Content Security Policy Module

Kentico Marketplace Module - Content Security Policy

The Content Security Policy Module allows a content security policy to be managed via the Kentico administration.  

A Content Security Policy is an HTTP header that tells the browser which resources are allowed on the page. It is an allowlist of permitted sources, defined per resource type (style, script, etc.).

Once installed, go to the Kentico Administration => Settings => Security => Content Security Policy to manage the settings.

By default, the settings are set to ‘report only’. In this mode, violations are recorded in the Content Security Policy Violation Reports application in Kentico. Browse the website while in this mode to build up a list of warnings, then use that list to update the content security policy to match the requirements of your website.
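The report-only workflow above comes down to grouping violations by directive and blocked origin. The following is an added example, not code from the module: it assumes the reports use the standard browser `csp-report` JSON shape (the module's stored format is not described on this page), and the sample reports and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample reports in the standard browser "csp-report" shape
# (assumed; the module's own storage format is not documented here).
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://www.example.test/",
                    "effective-directive": "script-src-elem",
                    "blocked-uri": "https://cdn.example.test/lib/app.js"}},
    {"csp-report": {"document-uri": "https://www.example.test/news",
                    "violated-directive": "img-src 'self'",
                    "blocked-uri": "https://images.example.test/a.png"}},
    {"csp-report": {"document-uri": "https://www.example.test/",
                    "effective-directive": "style-src-attr",
                    "blocked-uri": "inline"}},
]

def origin(url):
    """Return scheme://host[:port] for http(s) URLs, else None."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None

def directive_of(report):
    """Pick the violated directive; fold CSP3 -elem/-attr into the parent."""
    name = report.get("effective-directive") or report.get("violated-directive", "")
    name = name.split()[0] if name.split() else ""
    for suffix in ("-elem", "-attr"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name

def summarize(reports):
    """Group blocked origins per directive; set aside the rest for review."""
    sources, review = {}, []
    for wrapper in reports:
        report = wrapper.get("csp-report", {})
        directive, blocked = directive_of(report), report.get("blocked-uri", "")
        blocked_origin = origin(blocked)
        if not directive or blocked_origin is None:
            review.append((directive, blocked))  # inline, eval, data:, malformed
            continue
        same = blocked_origin == origin(report.get("document-uri", ""))
        sources.setdefault(directive, set()).add("'self'" if same else blocked_origin)
    return sources, review

def build_policy(sources):
    """Render candidate directives in a stable order."""
    return "; ".join(f"{d} {' '.join(sorted(s))}" for d, s in sorted(sources.items()))
```

Entries in the review list (inline styles or scripts, `eval`, `data:` URIs) are kept out of the candidate policy on purpose: allowing them weakens the policy, so each one should be checked against the page that triggered it before any source is added.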

The content security policy for the Kentico administration interface is set up separately. The default allows the administration to work but can be overridden by creating an AppSetting in the web.config called "Crafted:ContentSecurityPolicy:AdminCSP" set to "true".

In the case where the site becomes unresponsive due to the Content Security Policy being applied, you can disable the module by creating another AppSetting in the web.config called "Crafted:ContentSecurityPolicy:Enabled" set to "false".

Get the module now from the Kentico Marketplace

 

Please note

  • Content security policies can break your site. It is advised to be familiar with content security policies when installing the module. In addition, you should always try out the module in a test environment before applying it to a production environment.
  • Crafted accepts no liability for your use of the module.

 

For more details on Content Security Policy, please visit https://developer.mozilla.org/en-US/docs/Web/Security/CSP.