Sitecore Content Security Policy
Overview
Are you looking for a way to manage Content Security Policy in Sitecore without triggering app pool restarts?
We’ve developed a dynamic Content Security Policy (CSP) solution for Sitecore that eliminates the need to modify the web.config file. This custom implementation enables real-time CSP configuration within the Sitecore Content Editor—with zero downtime and no recycling of the application domain.
CSP in web.config Triggers Restarts
Traditionally, CSP settings in Sitecore are managed by adding <customHeaders> entries in the web.config file, like so:
<httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline';" />
  </customHeaders>
</httpProtocol>
While this works, any change to web.config causes Sitecore to restart, which may lead to:
- 30–40 minutes of website outage
- Delays during deployments
- Frustrated content teams and developers
Custom CSP Configuration Inside Sitecore
We created a custom Sitecore CSP module that allows full CSP policy control using Sitecore items—no web.config changes required.
Instead of editing files on the server, admins can now manage CSP directives inside the Sitecore tree:
/sitecore/content/<SiteName>/Primary/Settings/Site Grouping/<SiteDomain>/CSP/
Each CSP directive has its own item:
- default-src
- script-src
- img-src
- connect-src
- and more...
Each directive item references CSP value definitions, such as:
- 'self'
- 'unsafe-inline'
- nonce-cspScrpt
- connect-src
- Third-party URLs (e.g., https://cdn.jsdelivr.net, https://fonts.googleapis.com)
Key Benefits
Avoid Sitecore Restarts
Manage Content Security Policy without touching web.config—preventing app pool restarts and ensuring uninterrupted uptime.
Runtime CSP Header Injection
Our custom Sitecore pipeline dynamically assembles and injects the Content-Security-Policy header during request processing.
User-Friendly CSP Management for Content Authors
No developer or DevOps involvement needed. Your team can add or remove CSP entries directly in the Sitecore interface.
Complete Support for All CSP Directives
The system supports: script-src, img-src, style-src, frame-src, font-src, connect-src, media-src, and others
How It Works
1. Editable CSP Configuration Tree in Sitecore
Each directive (script-src, img-src, etc.) is represented as a node in the Sitecore content tree.
2. Shared List of Allowed Sources
Reference centrally maintained CSP sources like:
- 'self'
- data:
- blob:
- Third-party libraries (CDNs, analytics, font providers)
3. Runtime Evaluation Pipeline
A custom Sitecore pipeline gathers the selected values and generates the correct CSP header dynamically, inserted into every HTTP response.
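The three steps above, as an added example in C# that is not the module's own code: an httpRequestBegin processor reads the directive items under the site's CSP folder, resolves each directive's referenced source items, and sets the assembled Content-Security-Policy header on the response. The folder path (built from the resolved site's root path and name), the field names "Sources" (a multilist on each directive item) and "Value" (a text field on each source item), the treatment of the nonce-cspScrpt value as a per-request nonce marker, and the Example.Csp namespace and assembly name are all assumptions about the item schema, not facts from the page.

```csharp
// Added example, not the module's code. Assumed item schema: each child of the
// CSP folder is one directive item whose "Sources" multilist points at shared
// source items carrying the token in a "Value" field.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;
using Sitecore.Data.Fields;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;

namespace Example.Csp
{
    public class CspHeaderProcessor : HttpRequestProcessor
    {
        // Assumed: CSP folder relative to the site root item; <SiteDomain> is taken
        // from the resolved site's name.
        private const string CspFolderFormat = "{0}/Primary/Settings/Site Grouping/{1}/CSP";
        private const string SourcesField = "Sources";            // assumed multilist field on directive items
        private const string ValueField = "Value";                // assumed text field on source items
        private const string NoncePlaceholder = "nonce-cspScrpt"; // value listed on the page, treated here as a nonce marker
        public const string NonceContextKey = "CspNonce";         // views read the per-request nonce from HttpContext.Items

        // Only characters that legitimately occur in CSP source expressions
        // ('self', data:, https://host, *.example.com, 'sha256-...='). Anything
        // else (CR/LF, ';', '"') could corrupt the header or smuggle a directive,
        // which matters because content authors, not developers, edit these values.
        private static readonly Regex SafeToken = new Regex(@"^[A-Za-z0-9'*:/.\-_+=%~]+$", RegexOptions.Compiled);

        public override void Process(HttpRequestArgs args)
        {
            var site = Sitecore.Context.Site;
            var db = Sitecore.Context.Database;
            var http = HttpContext.Current;
            if (site == null || db == null || http == null) return;

            Item cspFolder = db.GetItem(string.Format(CspFolderFormat, site.RootPath, site.Name));
            if (cspFolder == null) return;

            string nonce = CreateNonce();
            http.Items[NonceContextKey] = nonce;

            string header = BuildHeader(cspFolder, nonce);
            if (string.IsNullOrEmpty(header)) return;

            // Set (not Append) so a leftover web.config value cannot produce two
            // CSP headers; browsers would enforce both.
            http.Response.Headers.Set("Content-Security-Policy", header);
        }

        // Step 1 + 2: walk the directive nodes and resolve their shared sources.
        internal static string BuildHeader(Item cspFolder, string nonce)
        {
            var directives = new List<string>();
            foreach (Item directive in cspFolder.Children)
            {
                string name = directive.Name.Trim().ToLowerInvariant();
                MultilistField sources = directive.Fields[SourcesField];
                if (sources == null || !SafeToken.IsMatch(name)) continue;

                var tokens = sources.GetItems()
                    .Select(s => (s[ValueField] ?? string.Empty).Trim())
                    .Select(v => v == NoncePlaceholder ? "'nonce-" + nonce + "'" : v)
                    .Where(v => IsSafeToken(v, name))
                    .Distinct()
                    .ToList();

                if (tokens.Count > 0)
                    directives.Add(name + " " + string.Join(" ", tokens));
            }
            // Step 3: the finished header value, e.g. "default-src 'self'; img-src 'self' data:"
            return string.Join("; ", directives);
        }

        private static bool IsSafeToken(string value, string directiveName)
        {
            if (!string.IsNullOrEmpty(value) && SafeToken.IsMatch(value)) return true;
            Log.Warn(string.Format("CSP: dropped invalid source '{0}' for {1}", value, directiveName),
                     typeof(CspHeaderProcessor));
            return false;
        }

        // A fresh 128-bit nonce per response; reusing one defeats the purpose.
        private static string CreateNonce()
        {
            var bytes = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            return Convert.ToBase64String(bytes);
        }
    }
}

// Assumed one-time registration (App_Config/Include/Example.Csp.config), after
// SiteResolver so Sitecore.Context.Site is populated:
// <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
//   <sitecore><pipelines><httpRequestBegin>
//     <processor type="Example.Csp.CspHeaderProcessor, Example.Csp"
//       patch:after="processor[@type='Sitecore.Pipelines.HttpRequest.SiteResolver, Sitecore.Kernel']" />
//   </httpRequestBegin></pipelines></sitecore>
// </configuration>
```

Views that need inline scripts read the nonce back with HttpContext.Current.Items["CspNonce"] and emit it as the script tag's nonce attribute. The registration patch is deployed once with the module; after that, every policy change is an item edit, which is the point of the approach. Because the source values are authored in the Content Editor rather than by developers, each token is validated against the allowed character set before it is placed in the header and anything rejected is written to the Sitecore log, so a stray line break or semicolon in an item cannot alter the policy or break the response.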
Why It Matters
This is a best practice approach for modern Sitecore development—especially for high-traffic or continuously evolving environments. You gain:
- Fewer deployment headaches
- Stronger content governance and DevOps alignment
- Improved Sitecore security posture
- Faster time-to-value for new third-party integrations
Get Started