Response headers allow list API

The response headers allow list API makes it possible to add domains to the Content-Security-Policy and Permissions-Policy headers and alter the value of the Cross-Origin headers while developing modules.

The API works only with Sitefinity CMS modules and static blob storage providers that implement the IHttpSecurityHeadersProvider interface.

The interface exposes the GetHeaders method, which returns the list of headers the module contributes.

For Content-Security-Policy and Permissions-Policy, the API only lets you add new domains to the existing directives. For Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, the API can only override the header value, and only when the value you introduce is less strict than the one configured in the project.

Sample implementation

This is a sample implementation of the API, shown without the context of the module that incorporates it.

```csharp
using System.Collections.Generic;
using Telerik.Sitefinity.Security.HttpSecurityHeaders;
using Telerik.Sitefinity.Security.HttpSecurityHeaders.HttpHeaderValues;

namespace SitefinityWebAPP
{
    /// <summary>
    /// Only Sitefinity modules and static blob storage providers implementing the interface will be taken into account.
    /// </summary>
    public class CustomModule : IHttpSecurityHeadersProvider
    {
        /// <summary>
        /// Gets a collection of the security headers required by the module.
        /// </summary>
        /// <param name="httpSecurityHeadersFactory">Factory used to create the header instances this module contributes.</param>
        /// <returns>The collection of headers</returns>
        public IEnumerable<IHttpSecurityHeader> GetHeaders(HttpSecurityHeadersFactory httpSecurityHeadersFactory)
        {
            var headers = new List<IHttpSecurityHeader>();

            // Content-Security-Policy domains will be added to the existing CSP header.
            var contentSecurityPolicy = httpSecurityHeadersFactory.CreateContentSecurityPolicyHeader();
            contentSecurityPolicy.AddHeaderValues("default-src", "custom-domain.com");
            contentSecurityPolicy.AddHeaderValues("script-src", "custom-cdn.com", "*.another-cdn.com");
            headers.Add(contentSecurityPolicy);

            // Permissions-Policy values will be added to the existing Permissions-Policy header.
            // * will override the values of the directive it's passed to.
            var permissionsPolicy = httpSecurityHeadersFactory.CreatePermissionsPolicyHeader();
            permissionsPolicy.AddHeaderValues("autoplay", "*");
            permissionsPolicy.AddHeaderValues("camera", "custom-domain.com");
            headers.Add(permissionsPolicy);

            // Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy
            // can only be overridden by a less strict value.
            var crossOriginEmbedderPolicy = httpSecurityHeadersFactory.CreateCrossOriginEmbedderPolicyHeader();
            crossOriginEmbedderPolicy.Value = CrossOriginEmbedderPolicyValues.UnsafeNone;
            headers.Add(crossOriginEmbedderPolicy);

            return headers;
        }
    }
}
```
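Because the API merges a module's entries into headers the project already configures, it is worth checking the headers the site actually sends. The following Python script is an added example, not part of this article or of Sitefinity; it parses constructed sample Content-Security-Policy, Permissions-Policy and Cross-Origin-Embedder-Policy header values (the shape the module above would produce) and reports expected domains that did not make it into the merged directive, as well as the relaxations the module introduces (a `*` Permissions-Policy allowlist and a COEP of `unsafe-none`).

```python
# Constructed sample response headers, modelled on what the module above
# contributes; they are not captured from a real Sitefinity site.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self' custom-domain.com; "
        "script-src 'self' custom-cdn.com *.another-cdn.com; "
        "object-src 'none'"
    ),
    "Permissions-Policy": 'autoplay=*, camera=(self "https://custom-domain.com")',
    "Cross-Origin-Embedder-Policy": "unsafe-none",
}


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def parse_permissions_policy(value):
    """Map each Permissions-Policy feature to its allowlist (simplified grammar)."""
    policy = {}
    for item in value.split(","):
        feature, _, allow = item.strip().partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            policy[feature] = allow[1:-1].replace('"', "").split()
        else:
            policy[feature] = [allow]
    return policy


def audit(headers, expected_csp):
    """Return findings: expected CSP sources that are missing, plus policy relaxations."""
    findings = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    for directive, sources in expected_csp.items():
        present = csp.get(directive, [])
        missing = [s for s in sources if s not in present]
        if missing:
            findings.append(f"CSP {directive} missing {missing}")
        if "*" in present:
            findings.append(f"CSP {directive} allows any origin")
    for feature, allow in parse_permissions_policy(headers.get("Permissions-Policy", "")).items():
        if "*" in allow:
            findings.append(f"Permissions-Policy {feature} opened to all origins")
    if headers.get("Cross-Origin-Embedder-Policy", "").lower() == "unsafe-none":
        findings.append("COEP relaxed to unsafe-none")
    return findings
```

Run `audit` against the headers captured from a page served by the module, passing the domains the module is expected to have added; an empty result means the merge happened and nothing was opened wider than intended.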
