- Open your webconfig and place the following code after the <system.webServer> section.
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<!-- Protects against Clickjacking attacks. -->
<add name="X-Frame-Options" value="sameorigin" />
<!-- Protects against Clickjacking attacks. -->
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
<!-- Protects against XSS injections. -->
<add name="X-XSS-Protection" value="1; mode=block" />
<!-- Protects against MIME-type confusion attack. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- CSP modern XSS directive-based defence.-->
<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com www.google.com *.google-analytics.com apis.google.com connect.facebook.net ajax.aspnetcdn.com https://www.youtube.com platform.twitter.com https://syndication.twitter.com/ https://s.ytimg.com https://publish.twitter.com *.twimg.com platform.linkedin.com http://platform.stumbleupon.com/1/widgets.js https://cdn.insight.sitefinity.com https://dec.azureedge.net/ munchkin.marketo.net *.eloqua.com js.hs-scripts.com js.hs-analytics.net *.en25.com cdn.ampproject.org code.jquery.com kendo.cdn.telerik.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com netdna.bootstrapcdn.com kendo.cdn.telerik.com www.google.com https://cdn.insight.sitefinity.com https://dec.azureedge.net platform.twitter.com/css/ *.twimg.com; font-src 'self' fonts.gstatic.com kendo.cdn.telerik.com netdna.bootstrapcdn.com data:; img-src 'self' *.gstatic.com *.googleapis.com *.google-analytics.com platform.tumblr.com web.facebook.com www.facebook.com https://delicious.com www.redditstatic.com www.linkedin.com i.ytimg.com https://syndication.twitter.com https://static.licdn.com/scds/common/u/images/apps/connect/sprites/sprite_connect_v14.png https://dec.azureedge.net https://*.insight.sitefinity.com https://*.dec.sitefinity.com pbs.twimg.com platform.twitter.com/css/ *.twimg.com data: blob: *.eloqua.com track.hubspot.com; media-src 'self' data: blob:; child-src 'self' https://platform.twitter.com/ https://syndication.twitter.com/ https://www.youtube.com/ https://www.youtube-nocookie.com https://player.vimeo.com/ https://w.soundcloud.com/ apis.google.com accounts.google.com staticxx.facebook.com www.facebook.com web.facebook.com badge.stumbleupon.com; connect-src 'self' accounts.google.com https://*.insight.sitefinity.com https://*.dec.sitefinity.com *.mktoresp.com *.google-analytics.com *.gstatic.com https://app.powerbi.com;" />
<add name="Referrer-Policy" value="same-origin" />
<!-- Enable CORS in Sitefinity.-->
<add name="Access-Control-Allow-Origin" value="https://{domain}" /> <!--Single domain or * (all)-->
</customHeaders>
</httpProtocol>
</system.webServer>
- Save it and build your project.
- Your Sitefinity project now has the Content-Security-Policy set up.