January 23, 2018 | Una Verhoeven
Looking back on 2017, headlines about data breaches and data thefts have dominated the news. Web security is at the front of every business persons mind; Sitecore has described several key points for making your platform more secure, but I want to focus on just a few.
| What | Info | Source | 
| Strong password policy | Sitecore uses the Microsoft ASP.NET Membership Provider | https://msdn.microsoft.com/en-us/ | 
| Protect connection strings | Your data connections, if possible should be encrypted. | |
| Disable SQL Server access from XSLT | You should disablenxslExtension helper since you are not using XSLT renderings | |
| Secure Telerik controls | These controls are only used on CM machines and the web.config patches should be only applied there | |
| PhantomJS | PhantomJS is used by Sitecore to generate screenshots. You should limit the access to this executable | |
| Protect media requests | This feature restricts media URLs that contain dynamic image-scaling parameters, so that only server-generated requests can be processed. | 
Apart from the points above, there are several things you can do to make your site more secure.
HTTPS
Believe it or not, lots of sites nowadays are still not using HTTPS, or, even worse, they are using it partly (for example, everything behind the login is secured and the rest of the website is not). Regarding Sitecore, the best practise is to use HTTPS for both of your CD and CM machines.
1. Ensure that you have X509 certificates
2. Create the associated bindings on your Sitecore IIS instances
3. Make changes in the web.config
<system.web>
<httpcookies httponlycookies="true" requiressl="true" lockitem="true"/>
</system.web>
Headers
| Header Name | Property and Configs | 
| Remove X-Aspnet-Version HTTP header | <system.web> <httpRuntime enableVersionHeader ="false"/> </system.web> | 
| Remove X-Powered-By HTTP header | <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customerHeaders> <httpProtocol> | 
| Remove X-ASPNetMvc-Version HTTP header | MvcHandler.DisableMvcResponseHeader = true; <system.web> <httpRuntime enableVersionHeader="false" /> </system.web> | 
| Change X-Content-Type-Options | nosniff | 
| Set X-XSS-Protection to | 1; mode=block | 
| Set Referrer Policy to | no-referrer-when-downgrade | 
| Use HTTP Strict-Transport-Security response header | Strict-Transport-Security | 
Content Security Policy (CSP) 
CSP is an added layer of security that helps to detect and prevent certain types of attacks, like Cross Site Scripting (XSS) and data injection attacks. These attacks can be used from data theft to distribution of malware. Full documentation is available here:
To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header.
Example:
You can also check out this great example and reading material on CSP written by Troy Hunt.
How to test
When you open a browser console, you should not be able to execute Cross Site Scripting.
Note: Safari doesn’t like CSP. Since CSP is browser based, your testing should cover more than just Chrome and Firefox. Safari, for example, treats CSP quite differently than the other two browsers. Full detailed info has been described by Scott Helme.   
What to do about all the JS links that marketers place
If you are using Sitecore already, there is not much that other frameworks can do that you don’t have already built in. The more 3rd party frameworks you add, the more you need to think about security, GDPR and overall site performance. No one likes a site which takes time to load, especially on mobile devices.
Report URI
Report URI checks the monitoring of security policies like CSP and HPKP. Note: last year, it was announced that Google will no longer support HPKP and it will be deprecated in May of 2018. You can read about that here. 
Conclusion
If you have any questions, please feel free to reach out!