Add HTTP security headers in CMS 12


I tried adding HTTP security headers using custom middleware, similar to the way it's implemented here. 

Although the headers do show up correctly for all requests, it causes errors in the CMS. I thought by moving it around to different places in the request processing pipeline I could make it work, but that doesn't seem to be the case. Has anyone implemented custom HTTP headers in CMS 12?

Oct 06, 2022 20:14

What errors are you seeing? What's in the browser console?

Oct 07, 2022 6:34

Thanks Quan. I checked the console and it looked to be an error that was caused by the Content-Security-Policy header specifically.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-x...sw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Removing this header in particular solved the issue. I can revisit fixing the values inside our CSP, but for now this works.  

Oct 07, 2022 18:06
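The console error above is the classic outcome of a CSP whose `default-src 'self'` falls through to scripts: every inline `<script>` is refused. The middleware below is an added example, not code from this thread or from Optimizely; it assumes an ASP.NET Core pipeline (which CMS 12 runs on), and the class name, the `csp-nonce` item key and the `reportOnly` switch are my own. It issues a fresh nonce per request so inline scripts that carry it keep working, and can emit the policy as Report-Only first so violations are logged in the console instead of breaking the CMS.

```csharp
// Added example (not from the thread): ASP.NET Core middleware that sets security
// headers and a nonce-based CSP so legitimate inline scripts keep executing.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;
    private readonly bool _reportOnly; // hypothetical switch: Report-Only first, enforce later

    public SecurityHeadersMiddleware(RequestDelegate next, bool reportOnly)
    {
        _next = next;
        _reportOnly = reportOnly;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Fresh, unpredictable nonce per request; views read it from HttpContext.Items.
        var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        context.Items["csp-nonce"] = nonce;

        // Set headers just before the response starts so nothing downstream clobbers them.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            // default-src 'self' alone blocks inline <script>; script-src with the nonce
            // allows only the inline scripts that carry this request's nonce attribute.
            var csp = $"default-src 'self'; script-src 'self' 'nonce-{nonce}'; " +
                      "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
            headers[_reportOnly ? "Content-Security-Policy-Report-Only"
                                : "Content-Security-Policy"] = csp;
            headers["X-Content-Type-Options"] = "nosniff";
            headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

// Registration (Program.cs), early in the pipeline so every response gets the headers:
//   app.UseMiddleware<SecurityHeadersMiddleware>(true);   // true = Report-Only while tuning
// In a Razor view, tag each inline script with the nonce:
//   <script nonce="@Context.Items["csp-nonce"]">...</script>
```

Watch the browser console (or a `report-uri`/`report-to` endpoint, not shown here) while in Report-Only mode; once the CMS edit UI and your templates stop reporting violations, switch the flag to enforce.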

There is some information available about the CSP in the documentation here: 

Oct 07, 2022 23:00

Larry, have you considered looking into packages within the Optimizely Community?

There is Jhoose.Security.Admin which allows you to manage your CSP within the CMS which you can read more on here: 

Oct 09, 2022 22:13

Thanks Ynze and Mark for the links to the documentation. I will definitely be looking into Jhoose Security Admin. This is great.  

Oct 10, 2022 14:59