Add HTTP security headers in CMS 12

Vote:
 

I tried adding HTTP security headers using custom middleware, similar to the way it's implemented here. https://blog.emman.dev/asp.net/2021/10/25/add-http-security-headers-in-asp.net-core-5-using-custom-middleware 

Although the headers do show up correctly for all requests, it causes errors in the CMS. I thought by moving it around to different places in the request processing pipeline I could make it work, but that doesn't seem to be the case. Has anyone implemented custom http headers in CMS 12? 

#288767
Oct 06, 2022 20:14
Vote:
 

What errors are you seeing? what's in the browser console?

#288803
Oct 07, 2022 6:34
Vote:
 

Thanks Quan. I checked the console and it looked to be an error that was caused by the Content-Security-Policy header specifically.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-x...sw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Removing this header in particular solved the issue. I can revisit fixing the values inside our CSP, but for now this works.  

#288813
Oct 07, 2022 18:06
Vote:
 

There is some information available about the CSP in the documentation here:
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/content-security-policy 

#288814
Oct 07, 2022 23:00
Vote:
 

Larry, have you considered looking into packages within the Optimizely Community?

There is Jhoose.Security.Admin which allows you to manage your CSP within the CMS which you can read more on here: https://github.com/andrewmarkham/contentsecuritypolicy 

#288902
Oct 09, 2022 22:13
Vote:
 

Thanks Ynze and Mark for the links to the documentation. I will definitely be looking into Jhoose Security Admin. This is great.  

#288950
Oct 10, 2022 14:59
Vote:
 

Jhoose is very easy to get started with, you can turn OFF the default policies if desired:

services.AddJhooseSecurity(_configuration, (securityOptions) =>
{
    securityOptions.StrictTransportSecurity.Enabled = false;
    securityOptions.XFrameOptions.Enabled = false;
    securityOptions.XContentTypeOptions.Enabled = false;
    securityOptions.XPermittedCrossDomainPolicies.Enabled = false;
    securityOptions.ReferrerPolicy.Enabled = false;
    securityOptions.CrossOriginEmbedderPolicy.Enabled = false;
    securityOptions.CrossOriginOpenerPolicy.Enabled = false;
    securityOptions.CrossOriginResourcePolicy.Enabled = false;
});
#314457
Dec 20, 2023 16:13
Vote:
 

I'll also add that since I made my previous recommendation around Jhoose Security, I've also released my own module Stott Security.

It's free to use and allows you to edit all of the following headers within the CMS Administrator inteface complete with a full audit:

  • Content Security Policy (CSP)
  • Cross Origin Resource Sharing (CORS)
  • X-Content-Type-Options
  • X-Xss-Protection
  • Referrer-Policy
  • X-Frame-Options
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Strict-Transport-Security

You can read more here: https://github.com/GeekInTheNorth/Stott.Security.Optimizely

Both modules are great and work conceptually differently in terms of UI.  

#314460
Dec 20, 2023 16:22
Vote:
 

Larry

Im adding these security headers with custom code, and for Content Security Policy (CSP) I had the same issue. It breaks the CMS. I resolved this by only applying CSP when Im not actually in the CMS. How to do this depends on how you are adding your headers. For me, Im adding these headers in some middleware. In that middleware I have a "ShouldAddCsp" method, and it looks at the url to determine where its happening:

private bool ShouldAddCsp(HttpContext context)
{
    var currentUrl = context.Request.Url();
    var path = currentUrl.PathAndQuery;
    var segments = path.Split('/', StringSplitOptions.RemoveEmptyEntries);

    var segmentZero = segments.ElementAtOrDefault(0);

    if (string.IsNullOrEmpty(segmentZero))
    {
        return true;
    }

    switch (segmentZero.ToLower())
    {
        case "error":
            return false;
        case "episerver":
            return false;
        case "util":
            return false;
        case "authorization-code":
            return false;
        case "signout":
            return false;
        case "cleaner":
            return false;
        case "form-handler-report":
            return false;
        case "translation-report":
            return false;
        case "translation-report-export":
            return false;
        case "redirectmanager":
            return false;
        default:
            return true;
    }
}

So, some of the URLS there are custom things I implemented. Your list of URLS may be different.

#315412
Jan 10, 2024 19:20
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.