Web security module
Sitefinity CMS has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way you protect your Sitefinity CMS sites against attacks.
There are various types of attacks that you can prevent – Cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally, built-in redirect and referrer validation mechanisms add further protection against Open Redirect and Cross-site Request Forgery (CSRF) attacks.
Sitefinity CMS adds another layer of protection to your site. The system sends HTTP headers that configure web clients (browsers) and turn on their built-in security features. The system also screens all redirects and web service calls for unvalidated domains.
Site administrators are responsible for security. You should configure your site so that no other role, such as author, content editor, designer, or frontend user, is able to add a reference to an external resource without the explicit permission of the administrator. The administrator should be able to configure the transport layer security upgrade, the prevention of clickjacking attacks, the XSS protection, and more. Only administrators should be able to turn off the Web security module or its features.
How it works
When you activate the Web security module, a set of HTTP security headers is turned on and sent with each successful response to utilize the browser's built-in security features.
If you have already configured the same HTTP response headers, for example in your web.config, or have set them with code in the response, Sitefinity CMS does not modify them or append them again. In this case, the Web security module configuration for that header is ignored.
For Open Redirect protection, if the Web security module detects an attempt to inject a redirection to a domain that is not configured as trusted, it intercepts the attempt and displays the following warning screen.
To prevent CSRF attacks, the Web security module introduces a whitelist of domains from which external requests to the website can originate. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist are blocked.
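The three behaviours described above (header merging that never overrides an existing header, redirect-target validation against trusted domains, and referrer validation) in a standalone Python illustration. This is an added example, not Sitefinity's own code; the trusted-domain list and the header values are constructed assumptions, and the handling of a missing Referer is a policy choice the page does not state.

```python
from urllib.parse import urlsplit

# Constructed sample configuration; in Sitefinity the trusted domains and the
# header values come from the Web security module settings, not from code.
TRUSTED_DOMAINS = {"www.example.com", "cdn.example.com"}
DEFAULT_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",                  # clickjacking
    "X-Content-Type-Options": "nosniff",              # content sniffing
    "Strict-Transport-Security": "max-age=31536000",  # TLS upgrade
}

def apply_security_headers(response_headers, defaults=DEFAULT_HEADERS):
    """Add a default header only if the response does not already carry it
    (case-insensitive), mirroring the "do not modify or append again" rule."""
    present = {name.lower() for name in response_headers}
    merged = dict(response_headers)
    for name, value in defaults.items():
        if name.lower() not in present:
            merged[name] = value
    return merged

def is_safe_redirect(target, trusted=TRUSTED_DOMAINS):
    """Allow a redirect only to a same-site path or to a trusted host."""
    target = target.strip()
    # Browsers turn backslashes into slashes and tolerate embedded control
    # characters, which can make a "relative" path cross-site; refuse them.
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: require exactly one leading "/". urlsplit reports no
        # netloc for "///h", but browsers treat it as the protocol-relative "//h".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("", "http", "https"):
        return False
    # Use hostname, not netloc: "https://trusted@evil.example" lands on evil.example.
    return (parts.hostname or "") in trusted

def is_referrer_allowed(referer, trusted=TRUSTED_DOMAINS):
    """Accept a service call only if the Referer header names a trusted host.
    Assumption (the page does not say): a missing Referer is treated as untrusted."""
    if not referer:
        return False
    parts = urlsplit(referer.strip())
    return parts.scheme.lower() in ("http", "https") and (parts.hostname or "") in trusted
```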