Lombiq Helpful Libraries - Orchard Core Libraries - Security
October 28, 2025 ยท View on GitHub
There is a similar section for security extensions related to ASP.NET Core here. All of the services mentioned in both documents are included in the ConfigureSecurityDefaults() and ConfigureSecurityDefaultsWithStaticFiles() extensions.
These extensions provide additional security and can resolve issues reported by the ZAP security scanner.
Extensions
SecurityOrchardCoreBuilderExtensions: AddsBuilderExtensionsextensions. For example, theConfigureSecurityDefaultsWithStaticFiles()that provides some default security configuration for Orchard Core.
Attributes
ContentSecurityPolicyAttribute: You can add the[ContentSecurityPolicy(value, name)]attribute to any MVC action's method. This way you can grant per-action content security policy permissions, right there in the controller. These attributes are handled by theContentSecurityPolicyAttributeContentSecurityPolicyProvider.
Services
ExternalLoginContentSecurityPolicyProvider: Provides various directives for theContent-Security-Policyheader, allowing using external login providers that require special headers (like Microsoft login). Is automatically enabled when the affected features are enabled.GoogleAnalyticsContentSecurityPolicyProvider: Provides various directives for theContent-Security-Policyheader, allowing using Google Analytics tracking. Is automatically enabled when theOrchardCore.Google.Analyticsfeature is enabled or the provider is explicitly enabled for the current request via isstaticmethod.ReCaptchaContentSecurityPolicyProvider: Provides various directives for theContent-Security-Policyheader, allowing using ReCaptcha captchas. Is automatically enabled when theOrchardCore.ReCaptchafeature is enabled.ResourceManagerContentSecurityPolicyProvider: An abstract base class for implementing content security policy providers that trigger when the specified resource is included.VueContentSecurityPolicyProvider: An implementation ofResourceManagerContentSecurityPolicyProviderthat addsscript-src: unsafe-evalpermission to the page if it uses thevuejsresource. This includes any Vue.js resource in stock Orchard Core and the one in Lombiq.VueJs.Resources as well. This is necessary, because withoutunsafe-evalVue.js only supports templates that are pre-compiled into JS code.
You can configure optional or custom content security policy providers by implementing the IContentSecurityPolicyProvider interface and registering them in the DI container with AddContentSecurityPolicyProvider<TProvider>(), e.g. services.AddContentSecurityPolicyProvider<XWidgetsContentSecurityPolicyProvider>(); in a Startup class. You can also register providers for the whole app (i.e. all tenants) from the root Program class via OrchardCoreBuilder.ApplicationServices.