Adds a module to the admin site for easy configuration of Content Security Policy (CSP) headers for web channels.
Once installed, a new module appears in the navigation and the dashboard:
Screen for creating a new CSP configuration (on a per-source-URL basis):
Listing shows all configurations, including which web channel they are assigned to.
Xperience Version | Library Version |
---|---|
>= 29.1.4 | 2.0.0 |
>= 28.3.0 | 1.0.0 |
Add the package to your application using the .NET CLI:

```bash
dotnet add package XperienceCommunity.CSP
```
1. Install the NuGet package above.

2. Register the CSP management services using `builder.Services.AddXperienceCommunityCspManagement()`:

   ```csharp
   // Program.cs
   var builder = WebApplication.CreateBuilder(args);

   builder.Services.AddKentico();

   // ...

   builder.Services.AddXperienceCommunityCspManagement();
   ```

3. Register the CSP management middleware using `app.UseXperienceCommunityCspManagement()`:

   ```csharp
   var app = builder.Build();

   app.UseKentico();

   // ...

   app.UseXperienceCommunityCspManagement();
   ```
That's it! Launch your website and the module should be installed and ready to go. Once you've configured your CSP headers, load a page on the website and check the headers in your browser console.
This module supports the use of nonces in your CSP headers.
When creating a new CSP configuration, you can enable or disable a nonce being added for the selected directives. This will add a nonce to the header.
You are responsible for adding the nonce to your inline scripts and styles. You can use the `CspNonceService` to get the current nonce value. This service can be injected into your services, controllers, or views.
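```csharp
public class MyService
{
    // Injected by the DI container once the CSP management services are registered.
    private readonly ICspNonceService _cspNonceService;

    public MyService(ICspNonceService cspNonceService)
    {
        _cspNonceService = cspNonceService;
    }

    // Returns the nonce for the current request, for use in nonce="..." attributes.
    public string GetNonce()
    {
        return _cspNonceService.Nonce;
    }
}
```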
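Because adding the nonce to inline elements is left to you, it helps to check a rendered page against its header. The following is an added example, not part of this package: it reports inline `<script>` and `<style>` elements whose nonce is missing or does not match the one in the matching CSP directive. The function names, header and HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

def parse_csp(header):
    """Map each directive in a Content-Security-Policy value to its source list."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def nonces_for(policy, directive):
    """Nonces allowed for a directive, falling back to default-src if it is absent."""
    sources = policy.get(directive, policy.get("default-src", []))
    return {m.group(1) for s in sources if (m := NONCE_RE.fullmatch(s))}

class InlineFinder(HTMLParser):
    """Record (tag, nonce, line) for every inline <script> and <style> element."""
    def __init__(self):
        super().__init__()
        self.inline = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <script src=...> is external and is left to the URL sources in the policy.
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self.inline.append((tag, attrs.get("nonce"), self.getpos()[0]))

def unnonced_inline(csp_header, html):
    """Return (tag, line) for inline elements whose nonce is missing or not in the header."""
    policy = parse_csp(csp_header)
    allowed = {"script": nonces_for(policy, "script-src"), "style": nonces_for(policy, "style-src")}
    finder = InlineFinder()
    finder.feed(html)
    # Only check element types whose directive actually carries a nonce.
    return [(t, line) for t, n, line in finder.inline if allowed[t] and n not in allowed[t]]

# Constructed sample response (not captured from a real site).
SAMPLE_HEADER = "default-src 'self'; script-src 'self' 'nonce-Q09OU1RSVUNURUQ='; style-src 'self'"
SAMPLE_HTML = """<html><head>
<style>body { margin: 0 }</style>
<script nonce="Q09OU1RSVUNURUQ=">init();</script>
<script src="/app.js"></script>
<script>track();</script>
</head></html>"""
if __name__ == "__main__":
    print(unnonced_inline(SAMPLE_HEADER, SAMPLE_HTML))
```

Hash sources and the `script-src-elem` / `style-src-elem` directives are not modelled, so treat a clean result as a check on nonce placement only.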
Feel free to submit issues or pull requests to the repository. This is a community package and everyone is welcome to support it.
Distributed under the MIT License. See `LICENSE.md` for more information.