Configure Predefined Security Policies and HTTP Response Headers

PLEASE NOTE: These instructions apply to Sitefinity Standard versions without the Web Security Module. For all other versions, follow the steps to Add Web Security - Trusted Sources.
  1. Open your web.config.
  2. Add the following code to the <system.webServer> section (the enclosing element is shown so you can see where the <httpProtocol> block belongs):

     <system.webServer>
       <httpProtocol>
         <customHeaders>
           <remove name="X-Powered-By" />
           <!-- Protects against Clickjacking attacks. -->
           <add name="X-Frame-Options" value="sameorigin" />
           <!-- Enforces HTTPS for the site and its subdomains (HSTS). -->
           <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
           <!-- Protects against XSS injections. -->
           <add name="X-XSS-Protection" value="1; mode=block" />
           <!-- Protects against MIME-type confusion attacks. -->
           <add name="X-Content-Type-Options" value="nosniff" />
           <!-- CSP: modern directive-based XSS defence. -->
           <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com www.google.com *.google-analytics.com apis.google.com connect.facebook.net ajax.aspnetcdn.com https://www.youtube.com platform.twitter.com https://syndication.twitter.com/ https://s.ytimg.com https://publish.twitter.com *.twimg.com platform.linkedin.com http://platform.stumbleupon.com/1/widgets.js https://cdn.insight.sitefinity.com https://dec.azureedge.net/ munchkin.marketo.net *.eloqua.com js.hs-scripts.com js.hs-analytics.net *.en25.com cdn.ampproject.org code.jquery.com kendo.cdn.telerik.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com netdna.bootstrapcdn.com kendo.cdn.telerik.com www.google.com https://cdn.insight.sitefinity.com https://dec.azureedge.net platform.twitter.com/css/ *.twimg.com; font-src 'self' fonts.gstatic.com kendo.cdn.telerik.com netdna.bootstrapcdn.com data:; img-src 'self' *.gstatic.com *.googleapis.com *.google-analytics.com platform.tumblr.com web.facebook.com www.facebook.com https://delicious.com www.redditstatic.com www.linkedin.com i.ytimg.com https://syndication.twitter.com https://static.licdn.com/scds/common/u/images/apps/connect/sprites/sprite_connect_v14.png https://dec.azureedge.net https://*.insight.sitefinity.com https://*.dec.sitefinity.com pbs.twimg.com platform.twitter.com/css/ *.twimg.com data: blob: *.eloqua.com track.hubspot.com; media-src 'self' data: blob:; child-src 'self' https://platform.twitter.com/ https://syndication.twitter.com/ https://www.youtube.com/ https://www.youtube-nocookie.com https://player.vimeo.com/ https://w.soundcloud.com/ apis.google.com accounts.google.com staticxx.facebook.com www.facebook.com web.facebook.com badge.stumbleupon.com; connect-src 'self' accounts.google.com https://*.insight.sitefinity.com https://*.dec.sitefinity.com *.mktoresp.com *.google-analytics.com *.gstatic.com https://app.powerbi.com;" />
           <add name="Referrer-Policy" value="same-origin" />
           <!-- Enable CORS in Sitefinity. -->
           <add name="Access-Control-Allow-Origin" value="https://{domain}" /> <!-- Single domain or * (all) -->
         </customHeaders>
       </httpProtocol>
     </system.webServer>

  3. Save it and build your project.
  4. Your Sitefinity project now has the Content-Security-Policy set up.
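Before building, it is worth checking the edited web.config the way a reviewer would: that the XML still parses (a missing closing quote on a value= attribute stops IIS from loading the site at all), that every header from the steps above is present, and which Content-Security-Policy source expressions weaken the policy. The script below is an added example written for this page, not Sitefinity's own tooling or code. The sample web.config and the malformed snippet it checks are constructed (the sample uses a short CSP with the same kinds of source expressions as the full policy above), and EXPECTED_HEADERS is my own list of the headers the procedure adds.

```python
"""Audit the customHeaders block of an ASP.NET web.config before deploying it:
well-formedness, presence of the expected security headers, and CSP source
expressions that weaken its XSS protection."""
import xml.etree.ElementTree as ET

# Constructed sample (not the page's full policy): a trimmed customHeaders block.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="sameorigin" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com http://platform.stumbleupon.com/1/widgets.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:" />
        <add name="Referrer-Policy" value="same-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Constructed: the same <add> element with the closing quote of value= missing.
MALFORMED_SNIPPET = """<customHeaders>
  <add name="Content-Security-Policy" value="default-src 'self';/>
</customHeaders>
"""

# Assumption: the headers the procedure on this page is expected to add.
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
)

def is_well_formed(xml_text: str) -> bool:
    """True if the XML parses; False on any syntax error such as a missing quote."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True

def load_custom_headers(web_config_xml: str) -> dict:
    """Return {header name: value} for every <add> under a <customHeaders> element."""
    root = ET.fromstring(web_config_xml)
    headers = {}
    for custom in root.iter("customHeaders"):
        for add in custom.findall("add"):
            headers[add.get("name")] = add.get("value", "")
    return headers

def missing_headers(headers: dict) -> list:
    """Expected header names absent from `headers` (compared case-insensitively).
    Works on the dict from load_custom_headers or on a live response's headers."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

def parse_csp(policy: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_findings(policy: str) -> list:
    """Source expressions that weaken the policy, as human-readable findings."""
    findings = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{directive}: {src} permits inline or eval'd code")
            elif src == "*":
                findings.append(f"{directive}: wildcard source permits any origin")
            elif src.startswith("http://"):
                findings.append(f"{directive}: {src} is fetched over plain HTTP")
    return findings

def audit(web_config_xml: str) -> dict:
    """Run all checks; returns {'well_formed': bool, 'missing': [...], 'csp': [...]}."""
    if not is_well_formed(web_config_xml):
        return {"well_formed": False, "missing": [], "csp": []}
    headers = load_custom_headers(web_config_xml)
    return {
        "well_formed": True,
        "missing": missing_headers(headers),
        "csp": csp_findings(headers.get("Content-Security-Policy", "")),
    }

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WEB_CONFIG), ("malformed", MALFORMED_SNIPPET)):
        report = audit(text)
        print(f"[{label}] well-formed: {report['well_formed']}")
        for line in report["missing"]:
            print(f"[{label}] MISSING header: {line}")
        for line in report["csp"]:
            print(f"[{label}] CSP: {line}")
```

Run it against your real web.config by passing the file's contents to audit(). The CSP findings are informational: the policy above keeps 'unsafe-inline' and 'unsafe-eval' in script-src for compatibility with the listed third-party widgets, and the audit simply makes that trade-off visible so it is a deliberate choice rather than an oversight. After deployment, missing_headers() can be fed the header dict of a live HTTP response to confirm IIS is actually emitting what the config declares.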