Manage your security headers in EPiServer

As security is getting more and more important these days, as if it wasn’t before… you probably add some response headers to add some extra security. Problem is, I find, that if you set them to strict or to easy, you will need a new deploy, if you manage them in your web.config.

There is a nice library called NWebsec that you can use to do it in code. But you will also need a deploy to change your settings.

I have uploaded a package to EPiServer NuGet where you can manage them in admin mode. It uses NWebsec to enforce the settings you configure there. The source is on GitHub as usual.

Just remember to exclude the NWebsec assemblies from being scanned by EPiServer, as an error will be thrown.

<episerver.framework>
    ...
    <scanAssembly forceBinFolderScan="true">
      <add assembly="*"/>
      <remove assembly="NWebsec" />
      <remove assembly="NWebsec.Core" />
      <remove assembly="NWebsec.Mvc" />
    </scanAssembly>
    ...
</episerver.framework>

One last thing, as the settings are loaded on start up, changing them will restart your website. Just so you know.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s