Hardening XP with Security Headers and Content Security Policy

At a recent Enonic Meetup, Vigdis—Tech Lead and Web Developer at Bouvet—shared how to improve the security posture of Enonic applications by configuring security headers, with a deep dive into the Content Security Policy (CSP).

Drawing on nearly seven years of experience working with Enonic solutions across multiple clients, Vigdis offered a practical, code-oriented walkthrough aimed at developers and teams looking to enforce modern browser-side protections.

See the presentation:

Why Security Headers Matter

Security headers are a powerful and often underused way to protect web applications from common vulnerabilities like cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks.

By instructing browsers how to handle content, frames, MIME types, and external scripts, headers serve as a defensive layer in your web stack.

Among the most relevant headers are:

• Strict-Transport-Security: Forces HTTPS and mitigates SSL stripping attacks.
• X-Frame-Options and Frame-Ancestors: Prevent unauthorized embedding of your site.
• X-Content-Type-Options: Ensures correct MIME types are enforced.
• Referrer-Policy: Controls what referrer data is sent with all requests.
• Permissions-Policy: Denies access to various browser features (like camera, geolocation, or autoplay), or explicitly allows specific origins to use them.
• Content-Security-Policy (CSP): The most detailed and customizable of all—defining what content is allowed to load and from where.

Content Security Policy in Practice

The core of Vigdis’ presentation focused on CSP. Unlike simpler headers, CSP gives developers fine-grained control over which resources are allowed, including scripts, images, styles, and frames.

By default, CSP should be as restrictive as possible. Vigdis demonstrated starting with default-src 'none', which blocks everything, and then selectively allowing only trusted sources for:

• script-src, style-src, and img-src (typically set to 'self')
• frame-src for allowing embeds from platforms like YouTube, X, or Instagram
• Inline scripts via hashes or nonces, instead of the insecure unsafe-inline

Vigdis explained how different scenarios call for different strategies. Static inline scripts can be whitelisted using a hash, while dynamic or user-configured content should use a nonce. This is a random value generated per request that gets attached to both the script and the header.

Configuring Headers in Enonic XP

Using the Security Headers app in Enonic XP, Vigdis walked through setting up common headers via a simple admin interface.

For Enonic Cloud deployments, some headers—like Strict-Transport-Security—should be configured at the platform level to avoid duplication.

The app allows direct configuration of CSP rules, and Vigdis showcased a custom example with support for generating and injecting nonces via Java-based response processors.

She also demonstrated how to manually calculate a hash for a script and apply it via the app—highlighting the importance of byte-perfect matching (even extra spaces or newlines will change the hash).

Preview mode in Enonic doesn't enforce CSP, which makes it easier to troubleshoot configuration changes before going live.

Chrome's built-in developer tools help identify blocked resources and offer suggestions for hashes or sources to allow.

Key Takeaways

To close, Vigdis shared some best practices:

• Use security headers wherever possible—they’re easy to set up in Enonic and provide real value.
• For CSP, default to the strictest rules and explicitly allow only what’s necessary.
• Avoid unsafe-inline—use hashes for static scripts, and nonces for dynamic ones.
• Periodically review and update your headers as your application evolves.

Security might not always be the most glamorous part of development—but as Vigdis showed, with the right tools and a bit of planning, it can be both effective and manageable within the Enonic platform.

Want to strengthen your Enonic solution with CSP and other headers? Check out the Security Headers app or talk to your team about implementing these best practices today.