Content-Security-Policy (CSP) HTTP response header

Overview

This security policy applies only to ASP.NET Core pages.

IMPORTANT: After upgrading Sitefinity ASP.NET Core Renderer to version 15.0 a Trusted sources security policy is automatically applied. This will immediately disable all external resources on your website.
You need to do one of the following:

  • Configure CPS header to allow resources from trusted sources.
    For more information, see.
  • Disable sending the header – not recommended
    For more information, see. 

Sitefinity ASP.NET Core Renderer implements out-of-the-box the Trusted sources security policy. It defines the value of the Content-Security-Policy (CSP) HTTP response header. This header controls the resources that the user agent can load. It specifies the server origins and script endpoints for page resources.

The CSP response header is a very powerful tool that protects you from cross-site attacks, such as clickjacking and Cross-Site Scripting (XSS). It protects from attacks by allowing only website services from whitelisted sources.

PREREQUISITES: The access to the configuration of the header, you must be an Administrator.

Default value

The CSP header is preconfigured to prevent loading resources from external sources. It has the following preconfigured directives:

  • default-src ‘self’
  • style-src ‘self’ ‘unsafe-inline’
  • image-src ‘self’ data: 

Configuration

It is the role of the administrator to whitelist any trusted external sources as secure.

IMPORTANT: Misconfiguration may block some resources from loading. 
If the header is turned on with the default, preconfigured value, it blocks almost each external resource from loading and this may prevent pages to use external CSS, fonts, images, scripts, etc. If your site is using external resources, you should allow all trusted domains in the header configuration for each respective resource type. 

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?