Stott Security

Content relating to the Stott Security Add-On for Optimizely CMS 12 and 13, the leading security header manager.

A screen capture of the Stott Security interface.
Stott Security
For Optimizely CMS
96,500+
Downloads on nuget.org
46,500+
Downloads on nuget.optimizely.com
7.0.1
Current Version

Stott Security is an Add-on for Optimizely CMS that allows a CMS Administrator to manage security headers that are used to protect the CMS website without requiring a code deployment. This Add-on is free to use and is covered by an MIT License. If you wish to support the ongoing development of this Add-on, then please feel free to buy me a coffee.

Key Features

  • Multiple Contexts: Configure headers globally, by application (site in CMS 12) and by individual host, using the built-in context switcher.
  • Layered Content Security Policy: CSP sources merge across four levels โ€” Global, Application, Host and Page โ€” so you can enforce strong defaults while refining policies for specific journeys.
  • Override Model: Permissions Policy and Response Headers use an override approach where more specific levels replace broader ones.
  • Separate Front-End & CMS Policies: Apply tight, nonce-based policies to your delivery hosts while granting the CMS editor host the permissions it needs.

  • User Friendly Interface: Manage individual domains and what permissions you grant them on a domain by domain basis.
  • Searchable: Search by domain or filter by permission to fully understand what permissions have been granted.
  • Reporting: Supporting internal and external reporting endpoints, understand violations either directly within the add-on or in a third party service.
  • Violation Handling: Add blocked domains straight into your CSP straight from the violation report screen
  • Agency Allow List: Automatically update your Content Security Policies across multiple instances based on a centrally managed allow list.
  • Supports Nonce: Supports nonce attributes on script and style tags. Automatically applied for traditional CMS pages, must be applied in UI code for Headless solutions.
  • Layered by Scope: Define sources globally and refine them by application, host and page, merged into a single policy for the page being served.

  • User Friendly Interface: Manage individual directives in an easy-to-use interface.
  • Searchable: Search by domain or filter by permission to fully understand what permissions have been granted.
  • Scoped Configuration: Configure globally and override at application or host level.

  • CORS Support: Manage the domains that are allows to make CORS requests into your website.
  • Native: Hooks into the Microsoftโ€™s built in .NET CORS middleware to protect your CMS with minimal effort.
  • Optimizely Headers: Quickly add known Optimizely headers for the Content Delivery and Definition APIs at the click of a button.

  • User Friendly Interface: Manage all of your classic response headers in a nice easy to manage interface.
  • Scoped Configuration: Configure globally and override at application or host level.
  • Specialized Security Headers:
    • Cross-Origin-Embedder-Policy
    • Cross-Origin-Opener-Policy
    • Cross-Origin-Resource-Policy
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options
    • Referrer-Policy
    • Strict-Transport-Security (HSTS)
  • Custom Headers:
    • Supports adding or removing of any configured header name.

  • User Friendly Interface: Manage your security.txt files in an easy to interface that is familiar to users of Stott Robots Handler.
  • Multi-Domain / Host Support: Write a single security.txt file for your entire CMS, or create them by application (site in CMS 12) or even specific host.

  • Previews: A preview screen that will show you your complete collection of compiled headers.
  • Headless Support: APIs can be consumed by your headless solution to serve headers using middleware in well known headless providers.
  • Import/Export: Export all your settings to back them up before making sweeping changes and import them to roll them back to a known state.
  • Fully Audited: All changes made within the add-on are audited complete with field value changes.
  • Audit Reporting: Review all changes made to settings by user, date or record type.
  • Validation: Client side and server side validation with visual feedback to prevent configuration errors

Articles

Stott Security Version 6

Published: 17th May 2026

Stott Security v6 brings the multiple site and host configuration features from v7 to Optimizely CMS 12, adapting them to the CMS 12 Site-based architecture.

Development Optimizely Stott Security

Getting Started with Stott Security for Optimizely CMS

Published: 30th April 2026

A step-by-step getting started guide to installing and configuring the Stott Security add-on for Optimizely CMS, covering NuGet install, service registration, host-level header variation, and your first Content Security Policy.

Optimizely Stott Security

Stott Security Version 7

Published: 9th April 2026

Introducing Stott Security v7 which has been built on Optimizely CMS 13 and .NET 10 and updates all features to support and multi application and host configurations.

Development Optimizely Stott Security

Stott Security Version 5

Published: 5th March 2026

A summary of all new and updated functionality changes that have been introduced in version 5 of the Stott Security add-on for Optimizely CMS 12.

Development Optimizely Stott Security

Stott Security Version 4

Published: 16th January 2026

A summary of all new and updated functionality changes that have been introduced in version 4 of the Stott Security add-on for Optimizely CMS 12.

Development Optimizely Stott Security

Optimizing Content Security Policies to Stay Within HTTP Header Limits

Published: 1st August 2025

Discover how to audit, reduce, and optimize Content Security Policies. Helping you stay within browser and CDN header size limits.

Development Optimizely Stott Security

Stott Security Version 3

Published: 8th April 2025

A summary of all new functionality and changes that have been introduced to the Stott Security v3 add-on for CMS 12.

Development Optimizely Stott Security

Stott Security Version 2

Published: 17th May 2024

A summary of all new functionality and changes that have been introduced to the Stott Security v2 add-on for CMS 12.

Development Optimizely Stott Security

Adding CORS Management to Optimizely CMS 12

Published: 8th October 2023

Adding Cross-origin Resource Sharing response headers to the Stott Security Add-on for Optimizely CMS 12.

Development Optimizely Stott Security