Content Content Security Policy (CSP)
Implement a Content Security Policy (CSP) to protect your Umbraco site from XSS and data injection.
This check verifies if your site has a Content Security Policy (CSP) header to defend against Cross-Site Scripting (XSS) and data injection attacks.
How to fix this health check
This health check can be fixed by adding a header before the response is started.
Preferable you use a security library like NWebSec.
Adding a Content Security Policy (CSP) using NWebSec
If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/, you can use third extension methods on IApplicationBuilder.
...
WebApplication app = builder.Build();
app.UseCsp(options => options
.ImageSources(s => s
.Self()
.CustomSources(
"our.umbraco.com data:",
"dashboard.umbraco.com"))
.DefaultSources(s => s
.Self()
.CustomSources(
"our.umbraco.com",
"marketplace.umbraco.com"))
.ScriptSources(s => s
.Self())
.StyleSources(s => s
.Self())
.FontSources(s => s
.Self())
.ConnectSources(s => s
.Self())
.FrameSources(s => s
.Self()));
Adding a Content Security Policy (CSP) using manual middleware
Avoid third-party library dependencies by using custom middleware added to the request pipeline as shown below.
app.Use(async (context, next) =>
{
context.Response.Headers.Append("Content-Security-Policy", "img-src 'self' our.umbraco.com data: dashboard.umbraco.com; default-src 'self' our.umbraco.com marketplace.umbraco.com; script-src 'self'; style-src 'unsafe-inline' 'self'; font-src 'self'; connect-src 'self'; frame-src 'self'; ");
await next();
});