Content-Security-Policy (CSP) HTTP response header
Overview
This security policy applies only to ASP.NET Core pages.
IMPORTANT: After upgrading Sitefinity ASP.NET Core Renderer to version 15.0 a Trusted sources security policy is automatically applied. This will immediately disable all external resources on your website.
You need to do one of the following:
- Configure the CSP header to allow resources from trusted sources.
For more information, see.
- Disable sending the header – not recommended
For more information, see.
Sitefinity ASP.NET Core Renderer implements the Trusted sources security policy out of the box. The policy defines the value of the Content-Security-Policy (CSP) HTTP response header. This header controls which resources the user agent is allowed to load by specifying the server origins and script endpoints that page resources may come from.
The CSP response header is a powerful tool that protects you from cross-site attacks, such as clickjacking and Cross-Site Scripting (XSS). It does so by allowing the browser to load website resources only from whitelisted sources.
PREREQUISITES: To access the configuration of the header, you must be an Administrator.
Default value
The CSP header is preconfigured to prevent loading resources from external sources. It has the following preconfigured directives:
- default-src 'self'
- style-src 'self' 'unsafe-inline'
- img-src 'self' data:
Configuration
It is the role of the administrator to whitelist any trusted external sources as secure.
IMPORTANT: Misconfiguration may block some resources from loading.
If the header is turned on with the default, preconfigured value, it blocks almost every external resource from loading, which may prevent pages from using external CSS, fonts, images, scripts, and so on. If your site uses external resources, you must allow all trusted domains in the header configuration for each respective resource type.
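To see how the default value and a whitelisted configuration behave, the following added example (not Sitefinity code) evaluates a CSP header value against a resource request, applying the directive for the resource type and falling back to default-src when no type-specific directive exists. The hostnames www.example.com and cdn.example.com are assumed placeholders; the image directive uses its standard name img-src.

```python
from urllib.parse import urlparse

# Preconfigured default value described on this page, as one header string.
DEFAULT_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"

# Constructed example of an administrator whitelisting a trusted CDN for
# stylesheets and fonts only; scripts and images stay restricted to 'self'.
TRUSTED_CSP = ("default-src 'self'; "
               "style-src 'self' 'unsafe-inline' https://cdn.example.com; "
               "font-src 'self' https://cdn.example.com; "
               "img-src 'self' data:")

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """Does one source expression permit loading url from a page at page_origin?"""
    parsed = urlparse(url)
    hostname = parsed.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == page_origin
    if source.endswith(":"):                      # scheme source such as data:
        return parsed.scheme == source[:-1]
    if source == "*":
        return parsed.scheme in ("http", "https")
    if source.startswith("'"):                    # keywords like 'unsafe-inline'
        return False                              # do not match fetched URLs
    host = source.split("://", 1)[-1]             # host source, optional scheme
    scheme_ok = "://" not in source or source.startswith(parsed.scheme + "://")
    if host.startswith("*."):                     # wildcard subdomain match
        return scheme_ok and hostname.endswith(host[1:])
    return scheme_ok and parsed.netloc == host

def is_allowed(header, directive, url, page_origin):
    """Apply the fetch directive for the resource type; fall back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                               # no directive: CSP imposes nothing
    return any(source_allows(s, url, page_origin) for s in sources)
```

With DEFAULT_CSP an external stylesheet or font is refused, and a script is refused too because script-src falls back to default-src 'self'; TRUSTED_CSP admits the CDN only for the two resource types the administrator whitelisted.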