New Blog Address

Blog moved to blog.schwarz-interactive.de

Dear blog reader,
I moved my content to blog.schwarz-interactive.de and will not add any new post here.

It was a pleasure to have you as my reader here.

Stay safe and healthy!


New security features added to Ajax.NET Professional

I have just published a new release of the Ajax.NET Professional library, including several new security features. Please check out ajaxpro.info for further details.

Security Settings

In web.config you can configure different security-related settings.

One of the most important is to set a Content-Security-Policy HTTP response header so that the browser trusts only JavaScript and other resources that come from your web server or trusted locations. As AjaxPro generates some JavaScript files on the fly, you can set the JavaScript nonce in your web.config:

<configuration>
	<ajaxNet>
		<ajaxSettings>
			<!-- Nonce for the JavaScript that AjaxPro generates on the fly -->
			<contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
		</ajaxSettings>
	</ajaxNet>
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<!-- script-src carries the same nonce value as the contentSecurityPolicy element above -->
				<add name="Content-Security-Policy" 
					 value="frame-ancestors www.mydomain.com; script-src 'self' https://www.mydomain.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration>
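The nonce appears twice in this configuration, so the two values can drift apart when one is edited. The following added example (not part of AjaxPro or the original post) checks a web.config for that; the function names `parse_csp` and `check_web_config` are hypothetical, the sample config is constructed, and the element names are the ones shown above.

```python
import re
import xml.etree.ElementTree as ET

DOC_SAMPLE_NONCE = "abcdefghijklmnopqrstuvwxyz"  # placeholder value used in the post

# Constructed web.config: the header nonce was changed, the AjaxPro one was not.
SAMPLE_MISMATCH = """<configuration>
  <ajaxNet><ajaxSettings>
    <contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
  </ajaxSettings></ajaxNet>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Content-Security-Policy"
         value="frame-ancestors www.mydomain.com; script-src 'self' 'unsafe-eval' 'nonce-Zm9vYmFyMTIzNDU2Nzg5MA==';" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def check_web_config(xml_text):
    """Return findings about the AjaxPro nonce and the CSP header in a web.config."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("contentSecurityPolicy"), None)
    nonce = node.get("nonce", "") if node is not None else ""
    header = next((a.get("value", "") for ch in root.iter("customHeaders")
                   for a in ch.findall("add")
                   if a.get("name", "").lower() == "content-security-policy"), None)
    if header is None:
        return ["no Content-Security-Policy header in customHeaders"]
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if not nonce:
        findings.append("ajaxSettings has no contentSecurityPolicy nonce")
    elif f"'nonce-{nonce}'" not in script_src:
        findings.append("script-src does not allow the AjaxPro nonce")
    if nonce == DOC_SAMPLE_NONCE:
        findings.append("nonce is the placeholder value from the blog post")
    if nonce and not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", nonce):
        findings.append("nonce is not a valid CSP base64-value")
    return findings

if __name__ == "__main__":
    for finding in check_web_config(SAMPLE_MISMATCH):
        print("FINDING:", finding)
```

A nonce stored in web.config is identical on every response, whereas CSP expects a fresh, unguessable nonce per response; the check only confirms that the two configured values agree and are not the sample value.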