Topics

All topics

Configure the security policies and HTTP response headers

Overview

Sitefinity CMS comes with a set of predefined security policies. The Web security module reads the configuration for each security policy and sets the value of the corresponding HTTP response headers. You can configure the security policies separately and you can turn them on and off separately.

Procedure

To configure the security headers, perform the following:

In Sitefinity CMS backend, navigate to Administration » Settings.
The Basic Settings page appears.
In the left-hand side navigation, click on WebSecurity.
A list of the predefined security policies appear. Each policy controls a HTTP header listed in the HTTP header column.
Click Edit for the security policy that you want to configure.
The security policy edit dialog appears.
Edit the properties of the security policy. Each property value, exposed for editing in the security policy edit dialog, translates to a value of the HTTP response headers. For more information about the headers, see Predefined security headers in HTTP response. You can also uncheck/check the Enable [security policy name] checkbox to disable/enable the security policy.
NOTE: There are headers that support reporting. If you want to turn on the Content-Security-Policy-Report-Only or the Public-Key-Pins -Report-Only headers, you must disable the Content-Security-Policy and the Public-Key-Pins headers, respectively.
For more information, see Configure reporting.
Click Done.

Disable sending all security HTTP response headers globally

You can globally disable all security headers, by navigation to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders and selecting Disable sending security headers in the http response checkbox. We do not recommend using this option.

Additional resources

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Web Security for Sitefinity Administrators

The free standalone Web Security lesson teaches administrators how to protect your websites and Sitefinity instance from external threats. Learn to configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel

Predefined security policies and HTTP response headers