MultiSite support

[kashifjawedgravitas]

Hi Stott,

Does this module support the multisite solution as well?

Can I setup different security header per site?

[GeekInTheNorth]

Hello @kashifjawedgravitas

At this point in time, the security headers are applied globally and are not specific to a site within the Optimizely instance. I don't believe this is a function that exists in competing products right now. What this module does have compared to others is security headers being applied to the CMS back end and the ability to extend CSP sources for very specific pages, ability to configure CORS and a full audit of changes.

I am currently planning what Optimizely CMS SAAS looks like for this solution. This will include separation of security headers for front and back end. I can look at how this could be extended to include multi-site support and I'm happy to take any feedback on that.

[kashifjawedgravitas]

Hi

few questions, I want to add some headers like "Permissions-Policy" and want to remove the below

• Server
• X-Powered-By
• x-aspnet-version

How can I achieve the with the module?

[jonasboman]

These headers should be removed using IIS. I have done that on a website using Optimizely 12 hosted on-prem.

[GeekInTheNorth]

@jonasboman I can see why you might then want the ability to remove those headers if you are self hosted using windows and IIS. I'll add an enhancement request to do this.

I would add that if you are self hosted, then it's worth considering moving to Linux based self-hosting as this is what Optimizely are primarily targeting for any DXP based testing. Also you'll get more performance for your hardware as well. Granted this isn't always possible depending on the client. I currently have a test system that is hosted in an Azure WebApp hosted in Linux using .NET 8.0 and I don't have the header concern there either.

[jonasboman]

I would be nice to try hosting on linux sometimes :)

[GeekInTheNorth]

Hi @kashifjawedgravitas

This module is for Optimizely CMS 12 only which is built on .NET Core 6+. As such X-Powered-By, Server and x-aspnet-version are not emitted by the server in this scenario so there isn't a header to remove. If you deploy into DXP, Cloudflare will also set the Server header to be Cloudflare and this happens after the request has left the server so you cannot remove it.

In terms of Permissions-Policy, that is currently on the road map to be added to the module, but is not currently available. In this scenario you are best adding a middleware that creates that policy header.

Can you clarify if you are using Optimizely CMS 11? if so I can direct you at an alternate solution.

Regards,
Mark

[kashifjawedgravitas]

Hi
Thanks for a quick response, we are working on CMS 12.

I'll follow your suggestion to create a middleware for headers that I need to add out of box.

Once again thank you for the support.