Sitefinity 11 - Web Security Module

Progress has released Version 11 of their Sitefinity CMS. The highlights of this release include:

• New content editing experience
• Support for web security
• VSIX extension for Visual Studio
• Improved documentation
• MVC widgets by default
• .NET 4.7.1 and C# 7 support

Today we’re going to look at the new web security module. This new module leverages new technology in the latest browsers (Chrome, Firefox, Safari, Edge, etc) to add an extra layer of security by sending out customized HTTP response headers. These are essentially messages from the Sitefinity server that help the web browser decide what content is valid and what content should be blocked. This helps to protect your website and user data from malicious attacks like injection or cross site scripting.

There are seven sets of security response headers that are included with Sitefinity 11:

• Content-Security-Policy - This header controls the URL locations of trusted resources. If a user inadvertently adds content to your website from an untrusted source, it will be blocked on a modern browser protecting both your site and the web visitor. Additionally, if a hacker manages to inject some code into one of your pages that refers visitors to an untrusted source, it will be blocked. System administrators can manage the white-list of trusted sources directly in the /Sitefinity backend.
  
  
• Public-Key-Pins - This prevents "man-in-the-middle" certificate attacks by informing the browser to link a public cryptographic key with a specific web server. This module requires additional configuration (such as loading in the public keys) so it is not enabled by default.
  
  
• Strict-Transport-Security - This header tells the browser to transmit all information over HTTPS and it will even convert HTTP requests into HTTPS as long as there was a previous connection to the server using a valid SSL certificate.
  
  
• X-Content-Type-Options - This enforces the application of MIME types to specific content on the page and prevents "sniffing" of content type (programs that will examine the actual bytes of the content to try and figure out whether an image is a .jpg or a .png for example). This prevents the transformation of a non-executable object (such as an image) into an executable one that could run malicious code.
  
  
• X-Frame-Options - This header prevents click-jacking attacks by telling the browser if the page is allowed to be rendered in a <frame>, <iframe> or <object> block.
  
  
• X-XSS-Protection - This header tells the browser to stop a page from loading when a reflected cross-site scripting (XSS) attack is detected. This is mostly for older browsers that don't yet support the Content-Security-Policy header.

To leverage this new module, it must be activiated in the /Sitefinity backend. It also requires a specific license to operate so you may need to check with your Sitefinity vendor to see if you are eligable to take advantage of it. Once enabled, some of the modules will require additional configuration before using them (for example: Public-Key-Pins). Click here to read Sitefinity's documentation on this module and how to use it.

Here is a  quick (5 minute) video that shows you how the new Web Security Module can protect your website and your users:

This new Web Security Module brings to bear some significant tools for web masters to use to protect their websites as well as their web visitors. Web security is a never ending battle, but as browser and server technologies improve, the web surfing experience for end users continually gets better.

You can learn more through the Progress Sitefinity Version notes here.