Web security module

Sitefinity CMS has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect and referrer validation. This way you protect your Sitefinity CMS sites against attacks.

PREREQUISITES: The Web security module is available with the Professional, Online Marketing, and Enterprise editions of Sitefinity. For more information about Sitefinity editions, see How to Buy

There are various types of attacks that you can prevent – Cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), content sniffing. HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally built-in redirect and referrer validation mechanisms add further protection against Open Redirect and Cross-site Request Forgery types of attacks.

Sitefinity CMS adds another layer of protection to your site. The system sends HTTP headers to configure web clients (browsers) and turn on their build-in security features. The system also screens for any redirects and web service calls to unvalidated domains.

The site administrators are responsible for the security. You should configure your site, so that no other role, such as author, content editor, designer, or frontend user, is able to add a reference to external resource, without the explicit permission from the administrator. The administrator should be able to configure the transport layer security upgrade, the prevention from clickjacking attacks, the XSS protection, and more. Only administrators should be able to turn off the Web security module or its features.

When you activate the Web security module, a set of HTTP security headers are turned on and sent with each successful response to utilize the browser build-in security features.

If you have already configured the same HTTP response headers, for example in your web.config, or have set them with code in the response, Sitefinity CMS does not modify them or append them again. In this case, the Web security module configuration for this header is ignored.

For Open Redirect protection, if the web security module detects an attacker attempts to inject a redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays the following warning screen.

To prevent CSRF attacks the Web Security module introduces a whitelist of domains the external requests to the website can originate from. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist will be blocked. In addition, Sitefinity CMS utilizes token based protection as well as additional explicit sameSite cookie policy set to lax for all authentication cookies. It also validates the presence of a custom header for all cross-site requests to built-in web services routes when cookies are used for authentication. The custom header must be named X-Requested-With with any value.

In addition, the Sitefinity CMS Web Security module enables you to configure cookies protection that allows you to define a minimum security policy for all website cookies.