Sign in Register
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Nevena Nikolic 5 posts 25 karma points
    Sep 29, 2017 @ 09:02
    Nevena Nikolic
    0

    Content-Security-Policy

    Hello everyone,

    we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but i am having issues opening umbraco back office because it's trying to execute inline scripts.

    Also issue that i faced is that if i try putting hash value i always get "new one" it' looks like script is "generated" on the file, or there are 10+ scripts that are printed end executed inline.

    Is there any easy workaround for this issue that we are facing?

    Kind Regards

    Copy Link
  • Sebastiaan Janssen 4899 posts 14655 karma points MVP admin hq
    Sep 30, 2017 @ 10:06
    Sebastiaan Janssen
    2

    I wrote about this in depth here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/

    Basically you need to ignore umbraco paths like so:

     <location path="umbraco">
  <system.webServer>
   <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
   <httpProtocol>
    <customHeaders>
     <remove name="X-Frame-Options" />
     <add name="X-Frame-Options" value="SAMEORIGIN" />
     <remove name="Content-Security-Policy" />
     <add name="Content-Security-Policy" value="default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';" />
    </customHeaders>
   </httpProtocol> 
  </system.webServer>
 </location>
    Copy Link
  • Gary 78 posts 375 karma points
    Oct 28, 2019 @ 14:24
    Gary
    0

    Hi Sebastiaan,

    Do you have an updated link? It seems that the link now goes to default Umbraco installation screen.

    Thank you :)

    Kind Regards,

    Gary

    Copy Link
  • Nevena Nikolic 5 posts 25 karma points
    Oct 03, 2017 @ 13:05
    Nevena Nikolic
    0

    Hi Sebastiaan,

    this worked thank you a lot!

    Copy Link

  • This forum is in read-only mode while we transition to the new forum.

    You can continue this topic on the new forum by tapping the "Continue discussion" link below.

Please Sign in or register to post replies