Progress Sitefinity 11.0 is coming with a new Web Security Module that supports the configuration of HTTP response headers through the Administration section from your website admin panel. I am very proud to say that Progress Sitefinity is the first CMS on the market to provide built-in support on that level and follows the latest trends by utilizing the browser capabilities in favor of your website security.
In a previous blog post (“7 Security Response Headers Your WCMS ..”) we discussed the top 7 HTTP response headers your CMS should be aware of. Please take a look at that post to learn more about why this is so important.
Looking to learn about the Web Security Module through a quick tutorial? Here are two videos that capture the essence of it.
In this video the Progress Sitefinity team explains how the module actually works and what happens when it is turned on.
When you first enable the Web Security Module most of the HTTP security headers are turned on and will be sent with each successful response to use the browser’s built-in security features.
If the same HTTP Response Headers have been configured already (e.g. in web.config) or have been set with code in the response, Sitefinity won't modify them or append them again. In this case Sitefinity's configuration for this header will be ignored.
By default, new projects start with the Web Security Module turned on.
Upgraded sites, from versions lower than 11.0 to version 11.0 and up, will have the Web Security Module turned off by default. In order to use its features, the module should be activated by going to Administration -> Modules and Services -> Web Security and turning it on.
Warning: Turning on the Web Security module (and applying security HTTP Response Headers respectively) on a running site may cause some content to be blocked by the browser. You have to configure the restrictions for your site (e.g. which external sources are trusted and allow loading resources from them).
The configuration part is straightforward, and as usual you can Activate/Deactivate the Web Security Module from Administration -> Modules and Services. Its configurations could be found in Administration -> Settings -> Advanced -> Web Security. All HTTP security response headers can be turned off/on and each security header can be configured and turned on/off separately.
Although Sitefinity comes out of the box with many HTTP Response Headers, preconfigured HTTP protocol and browsers evolve and there might be more and more in the future. The list should be extended as needed and configurations should be kept up to date.
If other response headers should be added they can be set in the configuration.
To get additional information about recommendations for security headers, you can check out what OWASP (the Open Web Application Security Project) has to say here. Another list of HTTP security headers could be found on the Mozzilla’s website (look at the security section).
To check if your website is following the latest and greatest practices, you can also scan your URL through securityheaders.io.
Providing out of the box support for HTTP Response Headers is the first step of the Web Security Module development. Please let us know what you would like to see in it, so we can include it in our roadmap.
View all posts from The Progress Team on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.
Copyright © 2018 Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.
Progress, Telerik, and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.