
[Enhancement]: Content security policy headers #6720

@sachatrauwaen

Description

Is there an existing issue for this?

  • I have searched the existing issues

Description of problem

Create a possibility to generate Content Security Policy (CSP) headers.
Content Security Policy is a crucial security standard that helps protect your web applications from various types of attacks, including Cross-Site Scripting (XSS), clickjacking, and other code injection attacks. It works by allowing you to specify which resources (scripts, styles, images, etc.) the browser should be allowed to load.
More info about Content Security Policy

Description of solution

3 HTTP headers will be managed:

  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Reporting-Endpoints

Portal Settings

  • activate CSP: Enabled / Report Only / Disabled.
  • default CSP policy.
  • activate reporting endpoint with 3 kinds of reporting: email, log file, DNN Event logs.
  • custom reporting URL

There is a risk of a DDoS attack on this endpoint; we need to manage some rate limits on this reporting endpoint.
There is also a need to write some documentation for module developers and skin developers telling them how to contribute to the CSP policy.

Suggested Implementation

A new CSP service where everyone (DNN core, skins, modules) can contribute to the CSP.
It is also responsible for generating a nonce for inline JS.

Every inline JavaScript block needs to get a nonce attribute.

In the WebForms pipeline we need to accept inline and eval JS.
In the MVC pipeline we can be strict.

Analyze if all resources added by Client Resources Manager can be added automatically.

Anything else?

Do you plan to contribute code for this enhancement?

  • Yes

A first version of it exists already in the MVC Pipeline.
DNN Platform/DotNetNuke.ContentSecurityPolicy

Would you be interested in sponsoring this enhancement?

  • Yes

Code of Conduct

  • I agree to follow this project's Code of Conduct
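As an added illustration (not code from this issue and not DNN Platform's DotNetNuke.ContentSecurityPolicy), the following C# sketches the service the issue describes: core, skins and modules contribute sources to directives, one nonce is minted per request for inline scripts, the "activate CSP" setting selects between the Content-Security-Policy and Content-Security-Policy-Report-Only headers, a Reporting-Endpoints header points at the report endpoint, and a small fixed-window limiter addresses the DDoS concern on that endpoint. The WebForms helper also shows a caveat a practitioner wants to know: a browser that sees a nonce in script-src ignores 'unsafe-inline', so the legacy mode must drop the nonce rather than add 'unsafe-inline' next to it. Class and method names, the /api/csp/report path, the CDN host and the client IP are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Portal setting "activate CSP": Enabled / Report Only / Disabled.
public enum CspMode { Disabled, ReportOnly, Enabled }

// Hypothetical service (not DNN's own): contributors widen directives, one nonce per request.
public sealed class CspService
{
    private readonly Dictionary<string, List<string>> _directives =
        new Dictionary<string, List<string>>();
    private readonly CspMode _mode;
    private readonly string _reportPath; // assumed path of the reporting endpoint

    public string Nonce { get; }

    public CspService(CspMode mode, string reportPath)
    {
        _mode = mode;
        _reportPath = reportPath;
        // 128 random bits from a CSPRNG, base64-encoded, as CSP expects for 'nonce-<value>'.
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        Nonce = Convert.ToBase64String(bytes);
        // Default portal policy: a strict baseline that contributors only widen.
        Contribute("default-src", "'self'");
        Contribute("script-src", "'self'", "'nonce-" + Nonce + "'");
        Contribute("object-src", "'none'");
        Contribute("base-uri", "'self'");
        Contribute("frame-ancestors", "'self'"); // clickjacking defence
    }

    // Entry point for DNN core, a skin or a module to add sources to one directive.
    public void Contribute(string directive, params string[] sources)
    {
        List<string> list;
        if (!_directives.TryGetValue(directive, out list))
            _directives[directive] = list = new List<string>();
        foreach (var s in sources)
            if (!list.Contains(s)) list.Add(s);
    }

    // WebForms pipeline: inline handlers and eval must keep working. The nonce is removed
    // because a browser that sees a nonce in script-src ignores 'unsafe-inline' entirely.
    public void AllowLegacyInlineScript()
    {
        _directives["script-src"].RemoveAll(s => s.StartsWith("'nonce-"));
        Contribute("script-src", "'unsafe-inline'", "'unsafe-eval'");
    }

    public string PolicyString()
    {
        var parts = _directives.Select(kv => kv.Key + " " + string.Join(" ", kv.Value)).ToList();
        parts.Add("report-uri " + _reportPath); // legacy directive, older browsers
        parts.Add("report-to csp-endpoint");    // pairs with the Reporting-Endpoints header
        return string.Join("; ", parts);
    }

    // Headers to emit for the configured mode; Disabled emits nothing at all.
    public IDictionary<string, string> BuildHeaders()
    {
        var headers = new Dictionary<string, string>();
        if (_mode == CspMode.Disabled) return headers;
        headers["Reporting-Endpoints"] = "csp-endpoint=\"" + _reportPath + "\"";
        var name = _mode == CspMode.Enabled
            ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
        headers[name] = PolicyString();
        return headers;
    }
}

// Fixed-window limiter for the report endpoint: a client exceeding maxPerWindow is refused.
public sealed class ReportRateLimiter
{
    private readonly int _maxPerWindow;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, Tuple<DateTime, int>> _buckets =
        new Dictionary<string, Tuple<DateTime, int>>();

    public ReportRateLimiter(int maxPerWindow, TimeSpan window)
    {
        _maxPerWindow = maxPerWindow;
        _window = window;
    }

    // clientKey would typically be the source IP; returns false when over the limit.
    public bool Allow(string clientKey, DateTime now)
    {
        lock (_buckets)
        {
            Tuple<DateTime, int> b;
            if (!_buckets.TryGetValue(clientKey, out b) || now - b.Item1 >= _window)
                b = Tuple.Create(now, 0); // new or expired window
            if (b.Item2 >= _maxPerWindow) return false;
            _buckets[clientKey] = Tuple.Create(b.Item1, b.Item2 + 1);
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var csp = new CspService(CspMode.ReportOnly, "/api/csp/report");
        csp.Contribute("script-src", "https://cdn.example.test"); // e.g. a module's CDN (constructed)
        foreach (var h in csp.BuildHeaders()) Console.WriteLine(h.Key + ": " + h.Value);
        Console.WriteLine("<script nonce=\"" + csp.Nonce + "\">/* inline */</script>");
        var limiter = new ReportRateLimiter(5, TimeSpan.FromMinutes(1));
        for (int i = 0; i < 7; i++) // constructed client IP; reports 6 and 7 are refused
            Console.WriteLine("report " + i + " accepted: " + limiter.Allow("203.0.113.9", DateTime.UtcNow));
    }
}
```

Running this in Report Only mode emits Reporting-Endpoints plus Content-Security-Policy-Report-Only, which is the usual way to roll a policy out: violations are reported to the endpoint without blocking anything, and the reports tell you which modules or skins still need to contribute their sources before switching to Enabled. Nonces must be regenerated on every response; caching a page with its nonce defeats the protection.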

Metadata

Status: In review
Labels: none
Milestone: none
Development: No branches or pull requests