This security policy applies exclusively to Next.js pages. The Sitefinity Next.js Renderer implements a trusted sources security policy out-of-the-box, which defines the value of the Content-Security-Policy (CSP) HTTP response header. This header controls the resources that the user agent can load, specifying the server origins and script endpoints for page resources. The CSP response header is a powerful tool that protects against cross-site attacks, such as clickjacking and Cross-Site Scripting (XSS). It helps safeguard your site by allowing only website services from whitelisted sources. The default CSP headers are registered in the next.config.js file. You can configure the Content-Security-Policy HTTP header by extending the cspHeader in next.config.js. Misconfiguration may block some resources from loading. If the header is used with the default, preconfigured value, it will block nearly all external resources, which may prevent pages from using external CSS, fonts, images, scripts, and other assets. If your site relies on external resources, you should whitelist all trusted domains in the header configuration for each respective resource type.
The CSP header is preconfigured to prevent loading resources from external sources. It has the following preconfigured directives:
It is the role of the administrator to whitelist any trusted external sources as secure.
IMPORTANT: Misconfiguration may block some resources from loading. If the header is turned on with the default, preconfigured value, it blocks almost every external resource from loading, which may prevent pages from using external CSS, fonts, images, scripts, etc. If your site uses external resources, you should allow all trusted domains in the header configuration for each respective resource type.
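The following is an added example of how a per-resource-type allow list can be merged into a restrictive base policy and wired into next.config.js; it is not the renderer's own code, and the base directives and the trusted domains are constructed assumptions, not the renderer's preconfigured values.

```javascript
// Added example (not the Sitefinity Next.js Renderer's own cspHeader code).
// The base policy below is an assumed restrictive default, not the renderer's
// real preconfigured directives.
const baseDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"], // blocks framing by other sites (clickjacking)
  'object-src': ["'none'"],
};

// Trusted external origins per resource type (constructed sample values).
const trustedSources = {
  'script-src': ['https://cdn.example-analytics.com'],
  'style-src': ['https://fonts.googleapis.com'],
  'font-src': ['https://fonts.gstatic.com'],
  'img-src': ['https://images.example-cdn.com'],
};

// Accept only CSP keywords ('self', 'none'), schemes (data:) or https origins,
// so a stray wildcard or http origin cannot silently widen the policy.
function isValidSource(src) {
  return /^'[a-z-]+'$/.test(src) || /^[a-z]+:$/.test(src) || /^https:\/\/[^\s;,'"]+$/.test(src);
}

// Merge trusted sources into the base policy and serialise it as a CSP value.
function buildCsp(base, trusted) {
  const merged = {};
  for (const [directive, values] of Object.entries(base)) merged[directive] = [...values];
  for (const [directive, values] of Object.entries(trusted)) {
    if (!(directive in merged)) throw new Error(`Unknown CSP directive: ${directive}`);
    for (const src of values) {
      if (!isValidSource(src)) throw new Error(`Rejected CSP source: ${src}`);
      if (!merged[directive].includes(src)) merged[directive].push(src);
    }
  }
  return Object.entries(merged).map(([d, v]) => `${d} ${v.join(' ')}`).join('; ');
}

const cspHeader = buildCsp(baseDirectives, trustedSources);

// Next.js headers() hook: apply the policy to every route.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: [{ key: 'Content-Security-Policy', value: cspHeader }] }];
  },
};
if (typeof module !== 'undefined') module.exports = nextConfig;
```

Adding a new domain to `trustedSources` under the directive that matches its resource type is all that is needed; any other source shape is rejected at build time rather than shipped to browsers.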