New security features added to Ajax.NET Professional

New release available

Michael Schwarz on Wednesday, November 3, 2021

I have just published a new release of the Ajax.NET Professional library that includes several new security features. Please check out ajaxpro.info [1] for further details.

Security Settings

In web.config you can configure several security-related settings.

One of the most important is setting a Content-Security-Policy [2] HTTP response header so that the browser trusts only JavaScript and other resources that come from your web server or from trusted locations. Because AjaxPro [1] generates some JavaScript files on the fly, you can set the JavaScript nonce in your web.config:

<configuration>
	<ajaxNet>
		<ajaxSettings>
			<contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
		</ajaxSettings>
	</ajaxNet>
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<add name="Content-Security-Policy" 
					 value="frame-ancestors www.mydomain.com; script-src 'self' https://www.mydomain.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration>
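
The nonce in ajaxSettings only helps if the same value appears as a 'nonce-…' source in the script-src directive of the header, and a CSP nonce is meant to be unpredictable. The following lint for a web.config is an added example, not part of AjaxPro or of the original post. The function names, the constructed template and the assumption that the alphabet value above is a placeholder are mine.

```python
import xml.etree.ElementTree as ET

# Sample value from the article's web.config; treated here as a placeholder (assumption).
SAMPLE_NONCE = "abcdefghijklmnopqrstuvwxyz"

# Constructed input with the same layout as the web.config above.
TEMPLATE = """<configuration>
  <ajaxNet><ajaxSettings>
    <contentSecurityPolicy nonce="{ajax}" />
  </ajaxSettings></ajaxNet>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Content-Security-Policy"
         value="frame-ancestors www.mydomain.com; script-src 'self' 'unsafe-eval' 'nonce-{header}';" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_web_config(xml_text):
    """Return a list of findings about the AjaxPro nonce and the CSP header."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("contentSecurityPolicy"), None)
    nonce = node.get("nonce") if node is not None else None
    headers = [a.get("value", "") for a in root.iter("add")
               if (a.get("name") or "").lower() == "content-security-policy"]
    if not headers:
        return ["no Content-Security-Policy custom header"]
    policy = parse_csp(headers[0])
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if not nonce:
        findings.append("no AjaxPro nonce configured")
    elif f"'nonce-{nonce}'" not in sources:
        findings.append("AjaxPro nonce missing from script-src")
    if nonce == SAMPLE_NONCE:
        findings.append("nonce is still the sample value")
    return findings

if __name__ == "__main__":
    # Constructed nonce values: a mismatch, then the unchanged sample value.
    for ajax, header in [("r4nd0mValue1", "r4nd0mValue2"), (SAMPLE_NONCE, SAMPLE_NONCE)]:
        print(ajax, check_web_config(TEMPLATE.format(ajax=ajax, header=header)))
```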