Portal Security Overview

Portal implements comprehensive security measures to protect your Backstage deployment and user data. This document outlines the security architecture, built-in protections, and recommended practices for maintaining a secure Portal environment.

Security-Focused Requirements

Portal's security architecture is built around a formal set of security-focused requirements. These requirements draw from the OWASP Top 10, which highlights the most critical security risks to web applications, as well as Spotify's own internal security recommendations. By integrating these standards into the development process, Portal ensures that common threat vectors are addressed early and systematically. These requirements are not static—they are periodically reviewed and updated to match the evolving security landscape. They directly inform Portal's threat model and the corresponding risk assessment matrix, which are foundational to both product planning and engineering decisions.

Security Features

Portal includes a number of features designed to proactively protect users and their data:

Plugin Isolation

To contain the impact of any plugin misconfiguration or malfunction, each plugin within Portal is executed in a separate process. This design ensures that a single problematic plugin cannot affect the availability or security of the entire Portal instance. This isolation also simplifies troubleshooting and recovery, as issues can be addressed at the individual plugin level without risking broader service disruption.

Access Control and Root Privileges

Access to high-privilege operations is tightly controlled. Only a specific, authorized set of users is permitted to obtain root-level access within Portal. Importantly, once initial setup or recovery mode has ended, the root login feature is disabled by default. This reduces the attack surface by eliminating a common target for privilege escalation attacks. If root access needs to be re-enabled for recovery or maintenance, it should be promptly disabled again after use.

Vulnerability Management

Portal adheres to a structured vulnerability management process. This means that vulnerabilities—whether reported by internal teams, external researchers, or through automated scanning—are triaged, tracked, and resolved in accordance with established procedures. This process is regularly updated to ensure ongoing compliance with Spotify-wide security standards and industry best practices. Details of the vulnerability management workflow can be found in the relevant internal documentation.

Root Admin Login

Important Security Notice

The root admin login interface presents a significant security risk when active. Recovery mode is enabled by Spotify for user environments when needed for setup or recovery activities, and is disabled once these activities are complete.

The root admin login interface, when active, presents a significant security risk because it is accessible to all users and protected only by a password. This login mode is intended strictly for initial setup or for recovery scenarios. To minimize the risk of unauthorized access, recovery mode is managed by Spotify and deactivated as soon as recovery or setup activities are complete. The password for this interface is provided by Spotify and follows established security practices for privileged accounts.

Ongoing Security Improvements

Portal's security posture is continuously evaluated and improved. Regular reviews, internal audits, and updates based on both internal feedback and external developments in the security landscape ensure that Portal remains resilient in the face of emerging threats. Security-related FAQs and documentation are also maintained to assist users and customers in understanding how Portal protects their data and what steps they can take to further enhance security on their deployments.

For more information on setup procedures, see our Getting Started Guide.