
Add Content Security Policy headers for MvpSite and Sugcon2024 #589

Merged: robearlam merged 3 commits into main from feature/add-content-security-policy-headers on May 13, 2026

Conversation

@robearlam


Summary

Adds Content Security Policy (CSP) and supplementary security headers to both head applications.

MvpSite (ASP.NET Core)

  • Added CSP middleware in Program.cs with allowlisted domains for:
    • Scripts: jQuery, Bootstrap, Popper.js, anime.js, Google Analytics, Moosend tracking, W3C ARIA, Sitecore Edge
    • Styles: Bootstrap, Font Awesome, Google Fonts (Albert Sans, DM Sans)
    • Images: Google Analytics, Sitecore Edge, Content Hub CDN (delivery-sitecore.sitecorecontenthub.cloud)
    • Fonts: Google Fonts, Font Awesome (cdnjs)
    • Connections: Google Analytics, Moosend, Sitecore Edge
    • Frame ancestors: Sitecore Pages/XM Cloud (for editing support)

Sugcon2024 (Next.js)

  • Added headers() configuration in next.config.ts with allowlisted domains for:
    • Scripts: Google Analytics/Tag Manager, Sitecore Edge
    • Styles: Google Fonts (Open Sans, Mulish, Roboto), Font Awesome (cdnjs)
    • Images: Sitecore Edge/Cloud, *.sugcon.events, Google Analytics
    • Fonts: Google Fonts, Font Awesome (cdnjs)
    • Connections: Google Analytics, Sitecore Edge Platform
    • Frames: YouTube embeds
    • Frame ancestors: Sitecore Pages/XM Cloud (for editing support)

Supplementary Security Headers (both sites)

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

Notes

  • CSP domains were validated against the live sites (mvp.sitecore.com, *.sugcon.events)
  • 'unsafe-inline' and 'unsafe-eval' are required for existing inline scripts (Google Analytics, Moosend) and can be tightened with nonce-based CSP in a follow-up
  • object-src 'none' blocks legacy plugins per OWASP recommendations
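As an added example that is not part of this PR (the project's Program.cs and next.config.ts are not shown here), a small TypeScript helper that assembles a Sugcon2024-style policy from a directive map, emits the header set in the shape a next.config.ts headers() entry takes, and lints the result for the points the Notes above call out. The directive map mirrors the list in the description; hostnames other than the two the PR quotes (delivery-sitecore.sitecorecontenthub.cloud, *.sugcon.events) are assumed.

```typescript
// Added example (not the PR's code): CSP builder, header set and linter.
type Directives = { [name: string]: string[] };

// Modelled on the Sugcon2024 allowlist in the PR. Hostnames are assumed
// except the two the PR quotes (sitecorecontenthub.cloud, *.sugcon.events).
const sugconCsp: Directives = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'",
    "https://www.googletagmanager.com", "https://www.google-analytics.com",
    "https://edge.sitecorecloud.io"],
  "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "https://cdnjs.cloudflare.com"],
  "img-src": ["'self'", "data:", "https://edge.sitecorecloud.io", "https://*.sugcon.events", "https://www.google-analytics.com"],
  "font-src": ["'self'", "https://fonts.gstatic.com", "https://cdnjs.cloudflare.com"],
  "connect-src": ["'self'", "https://www.google-analytics.com", "https://edge.sitecorecloud.io"],
  "frame-src": ["https://www.youtube.com"],
  "frame-ancestors": ["'self'", "https://pages.sitecorecloud.io"],
  "object-src": ["'none'"],
};

// Serialise as "name v1 v2; name v1 ..." (directive order is preserved).
function buildCsp(d: Directives): string {
  return Object.keys(d).map(name => name + " " + d[name].join(" ")).join("; ");
}

// CSP plus the four supplementary headers from the PR, as {key, value} pairs.
function securityHeaders(d: Directives): { key: string; value: string }[] {
  return [
    { key: "Content-Security-Policy", value: buildCsp(d) },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "X-Frame-Options", value: "SAMEORIGIN" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
}

// Review checks: unsafe keywords in script-src (falls back to default-src),
// object-src not 'none', no frame-ancestors, and wildcard hosts.
function lintCsp(d: Directives): string[] {
  const issues: string[] = [];
  const scripts = d["script-src"] || d["default-src"] || [];
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scripts.indexOf(kw) !== -1) issues.push("script-src allows " + kw + "; move to a nonce or hash");
  }
  if ((d["object-src"] || []).indexOf("'none'") === -1) issues.push("object-src should be 'none'");
  if (!d["frame-ancestors"]) issues.push("frame-ancestors missing; X-Frame-Options alone is legacy");
  for (const name of Object.keys(d)) {
    if (d[name].some(v => v === "*" || v.indexOf("://*.") !== -1)) issues.push(name + " allows a wildcard host");
  }
  return issues;
}
```

Running lintCsp over the map above reports the two unsafe script keywords and the *.sugcon.events wildcard, which is the follow-up the Notes describe.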

robearlam added 2 commits May 13, 2026 11:08
- Add CSP middleware to MvpSite ASP.NET Core app with allowlisted domains
  for Bootstrap, jQuery, Font Awesome, Google Analytics, Moosend, Sitecore
  Edge, and Content Hub CDNs
- Add CSP headers to Sugcon2024 Next.js config with allowlisted domains
  for Google Analytics, Google Fonts, Font Awesome, YouTube embeds, and
  Sitecore Edge/XM Cloud
- Add supplementary security headers: X-Content-Type-Options, X-Frame-Options,
  Referrer-Policy, and Permissions-Policy for both sites
@robearlam robearlam merged commit da3808a into main May 13, 2026
14 checks passed
@robearlam robearlam deleted the feature/add-content-security-policy-headers branch May 13, 2026 22:33
2 participants