Web security module
Sitefinity CMS has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way you protect your Sitefinity CMS sites against attacks.
There are various types of attacks that you can prevent – for example, cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle attacks), or content sniffing. The HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally, the built-in redirect and referrer validation mechanisms add further protection against Open Redirect and Cross-site Request Forgery types of attacks.
Sitefinity CMS adds another layer of protection to your site. The system sends HTTP headers to configure web clients (browsers) and turn on their built-in security features. The system also screens for any redirects and web service calls to unvalidated domains.
The site administrators are responsible for the security. You should configure your site in such a way that no other role, such as author, content editor, designer, or frontend user, is able to add a reference to an external resource without the administrator's explicit permission. The administrator should be able to configure the upgrade of the transport layer security, the prevention of clickjacking attacks, XSS protection, and more. Only administrators should be able to turn off the Web security module or its features.
How it works
When you activate the Web security module, a set of HTTP security headers is turned on and sent with each successful response to utilize the browser's built-in security features.
If you have already configured the same HTTP response headers, for example in your web.config file, or have enforced them with code in the response, Sitefinity CMS does not modify them or append them a second time. In this case, the Web security module configuration for this header is ignored.
For Open Redirect protection, if the Web security module detects that an attacker attempts to inject a redirect to a domain that is not configured as trusted, it intercepts this attempt and displays a warning screen.
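The two behaviors described in this section, as an added example that is not Sitefinity's own code: a Python allowlist check of the kind a redirect validator performs (including the backslash and multiple-slash forms browsers treat as host-relative), with the "do not add a header that is already present" rule beside it. The header names and values, hostnames, and function names are constructed for illustration and are not the module's configuration.

```python
from urllib.parse import urlsplit

# Constructed defaults standing in for the module's header set (illustrative
# values, not Sitefinity's exact configuration).
DEFAULT_SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
}


def merge_security_headers(existing: dict) -> dict:
    """Add each default header only when the response does not already carry
    it (header names compared case-insensitively), so nothing is sent twice."""
    present = {name.lower() for name in existing}
    merged = dict(existing)
    for name, value in DEFAULT_SECURITY_HEADERS.items():
        if name.lower() not in present:
            merged[name] = value
    return merged


def is_trusted_redirect(target: str, trusted_hosts: set) -> bool:
    """Accept a same-site path or an absolute http(s) URL to an allowlisted host."""
    if not target:
        return False
    # Browsers treat '\' like '/' in http(s) URLs, so normalise before parsing;
    # otherwise '/\evil.example' would look like a harmless relative path.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme:
        # Scheme-less target: allow a single-slash path only. Anything that
        # starts with '//' (any number of slashes) is host-relative in browsers,
        # even though urlsplit reports an empty netloc for '///host'.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc. are never valid redirect targets
    host = parts.hostname  # lowercased, with userinfo and port stripped
    return host is not None and host in trusted_hosts
```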
In addition, the Sitefinity CMS Web security module enables you to configure cookie protection, which allows you to define a minimum security policy for all website cookies.