Progress Sitefinity 11.0 is coming with a new Web Security Module that supports the configuration of HTTP response headers through the Administration section of your website's admin panel. I am very proud to say that Progress Sitefinity is the first CMS on the market to provide built-in support at that level, following the latest trends by using the browser's built-in capabilities to improve your website's security.
In a previous blog post (“7 Security Response Headers Your WCMS ..”) we discussed the top 7 HTTP response headers your CMS should be aware of. Please take a look at that post to learn more about why this is so important.
Getting Started – The Quick Version
Looking to learn about the Web Security Module through a quick tutorial? Here are two videos that capture the essence of it.
How does the module protect you?
In this video the Progress Sitefinity team explains how the module actually works and what happens when it is turned on.
How do you turn the module on smoothly?
When some of the headers are applied without fine-tuning, the module could block the loading of some resources. Watch this video to see the recommended technique for avoiding this, used in conjunction with the Sitefinity Diagnostic module.
How the Security Module Works – The Details
When you first enable the Web Security Module, most of the HTTP security headers are turned on and are sent with each successful response, so that the browser's built-in security features are used.
If the same HTTP response header has already been configured (e.g. in web.config) or has been set from code on the response, Sitefinity won't modify it or append it a second time. In that case Sitefinity's own configuration for that header is ignored.
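The "set only if absent" rule described above, modelled as an added example (this is not Sitefinity's code). The module configuration, the header values and the sample response headers are all constructed for illustration; the point is that an enabled header is appended only when the response does not already carry it, that the presence check is case-insensitive, and that a header already set in web.config or from code keeps its value.

```python
# Added example (not Sitefinity's code): a model of the "set only if absent" rule
# the post describes for the Web Security Module's response headers.
from typing import Dict, List, Tuple

# Assumed module configuration: header name -> (turned on?, value to send).
# The header values are illustrative, not Sitefinity's actual defaults.
MODULE_CONFIG: Dict[str, Tuple[bool, str]] = {
    "X-Frame-Options": (True, "SAMEORIGIN"),
    "X-Content-Type-Options": (True, "nosniff"),
    "Strict-Transport-Security": (True, "max-age=31536000"),
    "Content-Security-Policy": (False, "default-src 'self'"),  # turned off here
}

# Constructed response headers as they might look before the module runs:
# X-Frame-Options was already set elsewhere (e.g. in web.config), in lowercase
# to show that the presence check must be case-insensitive.
SAMPLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("x-frame-options", "DENY"),
]


def apply_security_headers(
    response_headers: List[Tuple[str, str]],
    config: Dict[str, Tuple[bool, str]] = MODULE_CONFIG,
    module_enabled: bool = True,
) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (headers, skipped).

    headers: the original headers plus every enabled security header that was
             not already present; nothing is modified or appended twice.
    skipped: enabled headers left untouched because the response already
             carried them (the module's configuration for them is ignored).
    """
    if not module_enabled:
        return list(response_headers), []

    # HTTP header names are case-insensitive, so compare lowercased names.
    already_present = {name.lower() for name, _ in response_headers}
    result = list(response_headers)
    skipped: List[str] = []

    for name, (turned_on, value) in config.items():
        if not turned_on:
            continue  # header disabled in the module configuration
        if name.lower() in already_present:
            skipped.append(name)  # set by web.config or code: leave as is
            continue
        result.append((name, value))
    return result, skipped


if __name__ == "__main__":
    headers, skipped = apply_security_headers(SAMPLE_RESPONSE_HEADERS)
    for name, value in headers:
        print(f"{name}: {value}")
    print("left untouched:", skipped)
```

Running the script prints the merged header list for the constructed response: X-Frame-Options keeps the DENY value set outside the module and is not duplicated, X-Content-Type-Options and Strict-Transport-Security are appended, and Content-Security-Policy is absent because it is turned off in the configuration.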
By default, new projects start with the Web Security Module turned on.
Upgraded sites, from versions lower than 11.0 to version 11.0 and up, will have the Web Security Module turned off by default. To use its features, activate the module by going to Administration -> Modules and Services -> Web Security and turning it on.
Warning: Turning on the Web Security Module (and thereby applying the security HTTP response headers) on a running site may cause some content to be blocked by the browser. You have to configure the restrictions for your site (e.g. which external sources are trusted, so that resources may be loaded from them).
The configuration part is straightforward: as usual, you can activate/deactivate the Web Security Module from Administration -> Modules and Services. Its configuration can be found in Administration -> Settings -> Advanced -> Web Security. All HTTP security response headers can be turned on/off together, and each security header can also be configured and turned on/off separately.
Although Sitefinity comes out of the box with many HTTP response headers preconfigured, the HTTP protocol and browsers evolve and there may be more headers in the future. The list should be extended as needed and the configurations kept up to date.
If other response headers need to be added, they can be set in the configuration.
Industry Info and Verification
To get additional information about recommendations for security headers, you can check out what OWASP (the Open Web Application Security Project) has to say here. Another list of HTTP security headers can be found on Mozilla's website (look at the security section).
To check if your website is following the latest and greatest practices, you can also scan your URL through securityheaders.io.
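A small local check of the same kind, as an added example (it is not Sitefinity's code and does not reproduce securityheaders.io's grading). The checklist of headers, the one-year HSTS threshold and the per-header "weak value" rules are assumptions of this example; the sample headers are constructed. Given a URL on the command line the script fetches the live response headers with a HEAD request, otherwise it audits the constructed sample.

```python
# Added example (not Sitefinity's code, and not securityheaders.io's scoring):
# a small audit of which recommended security response headers a response
# carries, runnable offline on a header dictionary or live against a URL.
import urllib.request
from typing import Dict, List, Mapping

# Assumed checklist: a subset of the headers commonly recommended; the exact
# list and grading used by securityheaders.io differ.
RECOMMENDED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
)

# Assumed threshold: one year is the value commonly recommended for HSTS.
MIN_HSTS_MAX_AGE = 31536000


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if missing or malformed."""
    for directive in value.split(";"):
        key, _, raw = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def is_strong(name: str, value: str) -> bool:
    """Rough per-header sanity checks; the rules are assumptions of this example."""
    n, v = name.lower(), value.strip().lower()
    if n == "strict-transport-security":
        return _hsts_max_age(v) >= MIN_HSTS_MAX_AGE
    if n == "x-frame-options":
        return v in ("deny", "sameorigin")
    if n == "x-content-type-options":
        return v == "nosniff"
    if n == "content-security-policy":
        return "'unsafe-inline'" not in v and "'unsafe-eval'" not in v
    if n == "referrer-policy":
        return v != "unsafe-url"
    return True


def audit_headers(headers: Mapping[str, str]) -> Dict[str, List[str]]:
    """Classify the checklist headers as present, missing, or weak (present but
    with a value the rules above consider too permissive)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    report: Dict[str, List[str]] = {"present": [], "missing": [], "weak": []}
    for name in RECOMMENDED_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            report["missing"].append(name)
            continue
        report["present"].append(name)
        if not is_strong(name, value):
            report["weak"].append(name)
    return report


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the response headers for a URL (network access required)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.getheaders())


# Constructed sample: HSTS present but short-lived, CSP and Referrer-Policy absent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for category, names in audit_headers(headers).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Some servers refuse HEAD requests; if a live check fails that way, change the method to GET. For the constructed sample the audit reports Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options as present, Content-Security-Policy and Referrer-Policy as missing, and Strict-Transport-Security as weak because its max-age is far below a year.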
Providing out of the box support for HTTP Response Headers is the first step of the Web Security Module development. Please let us know what you would like to see in it, so we can include it in our roadmap.