Predefined security policies and HTTP response headers

The Trusted sources security policy defines the value of the Content-Security-Policy (CSP) HTTP response header. This header controls the resources that the user agent can load. It specifies the server origins and script endpoints for page resources.

The CSP response header is a very powerful tool that is protects you from cross-site attacks, such as Cross-Site Scripting (XSS). It protects from attacks by allowing only website services from whitelisted sources. The header is preconfigured, so that Sitefinity CMS is secure by default. It is the role of the administrator to ensure that whitelisting any additional sources is secure.

The access to the configuration of the header is restricted only to the administrator of the site. When configuring the value for this header, you can use special syntax to define your rules. For more information, see Content-Security-Policy HTTP header syntax reference.

IMPORTANT: Misconfiguration may block some resources from loading.
If the header is turned on with the default, preconfigured value, it blocks almost each external resource from loading and this may prevent pages to use external CSS, fonts, images, scripts, etc. If your site is using external resources, you should allow all trusted domains in the header configuration for each respective resource type.

NOTE: You can use the Content-Security-Policy-Report-Only header that will allow you to fine-tune the header without breaking any existing pages. For more information, see Configure reporting.

For more information about using the Content-Security-Policy header, see:

Public keys for web servers

IMPORTANT: This header is deprecated.

This security policy controls the Public-Key-Pins HTTP response header. It tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.

This header is disabled by default, because it requires configuration of the public key of the certificate that is used for transport layer encryption.

NOTE: You can use the Public-Key-Pins-Report-Only header that will allow you to fine-tune the header without breaking any existing pages. For more information, see Configure reporting.

For more information, see Mozilla Firefox documentation » HTTP Public Key Pinning (HPKP).

Referrer information

This security policy defines the Referrer-Policy HTTP response header value. It governs which referrer information, sent in the Referrer header, should be included with requests made.

For more information, see Mozilla Firefox documentation » Referrer-Policy.

HTTP strict transport security

This security policy determines the value of the Strict-Transport-Security HTTP response header. It prevents sending data over unencrypted channel when a secured one is available. Strict - Transport - Security - HSTS tells browsers that content should only be communicated using HTTPS, instead of HTTP. It converts automatically all HTTP requests to HTTPS, if the site has been opened previously under HTTPS with valid certificate.

For more information, see OWASP documentation » Strict Transport Security.

Prevention of styles and scripts sniffing

This security policy defines the value of the X-Content-Type-Options HTTP response header. This header prevents content sniffing for styles and scripts.

For more information, see Mozilla's article X-Content-Type-Options.

Control of embedding your content

This security policy controls the value of the X-Frame-Options HTTP response header, and indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe>, or <object>. It helps protecting against clickjacking attacks.

For more information, see OWASP documentation » Clickjacking Attacks.

Prevention of cross-site scripting attack

IMPORTANT: This is a non-standard header and does not work for every user.

This security policy controls the value of the X-XSS-Protection HTTP response header. It prevents reflected cross-site scripting attacks. Default value blocks the rendering of a page if an attack is detected.

For more information, see Mozilla's article X-XSS-Protection.

Content-Security-Policy-Report-Only and Public-Key-Pins-Report-Only

IMPORTANT: These headers are depricated.

For more information, see Configure reporting.

Cross-Origin-Embedder-Policy

The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

To configure this header, navigate to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders » Response Headers » Cross-Origin-Embedder-Policy

The default value is UnsafeNone, which allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

The other available value is require-corp, which means that a document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.

For more information, see Mozilla's article Cross-Origin-Embedder-Policy.

Cross-Origin-Opener-Policy

The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.

To configure this header, navigate to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders » Response Headers » Cross-Origin-Opener-Policy.

The default value is UnsafeNone, which allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.

The same-origin-allow-popups value retains references to newly opened windows or tabs that either don't set COOP or that opt out of isolation by setting a COOP of unsafe-none.

The same-origin value isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.

For more information, see Mozilla's article Cross-Origin-Opener-Policy

Cross-Origin-Resource-Policy

The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.

To configure this header, navigate to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders » Response Headers » Cross-Origin-Resource-Policy.

The default value is CrossOrigin, which means that requests from any origin (both same-site and cross-site) can read the resource.

The SameOrigin value means that only requests from the same origin (i.e. scheme + host + port) can read the resource.

The same-site value means that only requests from the same site can read the resource.

The cross-origin value means that requests from any origin (both same-site and cross-site) can read the resource.

For more information, see Mozilla's article Cross-Origin-Resource-Policy.

Permissions-Policy

Permissions Policy (formerly known as feature policy) allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.

To configure this header, navigate to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders » Response Headers » Permissions-Policy.

For more information, see Mozilla's article Feature Policy.

Extensibility

In addition to the out-of-the-box preconfigured headers that Sitefinity CMS comes with, you can create your own additional headers.

To do this, navigate to Administration » Settings » Advanced » WebSecurity » HttpSecurityHeaders » ResponseHeaders » Create new.

HTTP protocol and browsers evolve. So, you should stay on top of the latest web security trends and use your Sitefinity CMS Web security module to extend the list of headers and keep their configuration up to date.

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Web Security for Sitefinity Administrators

The free standalone Web Security lesson teaches administrators how to protect your websites and Sitefinity instance from external threats. Learn to configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Next article

Configure reporting