Web security module
Overview
Sitefinity CMS has an out-of-the-box Web security module that you can use to configure HTTP security headers, redirect validation, and referrer validation. This way you protect your Sitefinity CMS sites against attacks.
There are various types of attacks that you can prevent – for example, cross-site scripting (XSS), clickjacking, code injection, stealing or modifying data in transit (man-in-the-middle attacks), or content sniffing. The HTTP protocol defines headers that all modern browsers understand and use to protect user or site data. Additionally, the built-in redirect and referrer validation mechanisms add further protection against Open Redirect and Cross-site Request Forgery types of attacks.
Sitefinity CMS adds another layer of protection to your site. The system sends HTTP headers to configure web clients (browsers) and turn on their built-in security features. The system also screens for any redirects and web service calls to unvalidated domains.
The site administrators are responsible for security. You should configure your site in such a way that no other role, such as author, content editor, designer, or frontend user, is able to add a reference to an external resource without the administrator's explicit permission. The administrator should be able to configure the upgrade of the transport layer security, the prevention of clickjacking attacks, XSS protection, and more. Only administrators should be able to turn off the Web security module or its features.
How it works
When you activate the Web security module, a set of HTTP security headers is turned on and sent with each successful response to utilize the browser's built-in security features.
If you have already configured the same HTTP response headers, for example in your web.config file, or have enforced them with code in the response, Sitefinity CMS does not modify them or append them a second time. In this case, the Web security module configuration for this header is ignored.
For Open Redirect protection, if the Web security module detects that an attacker is attempting to inject a redirection to a domain that is not configured as trusted, it intercepts the attempt and displays a warning screen.
To prevent CSRF attacks, the Web security module introduces a whitelist of domains from which external requests to the website can originate. This way, any calls to your website services that originate from domains other than the ones configured in the Referrer validation whitelist are blocked. In addition, Sitefinity CMS utilizes token-based protection as well as an explicit SameSite cookie policy set to Lax for all authentication cookies. It also validates the presence of a custom header for all cross-site requests to built-in web service routes when cookies are used for authentication. The custom header must be named X-Requested-With and may carry any value.
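The redirect check and the referrer-whitelist plus X-Requested-With rule described in the two paragraphs above, modelled in Python as an added illustration (this is not Sitefinity's own code). The site host, trusted domains, whitelist entries and cookie name are constructed sample values, and treating a request with neither an Origin nor a Referer header as an unknown domain is an assumption made here.

```python
from urllib.parse import urlsplit

# Constructed sample configuration: hypothetical names, not Sitefinity settings.
SITE_HOST = "www.example.com"
TRUSTED_REDIRECT_DOMAINS = {"www.example.com", "sso.example.com"}
REFERRER_WHITELIST = {"www.example.com", "partner.example.org"}
AUTH_COOKIE_NAMES = {".ASPXAUTH"}  # placeholder name for the authentication cookie

def host_of(url):
    """Lowercase host of an absolute URL, or None for relative or empty URLs."""
    if not url:
        return None
    # Browsers treat '/\host' like '//host', so normalise before parsing.
    host = urlsplit(url.replace("\\", "/")).hostname
    return host.lower() if host else None

def redirect_allowed(target, trusted=TRUSTED_REDIRECT_DOMAINS):
    """Open Redirect check: site-relative targets pass, absolute ones must be trusted."""
    scheme = urlsplit(target.replace("\\", "/")).scheme.lower()
    if scheme not in ("", "http", "https"):
        return False  # javascript:, data: and similar targets are never followed
    host = host_of(target)
    return host is None or host in trusted

def service_request_allowed(req, whitelist=REFERRER_WHITELIST):
    """Referrer validation plus the X-Requested-With rule for a built-in service route.
    req = {"headers": {lowercase header name: value}, "cookies": {name: value}}.
    Returns (allowed, reason)."""
    headers = req["headers"]
    source = host_of(headers.get("origin")) or host_of(headers.get("referer"))
    if source == SITE_HOST:
        return True, "same-site request"
    if source is None or source not in whitelist:
        # Assumption: no Origin/Referer at all is treated as an unknown domain.
        return False, "source domain not in referrer whitelist"
    uses_cookie_auth = any(name in req["cookies"] for name in AUTH_COOKIE_NAMES)
    if uses_cookie_auth and "x-requested-with" not in headers:
        return False, "cross-site cookie-authenticated call lacks X-Requested-With"
    return True, "whitelisted cross-site call"

if __name__ == "__main__":
    # Constructed sample: cross-site call from a whitelisted partner using the auth cookie.
    call = {"headers": {"origin": "https://partner.example.org"}, "cookies": {".ASPXAUTH": "t"}}
    print(service_request_allowed(call))            # (False, ...): custom header missing
    call["headers"]["x-requested-with"] = "XMLHttpRequest"
    print(service_request_allowed(call))            # (True, 'whitelisted cross-site call')
    print(redirect_allowed("/\\evil.example.net"))  # False: backslash open-redirect trick
```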
In addition, the Sitefinity CMS Web security module enables you to configure cookie protection, which lets you define a minimum security policy for all website cookies.