Sometimes it can be necessary to set certain HTTP headers to increase the security of your Sitecore site. Many of our customers have requested such a feature, and therefore we implemented this functionality, where a site admin can set various HTTP headers in the Sitecore backend.
With this post I want to show you how you can set HTTP headers with Sitecore, on the basis of the two important HTTP headers Content-Security-Policy (helps to prevent content-injection attacks) and X-Frame-Options (helps to avoid clickjacking attacks).
1) Create a Template
First, you need to create a Sitecore template with the following fields:
Second, decide which mechanism you want to use to set the response headers:
- Central configuration: Create an item from this template (or let your already existing configuration template inherit from this new template)
- Each layout item controls the HTTP headers: Add this template to your layout templates if you want to control the HTTP headers for each page separately
2) Write a custom HttpRequest Processor
In order to set the HTTP headers you have to write a custom HttpRequest processor.
Please keep in mind that the following code examples overwrite the values which are already in the HTTP headers. You may have to change the implementation here if you want a different approach (maybe you want to merge the values, or you don't want to set them at all if the headers are already set).
2.1) Central Configuration Item:
2.2) Each layout item controls the HTTP headers:
In this example the central configuration item is a fallback if the fields do not exist on the context item or the context item has no values in these fields.
3) Create a patch config
The last step is to create a patch config which hooks your custom HttpRequest processor into Sitecore's httpRequestEnd pipeline. In our example we inserted the processor at the end of the httpRequestEnd pipeline, where you have the most control over the HTTP headers (for example, you can check whether the headers were already set).
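As an added example covering steps 2.1, 2.2 and 3 together (this is not the original post's code), here is one processor that implements both mechanisms: it reads the header values from the context item first and falls back to a central configuration item. The namespace, the assembly name, the field names `Content Security Policy` and `X-Frame-Options`, the config item path and the patch file name are all assumptions; adjust them to the template and items you created in step 1. The registration patch config is shown as a comment at the end so the whole step-by-step setup is in one place.

```csharp
using System;
using System.Web;
using Sitecore;
using Sitecore.Data.Fields;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;

// Hypothetical namespace; use your own.
namespace MyCompany.Pipelines.HttpRequest
{
    public class SetSecurityHeadersProcessor : HttpRequestProcessor
    {
        // Assumed field names on the template from step 1.
        private const string CspFieldName = "Content Security Policy";
        private const string XfoFieldName = "X-Frame-Options";

        // Assumed path of the central configuration item (mechanism 2.1).
        private const string ConfigItemPath = "/sitecore/content/Home/Security Headers";

        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, nameof(args));

            HttpResponse response = HttpContext.Current?.Response;
            if (response == null || Context.Item == null)
            {
                return; // nothing to do for requests that did not resolve to an item
            }

            Item configItem = Context.Database?.GetItem(ConfigItemPath);

            // Mechanism 2.2 (per-page values) with mechanism 2.1 as fallback.
            SetHeader(response, "Content-Security-Policy",
                ResolveValue(Context.Item, configItem, CspFieldName));
            SetHeader(response, "X-Frame-Options",
                ResolveValue(Context.Item, configItem, XfoFieldName));
        }

        // Returns the context item's value if the field exists and is filled,
        // otherwise the value from the central configuration item (may be null).
        private static string ResolveValue(Item contextItem, Item configItem, string fieldName)
        {
            string value = GetFieldValue(contextItem, fieldName);
            return string.IsNullOrWhiteSpace(value) ? GetFieldValue(configItem, fieldName) : value;
        }

        private static string GetFieldValue(Item item, string fieldName)
        {
            if (item == null) return null;
            Field field = item.Fields[fieldName]; // null if the template has no such field
            return field?.Value;
        }

        private static void SetHeader(HttpResponse response, string name, string value)
        {
            if (string.IsNullOrWhiteSpace(value)) return;

            // A field value is content-editor input: refuse anything containing CR/LF
            // so a multi-line value cannot inject additional headers into the response.
            if (value.IndexOfAny(new[] { '\r', '\n' }) >= 0)
            {
                Log.Warn($"Security header '{name}' ignored: value contains line breaks.", typeof(SetSecurityHeadersProcessor));
                return;
            }

            // Overwrites any existing value, as described in the post. To keep an
            // already-set header instead, check response.Headers[name] != null first.
            response.Headers.Set(name, value.Trim());
        }
    }
}

/* Step 3: patch config, e.g. App_Config/Include/zzz.SecurityHeaders.config (assumed file name).
   A processor element without patch:before/patch:after is appended at the end of the pipeline.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <httpRequestEnd>
        <processor type="MyCompany.Pipelines.HttpRequest.SetSecurityHeadersProcessor, MyCompany" />
      </httpRequestEnd>
    </pipelines>
  </sitecore>
</configuration>
*/
```

After deploying the assembly and the patch file, load a page in a browser and check the response headers in the developer tools' network tab to confirm that Content-Security-Policy and X-Frame-Options carry the values from your items; `/sitecore/admin/showconfig.aspx` shows whether the processor was really appended to httpRequestEnd.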
That was about it. With the help of this guide you can of course also set other or additional HTTP headers.