IMPORTANT: This version of Sitefinity CMS is out of support and the respective product documentation is no longer maintained and can be outdated. Use the version selector to view a supported product version.
Sitefinity CMS has an out-of-the-box Web security module that you can use to configure HTTP security headers and to protect your Sitefinity CMS sites against attacks.
There are various types of attacks that you can prevent – cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle), and content sniffing. The HTTP protocol defines response headers that all modern browsers understand and use to protect user and site data.
Sitefinity CMS adds another layer of protection to your site: the system sends HTTP headers that configure web clients (browsers) and turn on their built-in security features.
Site administrators are responsible for security. Configure your site so that no other role, such as author, content editor, designer, or frontend user, can add a reference to an external resource without the administrator's explicit permission. The administrator should be able to configure the transport layer security upgrade, clickjacking prevention, XSS protection, and more. Only administrators should be able to turn off the Web security module or its features.
When you activate the Web security module, a set of HTTP security headers is turned on and sent with each successful response, so that the browser's built-in security features are used.
If you have already configured one of these HTTP response headers elsewhere, for example in your web.config or in code that writes to the response, Sitefinity CMS neither modifies it nor appends it a second time. In that case, the Web security module configuration for that header is ignored.
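As an added example (not Sitefinity code or configuration), the following Python models the two behaviours described above: each browser protection named in this article mapped to the standard response header that enables it, and the precedence rule that a header already present on the response is left alone rather than overwritten or appended a second time. The header names and values, the sample response, and the module configuration are constructed for illustration; which headers the Sitefinity module actually emits is set in its configuration and is not listed on this page.

```python
"""Audit HTTP security headers and model the "existing header wins" merge rule.

Added example, not Sitefinity code. PROTECTIONS maps each protection named in
the article to the standard response header(s) that turn it on in the browser
(an assumption about the module; the page does not list its headers).
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (name, value) as the pair appears on the wire

# Constructed mapping. Each option is (header name, substring the value must
# contain); an empty substring means any value counts. A Content-Security-Policy
# only prevents framing when it carries a frame-ancestors directive, so that
# directive is required for the clickjacking check.
PROTECTIONS: Dict[str, List[Tuple[str, str]]] = {
    "transport upgrade (man-in-the-middle)": [("strict-transport-security", "")],
    "clickjacking": [("x-frame-options", ""), ("content-security-policy", "frame-ancestors")],
    "xss / code injection": [("content-security-policy", "")],
    "content sniffing": [("x-content-type-options", "nosniff")],
}

# Constructed: a response on which web.config already set X-Frame-Options.
RESPONSE_FROM_WEB_CONFIG: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
]

# Constructed: values a hypothetical Web security module configuration would send.
MODULE_CONFIG: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def has_header(headers: List[Header], name: str) -> bool:
    """Header names are case-insensitive in HTTP, so compare them lower-cased."""
    return any(n.lower() == name.lower() for n, _ in headers)


def apply_module_headers(headers: List[Header], module_config: Dict[str, str]) -> List[Header]:
    """Append a configured header only when the response does not carry it yet.

    A header already set elsewhere (web.config, code) keeps its value and the
    module's value for that header is ignored; nothing is appended twice.
    """
    merged = list(headers)
    for name, value in module_config.items():
        if not has_header(merged, name):
            merged.append((name, value))
    return merged


def audit(headers: List[Header]) -> Dict[str, List[str]]:
    """Report protections with no enabling header and header names sent more than once."""
    lowered = [(n.lower(), v) for n, v in headers]
    missing = [
        protection
        for protection, options in PROTECTIONS.items()
        if not any(
            n == want and needle.lower() in v.lower()
            for n, v in lowered
            for want, needle in options
        )
    ]
    counts: Dict[str, int] = {}
    for n, _ in lowered:
        counts[n] = counts.get(n, 0) + 1
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return {"missing": missing, "duplicated": duplicated}


if __name__ == "__main__":
    print("before module:", audit(RESPONSE_FROM_WEB_CONFIG))
    merged = apply_module_headers(RESPONSE_FROM_WEB_CONFIG, MODULE_CONFIG)
    for name, value in merged:
        print(f"{name}: {value}")
    print("after module: ", audit(merged))
```

Run directly, the script shows the three protections missing from the constructed response, then the merged header set in which `X-Frame-Options` keeps the `DENY` value from web.config while the other configured headers are added once each. The same `audit` function can be run over headers captured from a response of a site you operate to confirm that no protection is missing and that no header is sent twice.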