RECOMMENDATION: If you are using a version of The Portal Connector higher than 4.0, we strongly recommend using the MVC-based widgets and components to build your site. This documentation is kept for legacy purposes only and will soon be deprecated.

Configure Predefined Security Policies and HTTP Response Headers

PLEASE NOTE: These instructions apply to Sitefinity Standard versions without the Web Security Module. For all other versions, follow the steps to Add Web Security - Trusted Sources.
  1. Open your web.config and place the following code after the <system.webServer> section.
  2. <system.webServer>
       <httpProtocol>
         <customHeaders>
           <!-- Stop disclosing the framework version in responses. -->
           <remove name="X-Powered-By" />

           <!-- Protects against Clickjacking attacks. -->
           <add name="X-Frame-Options" value="sameorigin" />

           <!-- Forces browsers to use HTTPS for one year, including subdomains. -->
           <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

           <!-- Protects against XSS injections. -->
           <add name="X-XSS-Protection" value="1; mode=block" />

           <!-- Protects against MIME-type confusion attacks. -->
           <add name="X-Content-Type-Options" value="nosniff" />

           <!-- Content Security Policy: modern, directive-based XSS defence. -->
           <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' * * * * * *; style-src 'self' 'unsafe-inline' * * *; font-src 'self' data:; img-src 'self' * * * https://* https://* * data: blob: *; media-src 'self' data: blob:; child-src 'self'; connect-src 'self' https://* https://* * * *;" />

           <add name="Referrer-Policy" value="same-origin" />

           <!-- Enable CORS in Sitefinity. -->
           <add name="Access-Control-Allow-Origin" value="https://{domain}" />  <!-- Single domain or * (all) -->
         </customHeaders>
       </httpProtocol>
     </system.webServer>
  3. Save it and build your project.
  4. Your Sitefinity project now has the Content-Security-Policy set up.
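To confirm the headers are actually being emitted, and to see how much of the protection the CSP above gives back through its wildcard and 'unsafe-*' sources, the following offline audit is an added example, not Portal Connector or Sitefinity code. The header values are constructed from the snippet on this page (a single '*' stands in for the page's wildcard entries, and https://{domain} is the page's own placeholder); replace SAMPLE_HEADERS with headers captured from your deployment.

```python
import re

# Constructed sample of the headers IIS emits once the customHeaders block is active
# (single '*' stands in for the wildcard entries in the page's policy).
SAMPLE_HEADERS = {
    "X-Frame-Options": "sameorigin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
                               "style-src 'self' 'unsafe-inline'; img-src 'self' https://* data: blob:",
    "Referrer-Policy": "same-origin",
    "Access-Control-Allow-Origin": "https://{domain}",  # placeholder taken from the page
}

REQUIRED = ("x-frame-options", "strict-transport-security", "x-content-type-options",
            "content-security-policy", "referrer-policy")
# Sources that let any origin (or inline code) load, defeating the directive they appear in.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "http://*", "https://*"}

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {name}" for name in REQUIRED if name not in h]
    if "x-powered-by" in h:
        findings.append("X-Powered-By is still disclosed")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < 31536000:
        findings.append("HSTS max-age is below one year")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin permits every origin")
    for directive, sources in parse_csp(h.get("content-security-policy", "")).items():
        weak = sorted(WEAK_SOURCES & set(sources))
        if directive == "script-src" and "data:" in sources:
            weak.append("data:")  # data: URIs in script-src allow attacker-supplied scripts
        if weak:
            findings.append(f"CSP {directive} allows {' '.join(weak)}")
    return findings
```

Calling audit_headers(SAMPLE_HEADERS) reports the script-src, style-src and img-src wildcards; tightening those directives to named origins is what makes the CSP an effective XSS defence.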