Configure Content-Security-Policy header

Overview

You can configure the Content-Security-Policy HTTP header through the API in the Program.cs file of the ASP.NET Core Renderer or via the backend UI, through the Advanced settings.

RECOMMENDATION: We recommend configuring the header via the API, because you have more configuration options. 

When you create directives using the backend UI, you do not need to build and deploy your renderer application. This option is suitable for content editors when they need to quickly allow an external source.  

Configure CSP header via the API 

 

Perform the following:

  1. Open the Program.cs file of Sitefinity ASP.NET Core Renderer.
  2. Modify the services section to include the required directives.

    EXAMPLE: To add a particular website as a secure source, modify the section in the following way:

  3. Save and close the Program.cs file.
  4. Build and deploy the renderer application.

Configure the CSP header in the backend

Perform the following:

  1. In the Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
  2. In the tree on the left, expand AspNetCoreRenderer » Security » Content-Security-Policy header.
  3. Click Directives » Create new.
  4. In Name, enter the directive and save your changes. 
  5. In Value, enter the value of the directive and save your changes. 

For more information, see CSP header syntax reference.
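
After either procedure, you can confirm that the header the renderer returns actually permits the source you added and see which weakening expressions it carries. The following is an added example, not Sitefinity code; the sample policy and host names are constructed, and matching is simplified to ignore ports and paths.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back directly to default-src when absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "connect-src", "media-src", "object-src", "child-src"}
# Source expressions that weaken a policy and deserve a second look.
RISKY = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:"}

def parse_csp(header_value):
    """Split a header value into {directive name: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Return the source list governing `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def source_matches(expr, url):
    """Simplified match; 'self', nonces and hashes never match an external URL."""
    target = urlsplit(url)
    if expr == "*":
        return target.scheme in ("http", "https")
    if expr.startswith("'"):
        return False
    if expr.endswith(":"):                      # scheme-source such as https:
        return target.scheme == expr[:-1].lower()
    scheme, _, host = expr.rpartition("://")
    host = host.split("/")[0].lower()
    if scheme and scheme.lower() != target.scheme:
        return False
    name = target.hostname or ""
    return name.endswith(host[1:]) if host.startswith("*.") else name == host

def check(header_value, directive, url):
    """Return (URL allowed for this directive?, risky expressions present)."""
    sources = effective_sources(parse_csp(header_value), directive.lower())
    allowed = sources is None or any(source_matches(s, url) for s in sources)
    return allowed, sorted(set(sources or []) & RISKY)

# Constructed sample policy; the host names are placeholders.
SAMPLE = ("default-src 'self'; "
          "script-src 'self' https://cdn.example.com 'unsafe-inline'; img-src *")
```

Pass `check` the Content-Security-Policy value from a response of the deployed site, the directive you edited, and a URL on the source you meant to allow.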
