I just have published a new release of the Ajax.NET Professional library including several new security features. Please check out ajaxpro.info for further details.

Security Settings

In web.config you can configure different security related settings.

One of the most important is to set a Content-Security-Policy HTTP response header to ensure to trust only JavaScript and other resources that are coming from your web server or trusted locations. As AjaxPro is generating some JavaScript files on-the-fly you can set the JavaScript nonce in your web.config:

<configuration>
	<ajaxNet>
		<ajaxSettings>
			<contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
		</ajaxSettings>
	</ajaxNet>
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<add name="Content-Security-Policy" 
					 value="frame-ancestors www.mydomain.com; script-src 'self' https://www.mydomain.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration>