Stott Security

Stott Security is an Add-on for Optimizely CMS that allows a CMS Administrator to manage security headers that are used to protect the CMS website without requiring a code deployment. This Add-on is free to use and is covered by an MIT License. If you wish to support the ongoing development of this Add-on, then please feel free to buy me a coffee.

Key Features

User Friendly Interface: Manage individual domains and what permissions you grant them on a domain by domain basis.
Searchable: Search by domain or filter by permission to fully understand what permissions have been granted.
Reporting: Supporting internal and external reporting endpoints, understand violations either directly within the add-on or in a third party service.
Violation Handling: Add blocked domains straight into your CSP straight from the violation report screen
Agency Allow List: Automatically update your Content Security Policies across multiple instances based on a centrally managed allow list.
Supports Nonce: Supports nonce attributes on script and style tags. Automatically applied for traditional CMS pages, must be applied in UI code for Headless solutions.

User Friendly Interface: Manage individual directives in an easy-to-use interface.
Searchable: Search by domain or filter by permission to fully understand what permissions have been granted.

CORS Support: Manage the domains that are allows to make CORS requests into your website.
Native: Hooks into the Microsoft’s built in .NET CORS middleware to protect your CMS with minimal effort.
Optimizely Headers: Quickly add known Optimizely headers for the Content Delivery and Definition APIs at the click of a button.

User Friendly Interface: Manage all of your classic response headers in a nice easy to manage interface.
Specialized Security Headers:
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- X-Content-Type-Options
- X-XSS-Protection
- X-Frame-Options
- Referrer-Policy
- Strict-Transport-Security (HSTS)
Custom Headers:
- Supports adding or removing of any configured header name.

Coming in version 4!

User Friendly Interface: Manage your security.txt files in an easy to interface that is familiar to users of Stott Robots Handler.
Multi-Domain / Host Support: Write a single security.txt file for your entire CMS, or create them by site or even specific host.

Previews: A preview screen that will show you your complete collection of compiled headers.
Headless Support: APIs can be consumed by your headless solution to serve headers using middleware in well known headless providers.
Import/Export: Export all your settings to back them up before making sweeping changes and import them to roll them back to a known state.
Fully Audited: All changes made within the add-on are audited complete with field value changes.
Audit Reporting: Review all changes made to settings by user, date or record type.
Validation: Client side and server side validation with visual feedback to prevent configuration errors

Articles

Getting Started with Stott Security for Optimizely CMS

Published: 30th April 2026

A step-by-step getting started guide to installing and configuring the Stott Security add-on for Optimizely CMS, covering NuGet install, service registration, host-level header variation, and your first Content Security Policy.

Optimizely Stott Security

Read Article

Stott Security Version 7

Published: 9th April 2026

Introducing Stott Security v7 which has been built on Optimizely CMS 13 and .NET 10 and updates all features to support and multi application and host configurations.