Configure cookies protection

While browsing a website, various cookies get saved in your web browser. These cookies provide a convenient mechanism for temporary storing some settings, specific to you. For example, your preferred order of items in a list, theme, and so on. Some cookies contain more sensitive information - for example your authentication cookie, which helps you access protected resources once successfully logged in, without prompting you to enter your credentials every time. Even though such cookies store the information using some sort of encryption, there is still an ongoing concern about this information falling in someone else's hands.

A specific in the web browser behavior is that when you make a request, the browser sends all cookies for the domain along the request. Even under normal browsing circumstances it's quite hard to track which domains you make requests to (and send your cookies). An average page loads multiple resources, which might not come from the website domain, for example images, scripts, styles, 3rd party integrations and so on, thus the complexity of tracking what requests happen under the hood, and which domains receive your browser cookies.

Take the following example: You are logged in your website (www.mysitefinitysite.com) backend. In the same browser you open a new tab and do a web search that leads you to a malicious website. This website contains some client-side script that targets your website domain (www.mysitefinitysite.com), for example hidden between an innocent-looking button or popup action. The attacker aims at obtaining control over your website, for example by creating and admin user, retrieving sensitive data, or deleting data. When this malicious website executes the script, the browser sends all cookies it has stored for your domain, in this case including your authentication cookie for the other site you have open in the same browser. Since the authentication cookie is valid, your website will process the request, ultimately granting the attacker the same level of access as yours to your website backend. This security vulnerability is also known as Cross Site Request Forgery or simply CSRF.

The Sitefinity CMS Web Security module enables IT Administrators to configure a centralized mechanism that helps securing the website cookies, thus preventing the CSRF vulnerability.

By default, different cookies may have different level of protection - depending on the out of the box implementation, or the way they have been developed, in case of customizations. The Web Security module enables you to define a minimum security policy for all website cookies. In other words, when you configure your Sitefinity CMS website cookies protection mechanism, the settings are applied to all website cookies. Think of it this way - if a cookie already has a higher security policy implemented, it will be used, but if a cookie has lower security than the one configured in the Web Security module, the module security settings take precedence, thus actively securing your cookie.

To configure the cookies protection mechanism follow these steps:

1. In your Sitefinity CMS administrative backend, navigate to Administration » Settings » Advanced
2. Using the left-hand navigation, expand Web Security » CookiesProtector
3. On the next screen, configure the following options:
   1. Enable cookies protection - select this checkbox to activate the cookies protection. If the checkbox is not selected, this means the cookies protection is inactive. By default this setting is enabled for newly created projects with Sitefinity CMS versions 12.1 and later. For projects, upgraded to versions 12.1 and later, this option must be manually enabled.

      NOTE: When you manually enable this option, keep in mind that some of the cookies already issued by your website might have different expiration timeframes. Enabling or disabling the cookie protection mechanism does not result in invalidating all cookies expiration. If a cookie is still valid, it will take the new security settings only once it expires from the user's browser. To detect any undesired behavior when changing this setting, it is recommended that the IT administrator, making the change to clear all cookies from their web browser, so they can observe the effects of the changes right away.

   2. Skipped cookies - this textbox enables you to enter a comma-separated list of cookie names. All cookies listed here will be excluded from the security policies configured for the cookies protection mechanism. Usually these are cookies which you intentionally want to make available to other domains, for example tracking cookies, or in the case of shared functionality between several domains.
   3. HttpOnly - selecting this checkbox instructs the cookies to be sent only to HTTP requests. This way client-side script can no longer access the cookies
   4. Secure - this checkbox determines whether cookies can be made available over http://, if the site is configured to be served over https://. When the checkbox is checked, cookies are made available only over https://.
   5. SameSite - this dropdown determines whether cookies are made available to requests originating or leading to other domains. The available settings are:
      • Strict - this is the most aggressive security policy. When selected, it instructs your website cookies to be sent only to requests originating from your website domain only.

        NOTE: If you set the SameSite value to Strict, external authentication, such as Azure AD will not work.

      • Lax - this is the most balanced security policy. It makes cookies available to requests originating form other domains, only when the request type is GET. This is the default security policy.
      • None - this setting does not enforce any restrictions, and the default browser behavior applies - cookies are sent to all requests, no matter the domain they originate from.
4. Click Save changes.