to be able to use this content type as a custom user setting. As you can see, only the Securable checkbox is shown; we can't set the other content type definition flags like creatable, listable, etc. The reason is that in the Startup.cs file of the OrchardCore.Users module, the boolean values of the ContentTypeDefinitionDriverOptions class are set up for the CustomUserSettings stereotype, but the value of ShowSecurable is left untouched, so it keeps its true value.

Demos

Secure Media feature

This demo is about the brand-new Secure Media feature for additional control over who can access media files. The key features include:
- Restricted Access to Media Folders: A view permission is created for the root media folder and each first-level folder within the media root, allowing administrators to restrict access based on user roles.
- Enhanced Viewing Permissions: Introduces permissions to view one's own media files and/or those of others, expanding upon the existing ManageOwnMedia permission.
- Consistent Access Rules for Media and Content Items: Media attached to content items will adhere to the ViewContent permission of the respective content item. This alignment ensures consistent access rules between media and content items.
- Protection for Temporary Attached Media Files: Secures temporary attached media files in a manner similar to personal user files.
- Improved Management Permissions in Admin: Refines the manage media permissions to allow media management only when viewing permissions are also granted. This prevents users from managing media they cannot view. Additionally, the creation and deletion buttons in the admin interface are disabled for folders that are not accessible post-creation or for special folders like "_Users" and "mediafields".
- Handling Unauthorized Access: Introduces a middleware that returns a 404 NotFound response for unauthenticated access attempts to secured media files. This approach not only restricts access but also conceals the existence of the file.
- Configurable Cache-Control for Secured Files: Sets the Cache-Control header of secured files to no-store by default, preventing their caching. This setting is configurable to suit different needs.
- Bearer Token Authentication for API Access: Enables bearer token authentication for media files, aligning with Orchard Core's API capabilities. This feature is particularly useful for headless CMS scenarios and external application integrations.

We will not do a deep dive here but will try to demonstrate some of the mentioned features. First of all, you need to enable the feature itself by heading to Configuration -> Features, where you will find the Secure Media feature. After enabling it, let's add a new folder to the root of the media library under Content -> Media Library. We named it secure and placed a file into this folder. Now, let's navigate to Security -> Roles and find the section called Secure Media. By default, everyone can see everything, so nothing changes just by enabling the feature. It currently only uses the root folder and the first folder level; this means you can only have one tier of secured media folders.
And as you can see here, you can define who can view media content in our newly created folder, called secure. Now let's play a little bit with the permissions and say that Anonymous users and Editor users don't have permission to view media content inside the secure folder. To test this out, we created a new user with the Editor role and logged in with this user. Head to the admin UI of Orchard Core and open up the Media Library. As you can see, this user can't see the folder called secure and can't access the files inside the folder. As always, if you want to see more about this new feature, head to YouTube for a recording!

News from the community

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 471 subscribers! We started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!
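The "Handling Unauthorized Access" and "Configurable Cache-Control for Secured Files" behaviours listed in the Secure Media post above, as an added example that is not the feature's own implementation: an ASP.NET Core middleware that answers 404 for any caller (anonymous or signed in) who lacks a view permission on a protected media path, so the file's existence is not disclosed, and sends Cache-Control: no-store on the responses it does allow. The path prefix /media/secure and the authorization policy name ViewSecuredMedia are assumptions made for this example.

```csharp
// Added example, not the Secure Media feature's own code. Demonstrates "404 instead of
// 401/403 for protected media" plus "no-store for allowed responses" as a middleware.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class SecuredMediaMiddleware
{
    // Assumed values for the example; a real module would derive the secured folder
    // list and the permission from its configuration and role settings.
    public const string SecuredPathPrefix = "/media/secure";
    public const string ViewSecuredMediaPolicy = "ViewSecuredMedia";

    private readonly RequestDelegate _next;

    public SecuredMediaMiddleware(RequestDelegate next) => _next = next;

    // IAuthorizationService is resolved per request (method injection) rather than in the
    // constructor, because a middleware instance lives for the whole application.
    public async Task InvokeAsync(HttpContext context, IAuthorizationService authorization)
    {
        if (!IsSecuredMediaPath(context.Request.Path))
        {
            await _next(context);
            return;
        }

        var result = await authorization.AuthorizeAsync(context.User, ViewSecuredMediaPolicy);
        if (!result.Succeeded)
        {
            // Deliberately 404 rather than 401/403: a caller without permission receives
            // exactly the same answer as for a file that does not exist.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }

        // Registered before anything is written, so the header is guaranteed to be sent
        // with the response the downstream file handler produces.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Cache-Control"] = "no-store";
            return Task.CompletedTask;
        });

        await _next(context);
    }

    public static bool IsSecuredMediaPath(PathString path) =>
        path.StartsWithSegments(SecuredPathPrefix, StringComparison.OrdinalIgnoreCase);
}

public static class SecuredMediaMiddlewareExtensions
{
    // Register after UseAuthentication() (so context.User is populated) and before the
    // middleware that serves media files (so the file is not already on its way out).
    public static IApplicationBuilder UseSecuredMedia(this IApplicationBuilder app) =>
        app.UseMiddleware<SecuredMediaMiddleware>();
}
```

The ordering note in the extension method is the part that is easiest to get wrong: placed before authentication, every request looks anonymous and every secured file returns 404; placed after the static file handler, the check never runs for files that exist.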

Orchard Core 1.8.2, migrate the OpenID module to OpenIddict 5 - This week in Orchard (19/01/2024)

Migrate the OpenID module to OpenIddict 5, fixing FormatException when the login screen is posted with values other than true/false for RememberMe, and announcing Orchard Core 1.8.2! Without any further ado, let's get started!

Orchard Core updates

Migrate the OpenID module to OpenIddict 5

This is about updating the OpenID module to use OpenIddict 5.0, which shipped in December. With OpenIddict 5.0 now generally available, the previous version, OpenIddict 4.0, stops being supported and won't receive bug fixes or security updates. As such, it is recommended to migrate to OpenIddict 5.0 to continue receiving bug and security fixes. So, this change reacts to the breaking changes introduced by this new major version by adding new store methods and updating the ones whose signature has changed. Note that while OpenIddict 5.0 supports new features, this change doesn't expose them via the Orchard Core admin UI. If you want to know more about the latest version of OpenIddict, check out this great post from Kévin Chalet!

Fixing FormatException when the login screen is posted with values other than true/false for RememberMe

If, on the login screen, any non-boolean value (e.g., "1", "cicaisahungarianword") is set for the RememberMe input field, you'll get an exception. This is of course not what a normal user would do, but it is surfaced by the pentest attacks of Zed Attack Proxy (ZAP). This is a very popular open-source project, which is a security scanner: it can check your application for security issues. If you don't know ZAP and would like to know more about it, check out our post from last month. So, adding input validation here is necessary to avoid 500s. You can easily reproduce this issue by following these steps:
1. Go to /Login.
2. Set the value attribute of RememberMe to anything but "true" or "false" from e.g. the Dev Tools of Google Chrome.
3. Tick the checkbox.
4. Click Log in.
5. See the HTTP 500 error page.
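As an added illustration that is not Orchard Core's own fix, here is the general pattern behind this kind of change: a posted form value that must be boolean is parsed with bool.TryParse and reported through ModelState, so a tampered value ends in a validation error instead of an unhandled FormatException. The controller, routes and field name are assumptions made for the example.

```csharp
// Added example, not Orchard Core's actual fix: the vulnerable pattern (bool.Parse on
// user input) next to the hardened one (TryParse + ModelState validation error).
using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ModelBinding;
using Microsoft.Extensions.Primitives;

public static class RememberMeParser
{
    // Reads the posted RememberMe value. A checkbox plus its hidden fallback field can
    // post "true,false" as two values, so only the first value is considered.
    // Returns false (and records a validation error) when the value is malformed.
    public static bool TryParse(StringValues posted, ModelStateDictionary modelState, out bool rememberMe)
    {
        var raw = posted.FirstOrDefault();

        // No value at all simply means the box was not ticked.
        if (string.IsNullOrEmpty(raw))
        {
            rememberMe = false;
            return true;
        }

        if (bool.TryParse(raw, out rememberMe))
        {
            return true;
        }

        // The raw, caller-controlled value is deliberately not echoed back in the message.
        modelState.AddModelError("RememberMe", "The Remember me value is not valid.");
        rememberMe = false;
        return false;
    }
}

public sealed class LoginController : Controller
{
    // Vulnerable form: bool.Parse throws FormatException for "1", "on",
    // "cicaisahungarianword" or "true,false", and the unhandled exception
    // surfaces as an HTTP 500 page.
    [HttpPost("/Login/Unsafe")]
    public IActionResult LoginUnsafe(string userName)
    {
        var rememberMe = bool.Parse(Request.Form["RememberMe"]);
        return Ok(new { userName, rememberMe });
    }

    // Hardened form: a malformed value becomes a ModelState error and an HTTP 400
    // (or a re-rendered login form with the message), never an exception.
    [HttpPost("/Login")]
    public IActionResult Login(string userName)
    {
        RememberMeParser.TryParse(Request.Form["RememberMe"], ModelState, out var rememberMe);

        if (!ModelState.IsValid)
        {
            return ValidationProblem(ModelState);
        }

        // Sign-in logic would follow here, using rememberMe for the persistent cookie.
        return Ok(new { userName, rememberMe });
    }
}
```

The "true,false" case is worth remembering when reading scanner findings: a plain checkbox rendered with a hidden fallback field sends two values, so even an untampered browser post can trip code that parses the joined string.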
From now on, a validation error appears instead of a 5xx one.

News from the community

Orchard Core 1.8.2

Orchard Core 1.8.2 was released a few days after 1.8.1 to address two issues of the 1.8.1 release. The first issue was that the admin language switcher (admin culture picker) was not working: it stayed in the same language regardless of what you chose. The second is about fixing the display name of content fields. Let's just add a boolean field to a content type as follows, using MyBooleanField as the technical name and My Boolean Field as the display name. As you can see in the screen below, the Display Name was equal to the Technical Name. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! Upgrade your solution to 1.8.2 now! Feel free to drop in on the dedicated Gitter chat or use the Discussions on GitHub and ask questions! As we mentioned, Orchard Core is available as a NuGet package which you can easily add to your ASP.NET Core solution. Here's how you can get started with Orchard Core.

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 480 subscribers! We started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Introducing ConfigureAsync method, Security scanning with ZAP in the Lombiq UI Testing Toolbox - This week in Orchard (22/12/2023)

Introducing the ConfigureAsync method and the IAsyncConfigureOptions interface, a demo about security scanning with ZAP in the Lombiq UI Testing Toolbox, and some photos of our Christmas event! Let's see the details!

Orchard Core updates

Introducing ConfigureAsync method

In the Startup files, you can use the Configure method to configure the tenant pipeline. Now, if you implement the IAsyncStartup interface, you will be able to configure the tenant pipeline asynchronously by using the new ConfigureAsync method. This means the initialization of the tenants will be much faster in the future in a SaaS environment. Here, you can see an example of how to use this method in the Startup file of the Localization module, where we no longer need to call the GetAwaiter() and GetResult() methods when getting the default culture and the supported cultures.

IAsyncConfigureOptions interface

In this PR, Jean-Thierry Kéchichian introduced the IAsyncOptions and IAsyncConfigureOptions<TOptions> interfaces that can be used globally across your Orchard Core solution. IAsyncConfigureOptions can be used to asynchronously configure a type of options just after a tenant container is created, and IAsyncOptions marks a type of options intended to be registered as a singleton and configured asynchronously by an IAsyncConfigureOptions<TOptions> just after a tenant container is created. For example, here the BlobOptions will be registered once as a singleton and configured asynchronously once by BlobOptionsSetup.ConfigureAsync() just after a tenant container is created, using this single line of code: services.Configure<BlobOptions, BlobOptionsSetup>().

Demos

Security scanning with ZAP in the Lombiq UI Testing Toolbox

Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well: first when we open-sourced it, when we added some Orchard Core feature tests to it, when we added the automated monkey testing feature to it, and when we introduced visual verification testing. At the end of last year, we showed you the latest updates about integrating UI testing into Orchard Core and the way you can use WebApplicationFactory, a fake video capture source, or the interactive mode. This time, we will check out a slightly different topic: security scanning!

Of course, security is important: you don't want your web app to be used for spamming or cryptocurrency mining, and you don't want your users' data to be lost or to get into the hands of others. So, you want to secure your application. There are many layers to that, and many layers to enforcing or ensuring that your application is secure, including manual reviews and static code analysis. Another layer is penetration testing. It means that somebody goes to your application and tries to break it in some way, to get into it in a way that they shouldn't be able to. Pen testers use tools, and one of the most widely used is the Zed Attack Proxy (ZAP). This is a very popular open-source project, which is a security scanner: it can check your application for security issues. It is a Java application, and it checks web apps for general web application security issues. It can run generic attacks, both actively and passively, so let's see that in action and see how to automate those scans!

The easiest way is to clone Lombiq's Open-Source Orchard Core Extensions solution. This Orchard Core Visual Studio solution contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, including our UI Testing Toolbox for Orchard Core, which contains a feature for ZAP. Here you can see quite detailed documentation about this, but what's more important, we also have some samples. Here, you can run ZAP with a .NET API. It's just a simple scan, but you can utilize the .NET API more if you add some configuration, as you can see on the screen. This SecurityScanWithCustomConfigurationShouldPass method adds some configuration: you can exclude URLs from the scan, disable rules for just a given URL, authenticate, and, since we are talking about testing, you can also assert on the results. The results are not just available as a human-readable HTML report but also as SARIF JSON, which is a standard way of sharing such scan results. Do you want to know more about how to do an automated security scan of your Orchard Core app with ZAP? Check out our post in Orchard Dojo about it, and don't forget to head to YouTube for a recording to see how you can run these tests from Visual Studio!

News from the community

Christmas in Lombiq

Sometimes we do stuff. Together. Not (just) in front of computer screens. These are some usual events in Lombiq that are all announced and arranged in advance. We periodically have an event called RnDay: this is a few-hour-long event where we share what we recently worked on and what we plan to do. E.g., if we recently finished a project, then the project's team members demo what they've done. We had our last RnDay of this year in the Loffice, a coworking and event space. At the end of the day, we visited a nearby restaurant to have dinner together. We would like to thank you all for reading our posts and making the Orchard community stronger together with us! We hope that we can give you valuable news and demos about the happenings around Orchard and Orchard Core from time to time through our posts and of course the This week in Orchard newsletter. We would like to wish everyone a Merry Christmas with some photos of our latest event!

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 486 subscribers! We started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

How to do a security scan of an Orchard Core app - Orchard Core Nuggets

You don't want malicious people to crack your web apps to use them for spamming, cryptocurrency mining, and spreading malware, nor do you want them to get access to your users' personal data (if you actually do want to cooperate with criminals, you don't need to read further). Thus, you want your app to be secure. One aspect of achieving this is to do penetration testing on your app. Thankfully, much of this can be automated, and with the help of the Lombiq UI Testing Toolbox for Orchard Core and Zed Attack Proxy (ZAP) you can conveniently do this for your Orchard Core app. Let's see how!

1. First, install v8.2.1-alpha.6.osoe-351 or greater of the UI Testing Toolbox from NuGet, because that's the one that added security scanning. There are a couple of minor breaking changes in this that should affect nobody, really, so it'll be part of the upcoming v9.0.0 (but for that, we're waiting for Orchard Core 1.8).
2. Set up UI testing as explained in the UI Testing Toolbox's documentation. While we're focusing on security scanning here, the UI Testing Toolbox can do a lot, and I really mean a lot, more, including one-liners to test whether the basic Orchard Core features still work in your app, or unleashing automated monkey testing to try to break your app. We never work on an Orchard Core app without this safety net!
3. Add one or more test cases to run ZAP's security scan. Since all the configuration of ZAP is available to you, customization is unlimited, but to give you a glimpse, this is what a basic security scan that's already a good start looks like:

[Fact]
public Task BasicSecurityScanShouldPass() =>
    ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

And that's it! OK, I might have omitted the last step here:

4. Fix all the security issues ZAP finds, because it'll definitely find at least a couple of them!
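To show what the customized scan mentioned in the ZAP demo above (the SecurityScanWithCustomConfigurationShouldPass sample: excluding URLs, disabling rules for a given URL, authenticating, asserting on the results) looks like next to the basic one-liner, here is an added example that is not the toolbox's own sample code. The test shape and RunAndAssertBaselineSecurityScanAsync are the ones shown in the post; the UITestBase class is assumed to be set up as in the toolbox's samples; the configuration builder method names are as recalled from the toolbox's security scanning documentation and should be checked against it; the URL patterns, rule IDs and justification texts are placeholders.

```csharp
// Added example for the Lombiq UI Testing Toolbox's ZAP integration; not the toolbox's
// own sample. Builder method names are recalled from its docs (verify them there);
// UITestBase is assumed to exist as in the toolbox samples; patterns and IDs are placeholders.
using System.Threading.Tasks;
using Lombiq.Tests.UI.Extensions;
using Lombiq.Tests.UI.SecurityScanning;
using Xunit;
using Xunit.Abstractions;

public class SecurityScanTests : UITestBase
{
    // Placeholder ZAP scan rule IDs: take the real ID from the finding in the ZAP report
    // (the HTML report or the SARIF file) that you have decided to suppress.
    private const int PlaceholderRuleId = 0;
    private const int PlaceholderUrlSpecificRuleId = 0;

    public SecurityScanTests(ITestOutputHelper testOutputHelper)
        : base(testOutputHelper)
    {
    }

    // The baseline scan from the post: the toolbox's default assertion decides pass/fail.
    [Fact]
    public Task BasicSecurityScanShouldPass() =>
        ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

    // The customized scan: narrow exclusions, per-rule justifications, an authenticated
    // crawl, and an explicit assertion on the SARIF results that gates the build.
    [Fact]
    public Task SecurityScanWithCustomConfigurationShouldPass() =>
        ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync(
            configuration => configuration
                // Scan the authenticated parts of the site too, not only the anonymous surface.
                .SignIn()
                // Keep exclusion patterns as narrow as possible; an over-broad regex silently
                // removes pages from the scan.
                .ExcludeUrlWithRegex(".*/placeholder-excluded-path/.*")
                // A globally disabled rule always carries a written justification, so a
                // reviewer can see why the finding was accepted.
                .DisableActiveScanRule(PlaceholderRuleId, "Placeholder justification: accepted risk, ticket PLACEHOLDER")
                // Prefer disabling a rule only for the URL where the known false positive
                // occurs over disabling it everywhere.
                .DisableScanRuleForUrlWithRegex(".*/placeholder-page/.*", PlaceholderUrlSpecificRuleId, "Placeholder justification"),
            // Anything the suppressions above did not cover fails the test.
            sarifLog => Assert.Empty(sarifLog.Runs[0].Results)));
}
```

The design point is that the suppression list is code under review: every ExcludeUrlWithRegex and every disabled rule is visible in the pull request together with its reason, and the SARIF assertion keeps a new finding from being ignored just because the HTML report was never opened.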
This was just a short teaser, but be sure to check out the UI Testing Toolbox's security scanning documentation, because we tried to summarize everything necessary to get you going there, including samples that you can just copy-paste. Do you want to see security scanning in action? Check out the demo video too! Also, security starts with quality code: check out our Lombiq .NET Analyzers project to get automated checks for your code too, including pointing out potential security issues even before running the app.

Did you like this post? It's part of our Orchard Core Nuggets series, where we answer common Orchard questions, be it about user-facing features or developer-level issues. Check out the other posts for more such bite-sized Orchard Core tips and let us know if you have another question!