SHIM can be installed using NuGet Package Manager by searching for "SHIM". Alternatively, you can run the following command in the Package Manager Console:

Install-Package CypressDefense.Security.Shim


Or manually by modifying the web.config file in the three locations listed below. For a full list of configuration options, see the /Samples/DefaultConfiguration.xml file in the installation package.

Configuration Section Registration

<configSections>
  <section name="shim" 
     type="CypressDefense.Security.Shim.Configuration.ShimConfiguration, 
     CypressDefense.Security.Shim" />
</configSections>

HTTP Module Registration

<shim enabled="true"></shim>

SHIM Default Settings

<system.webServer>
  <modules>
    <add name="ShimModule" type="CypressDefense.Security.Shim.Module, 
       CypressDefense.Security.Shim" />
  </modules>
</system.webServer>

ASP.NET Web Forms Word of Caution

Out of the box, Content-Security-Policy and ASP.NET web forms do not play nicely together. The .NET framework emits a lot of inline JavaScript (_doPostBack, form validation, etc.), which uses eval functions and sets inline styles. As developers, we do not have any control of this and must adjust the CSP to allow .NET web forms to work properly. The following CSP configuration can be used to enable unsafe-inline and unsafe-eval. It should be noted that this is an insecure CSP configuration, but is still better than not using CSP at all. For more details on creating a CSP for your web site, see the following blog: http://www.cypressdatadefense.com/content-security-policy-webcast/

<contentSecurityPolicy>
  <defaultSource>
    <add value="self"/>
  </defaultSource>
  <scriptSource unsafeInline="true" unsafeEval="true">
    <add value="self"/>
  </scriptSource>
  <styleSource unsafeInline="true">
    <add value="self"/>
  </styleSource>
</contentSecurityPolicy>

Last edited Apr 8, 2015 at 5:40 PM by ejohn20, version 5