Overview
This article describes how to apply Subresource Integrity (SRI) and a Content Security Policy (CSP) to a DNN website.
Environment
Tested on DNN 9.1.1 and above.
Requirements
Admin access to the DNN website.
Process
The HTTP Content-Security-Policy (CSP) response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
To apply both to your website, follow the steps below:
- To add CSP (Content Security Policy), add a meta tag to your website. You can do that in the Persona Bar Menu > SETTINGS > Site Settings > Site Behavior > Page Output Settings.
- Add this meta tag to the HTML Page Header Tags box:
<meta http-equiv="Content-Security-Policy" content="require-sri-for script style">
- To add SRI (Subresource Integrity) to every script that you load from an external site (a CDN, for example), add the integrity and crossorigin HTML attributes to each individual script or style tag. For example, the following script:
<script src="//www.somepage.com/plus/scripts/ba.js" type="text/javascript"></script>
must be converted to this:
<script src="//www.somepage.com/plus/scripts/ba.js" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"></script>
- You can use an SRI hash generator to get this hash.
- Then replace the script in your source files, everywhere it is present, with the secured one (by secured we mean the tag that carries the integrity hash and crossorigin HTML attributes).
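As an added illustration (not part of the original DNN article), the following Python script computes the SRI token for a resource body, checks a fetched body against a token the way the browser does at load time, and rewrites script tags to add the attributes described above. The sample script body, resource map and tag are constructed for the example; the regex handles plain `<script src="...">` tags, not every HTML corner case.

```python
import base64
import hashlib
import re

# Constructed sample body of an external script (stands in for a file served by a CDN).
SAMPLE_JS = b"(function () { window.ba = { ready: true }; })();\n"

# The article's example tag, before SRI is applied.
SAMPLE_HTML = ('<script src="//www.somepage.com/plus/scripts/ba.js" '
               'type="text/javascript"></script>')

# Resource map used by add_integrity: src attribute -> bytes the CDN serves.
RESOURCES = {"//www.somepage.com/plus/scripts/ba.js": SAMPLE_JS}

SCRIPT_TAG = re.compile(r'<script\b([^>]*?)\bsrc="([^"]+)"([^>]*)>', re.IGNORECASE)


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return the SRI token (e.g. 'sha256-<base64 digest>') for a resource body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content: bytes, token: str) -> bool:
    """What the browser does on fetch: recompute the digest and compare it to the token.
    A single changed byte in the body gives a different digest, so the check fails."""
    algo = token.split("-", 1)[0]
    return sri_hash(content, algo) == token


def add_integrity(html: str, resources: dict) -> str:
    """Rewrite <script src=...> tags whose src is in `resources` so they carry
    integrity and crossorigin attributes. Tags that already have integrity are left alone."""
    def fix(match):
        before, src, after = match.groups()
        if src not in resources or "integrity=" in (before + after).lower():
            return match.group(0)
        token = sri_hash(resources[src])
        return (f'<script{before}src="{src}" integrity="{token}" '
                f'crossorigin="anonymous"{after}>')
    return SCRIPT_TAG.sub(fix, html)


if __name__ == "__main__":
    print(add_integrity(SAMPLE_HTML, RESOURCES))
```

Because `require-sri-for` was an experimental directive that current browsers do not implement, the integrity attribute on each tag is the check that is actually enforced. The crossorigin attribute also means the CDN must answer with an Access-Control-Allow-Origin header, otherwise the browser blocks the resource before the hash is compared.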
Confirmation
With the SRI integrity attribute in place, the browser can determine whether the fetched file differs from the expected hash, which lets it reject the file.