  • Nevena Nikolic 5 posts 25 karma points
    Sep 29, 2017 @ 09:02
    Nevena Nikolic
    0

    Hello everyone,

    we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.

    Also, an issue that I faced is that if I try putting a hash value I always get a "new one"; it looks like the script is "generated" on the fly, or there are 10+ scripts that are printed and executed inline.

    Is there any easy workaround for this issue that we are facing?

    Kind Regards

  • Sebastiaan Janssen 4847 posts 14391 karma points MVP admin hq
    Sep 30, 2017 @ 10:06
    Sebastiaan Janssen
    2

    I wrote about this in depth here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/

    Basically you need to ignore umbraco paths like so:

     <location path="umbraco">
      <!-- Applies only to requests under /umbraco, overriding the site-wide headers -->
      <system.webServer>
       <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
       <httpProtocol>
        <customHeaders>
         <remove name="X-Frame-Options" />
         <add name="X-Frame-Options" value="SAMEORIGIN" />
         <remove name="Content-Security-Policy" />
         <!-- The back office needs inline scripts and eval; keep this relaxation scoped to this path -->
         <add name="Content-Security-Policy" value="default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';" />
        </customHeaders>
       </httpProtocol>
      </system.webServer>
     </location>
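
    As an added example (not code from the thread or from Umbraco), the Python script below shows why the hash approach from the question fails for per-request inline scripts and why the path-scoped policy above admits them: it parses the back office CSP quoted in the reply, computes CSP sha256 hash-sources, and evaluates a script body against each policy. STRICT_SITE_CSP, STATIC_SCRIPT and generated_script are hypothetical constructs for illustration.

```python
import base64
import hashlib
# Back office policy quoted in Sebastiaan's reply above.
BACKOFFICE_CSP = (
    "default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com "
    "packages.umbraco.org our.umbraco.org;"
    "script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';"
    "img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';"
)

def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; empty segments are skipped."""
    policy = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_hash(source):
    """CSP hash-source for an inline script: SHA-256 over the exact body, base64."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_allowed(policy, source):
    """Would this inline script body run? script-src falls back to default-src,
    and browsers ignore 'unsafe-inline' once a nonce or hash source is present."""
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return script_hash(source) in sources

def generated_script(request_id):
    """Constructed stand-in for an inline script whose body differs per request."""
    return "window.umbRequestId = '" + request_id + "';"

STATIC_SCRIPT = "console.log('hello');"
# Hypothetical strict site-wide policy that allows one fixed inline script by hash.
STRICT_SITE_CSP = "default-src 'self'; script-src 'self' " + script_hash(STATIC_SCRIPT)

def demo():
    """Compare the strict site policy with the relaxed back office policy."""
    strict, backoffice = parse_csp(STRICT_SITE_CSP), parse_csp(BACKOFFICE_CSP)
    return {
        "static_under_strict": inline_script_allowed(strict, STATIC_SCRIPT),
        "generated_under_strict": inline_script_allowed(strict, generated_script("a1")),
        "generated_under_backoffice": inline_script_allowed(backoffice, generated_script("a1")),
        "hash_changes_per_request": script_hash(generated_script("a1")) != script_hash(generated_script("b2")),
    }
```

    Running demo() shows the fixed script passing the strict policy, the per-request script failing it (its hash differs on every response), and the same script passing only under the back office policy that the location element scopes to /umbraco.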
    
  • Gary 77 posts 354 karma points
    24 days ago
    Gary
    0

    Hi Sebastiaan,

    Do you have an updated link? It seems that the link now goes to default Umbraco installation screen.

    Thank you :)

    Kind Regards,

    Gary

  • Nevena Nikolic 5 posts 25 karma points
    Oct 03, 2017 @ 13:05
    Nevena Nikolic
    0

    Hi Sebastiaan,

    this worked thank you a lot!
