search

Content Content Security Policy (CSP)

Implement a Content Security Policy (CSP) to protect your Umbraco site from XSS and data injection.

This check verifies if your site has a Content Security Policy (CSP) header to defend against Cross-Site Scripting (XSS) and data injection attacks.

hashtag
How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferable you use a security library like NWebSecarrow-up-right.

hashtag
Adding a Content Security Policy (CSP) using NWebSec

If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/arrow-up-right, you can use third extension methods on IApplicationBuilder.

...
WebApplication app = builder.Build();
app.UseCsp(options => options
    .ImageSources(s => s
        .Self()
        .CustomSources(
            "our.umbraco.com data:",
            "dashboard.umbraco.com"))
    .DefaultSources(s => s
        .Self()
        .CustomSources(
            "our.umbraco.com",
            "marketplace.umbraco.com"))
    .ScriptSources(s => s
        .Self())
    .StyleSources(s => s
        .Self())
    .FontSources(s => s
        .Self())
    .ConnectSources(s => s
        .Self())
    .FrameSources(s => s
        .Self()));

hashtag
Adding a Content Security Policy (CSP) using manual middleware

Avoid third-party library dependencies by using custom middleware added to the request pipeline as shown below.

PreviousClick-Jacking ProtectionNextContent/MIME Sniffing Protection

Last updated

Was this helpful?