Add HTTP security headers in CMS 12

I tried adding HTTP security headers using custom middleware, similar to the way it's implemented here: https://blog.emman.dev/asp.net/2021/10/25/add-http-security-headers-in-asp.net-core-5-using-custom-middleware

Although the headers do show up correctly for all requests, it causes errors in the CMS. I thought that by moving it around to different places in the request processing pipeline I could make it work, but that doesn't seem to be the case. Has anyone implemented custom HTTP headers in CMS 12?

#288767
Oct 06, 2022 20:14

What errors are you seeing? What's in the browser console?

#288803
Oct 07, 2022 6:34

Thanks Quan. I checked the console and it looked to be an error that was caused by the Content-Security-Policy header specifically.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-x...sw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Removing this header in particular solved the issue. I can revisit fixing the values inside our CSP, but for now this works.

#288813
Oct 07, 2022 18:06
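The console error above is the usual outcome of `default-src 'self'` with no `script-src`: every inline `<script>` is blocked. The fix that avoids `'unsafe-inline'` is a per-request nonce. The following ASP.NET Core middleware is an added example, not code from the thread or from any of the linked projects; it assumes ASP.NET Core 6, and the class name, the `HttpContext.Items` key and the `/episerver` path prefix used to skip the CMS UI (which ships its own inline scripts) are my own assumptions to adjust for your site.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Sets a Content-Security-Policy with a fresh nonce on every response so that
// inline scripts rendered with that nonce run, while everything else inline is blocked.
public class CspNonceMiddleware
{
    // Key under which views can read the nonce (assumed name).
    public const string NonceKey = "csp-nonce";
    private readonly RequestDelegate _next;

    public CspNonceMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // Assumption: the CMS editing UI lives under /episerver and needs its own,
        // looser policy, so the site-wide header is not applied there.
        if (context.Request.Path.StartsWithSegments("/episerver"))
        {
            await _next(context);
            return;
        }

        // 128 bits of CSPRNG output, base64-encoded: unguessable and unique per response.
        var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        context.Items[NonceKey] = nonce;

        // OnStarting fires just before headers are flushed, so the header is
        // set even if a downstream handler starts writing the body early.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "default-src 'self'; " +
                $"script-src 'self' 'nonce-{nonce}'; " +
                "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class CspNonceMiddlewareExtensions
{
    // Register early in Startup/Program: app.UseCspNonce();
    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app)
        => app.UseMiddleware<CspNonceMiddleware>();
}
```

In a Razor view, stamp the nonce onto each inline script you control with `<script nonce="@Context.Items[CspNonceMiddleware.NonceKey]">`; any inline script without it (including injected ones) is still refused by the browser.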

There is some information available about the CSP in the documentation here:
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/content-security-policy 

#288814
Oct 07, 2022 23:00

Larry, have you considered looking into packages within the Optimizely Community?

There is Jhoose.Security.Admin, which allows you to manage your CSP within the CMS. You can read more about it here: https://github.com/andrewmarkham/contentsecuritypolicy

#288902
Oct 09, 2022 22:13

Thanks Ynze and Mark for the links to the documentation. I will definitely be looking into Jhoose Security Admin. This is great.

#288950
Oct 10, 2022 14:59