London Dev Meetup Rescheduled! Due to unavoidable reasons, the event has been moved to 21st May. Speakers remain the same—any changes will be communicated. Seats are limited—register here to secure your spot!

Mark Stott
Nov 19, 2021
  2900
(5 votes)

Adding Secure Headers in Optimizely CMS 12

I have previously blogged about this in a pure .NET 5.0 context on my own blog here: Secure Headers in .NET 5.0. In this version of this post I have adapted the solution to work with an Optimizely CMS Build.

I have been building .NET 5.0 websites for personal projects as well as reviewing the move from .NET 4.8 to .NET 5.0 by Optimizely and seeing the evolution of the CMS solution.  In any website build it is best practice to remove any headers that your website may produce which expose the underlying technology stack and version.  This is known as information leakage and provides malicious actors with information that allows them to understand the security flaws in the hosting technologies utilized by your website.  It is also best practice to provide headers which instruct the user's browser as to how your website can use third parties and be used by third parties in order to offer the best protection for the user.

.NET 5.0 and .NET Core 3.1 follow a common pattern in how you build websites.  Web.config is meant to be a thing of the past with configuration of the site moving to appsettings.json and code.  A good place to add security headers to your requests is to create a security header middleware. However the routing of the CMS content does not pass through this middleware so I've fallen back to Action Attributes:

namespace MyProject.Features.Security
{
    using Microsoft.AspNetCore.Mvc.Filters;

    public class SecurityHeaderActionAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext context)
        {
            base.OnResultExecuting(context);

            context.HttpContext.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
            context.HttpContext.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
            context.HttpContext.Response.Headers.Add("X-Content-Type-Options", "nosniff");
            context.HttpContext.Response.Headers.Add("Referrer-Policy", "no-referrer");

            context.HttpContext.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https:; frame-src 'self' https://www.youtube-nocookie.com/;");
        }
    }
}

I did find that I couldn't remove the server and x-powered-by headers using this method.  As it turns out, these are added by the hosting technology, in this case IIS.  The only way to remove these headers was to add a minimal web.config file to the web solution that contained just enough configuration to remove these headers.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
   <system.webServer>
       <httpProtocol>
           <customHeaders>
               <remove name="X-Powered-By" />
           </customHeaders>
       </httpProtocol>
       <security>
           <requestFiltering removeServerHeader="true" />
       </security>
   </system.webServer>
</configuration>

I spent a good while looking for this solution, almost every solution I could find was based on hosting within Kestrel rather than IIS.  If you are hosting with Kestrel, then you can remove the server header by updating your CreateHostBuilder method in program.cs to set the options for Kestrel to exclude the server header.

public static IHostBuilder CreateHostBuilder(string[] args, bool isDevelopment)
{
   return Host.CreateDefaultBuilder(args)
              .ConfigureCmsDefaults()
              .ConfigureWebHostDefaults(webBuilder =>
              {
                  webBuilder.UseStartup<Startup>();
                  webBuilder.UseKestrel(options => { options.AddServerHeader = false; });
              });
}
Nov 19, 2021

Comments

Please login to comment.
Latest blogs
Integrating Address Validation in Optimizely Using Smarty

Address validation is a crucial component of any ecommerce platform. It ensures accurate customer data, reduces shipping errors, and improves the...

PuneetGarg | May 21, 2025

The London Dev Meetup is TOMORROW!!

The rescheduled London Dev Meetup is happening tomorrow, Wednesday, 21st May, at 6pm! This meetup will be Candyspace 's first, and the first one he...

Gavin_M | May 20, 2025

From Agentic Theory to Practicality: Using Optimizely Opal’s Instructions Feature

A practical look at Optimizely Opal’s Instructions feature — from built-in agents to creating and managing custom instruction workflows. Ideal for...

Andy Blyth | May 19, 2025 |

Common Mistakes in Headless Projects with Optimizely

Adopting a headless architecture with Optimizely is a major shift from the traditional MVC-based development that has been the standard for years....

Szymon Uryga | May 19, 2025