Add HTTP security headers in CMS 12
Thanks Quan. I checked the console and it looked to be an error that was caused by the Content-Security-Policy header specifically.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-x...sw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Removing this header in particular solved the issue. I can revisit fixing the values inside our CSP, but for now this works.
Oct 07, 2022 18:06
There is some information available about the CSP in the documentation here:
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/content-security-policy
Oct 07, 2022 23:00
Larry, have you considered looking into packages within the Optimizely Community?
There is Jhoose.Security.Admin which allows you to manage your CSP within the CMS which you can read more on here: https://github.com/andrewmarkham/contentsecuritypolicy
Oct 09, 2022 22:13
Thanks Ynze and Mark for the links to the documentation. I will definitely be looking into Jhoose Security Admin. This is great.
Oct 10, 2022 14:59
I tried adding HTTP security headers using custom middleware, similar to the way it's implemented here. https://blog.emman.dev/asp.net/2021/10/25/add-http-security-headers-in-asp.net-core-5-using-custom-middleware
Although the headers do show up correctly for all requests, it causes errors in the CMS. I thought by moving it around to different places in the request processing pipeline I could make it work, but that doesn't seem to be the case. Has anyone implemented custom http headers in CMS 12?