SharePoint - Is the "Clear-Site-Data" security header applicable to a SharePoint application?

Ching Song Lim 41 Reputation points
2023-07-07T07:12:56.8433333+00:00

Environment: SharePoint On-Premises 2019

Background: A security vulnerability requires the "Clear-Site-Data" security header to be added.

Description

  1. The SharePoint web application is using NTLM Windows authentication and there is no custom logout/sign-out feature on the application.
  2. We understand the above-mentioned security header is meant to clear user session and cookie data after logout from the application.

Question

  1. Since "Sign Out" on the user account only redirects to the "/signout.aspx" page and the session and cookies are not really cleared, we would like to check whether the security header is really applicable to the SharePoint application.
  2. Note: there is no plan to implement any workaround (like changing the authentication method or developing a new custom logout function); everything will be kept the same as OOTB.

1 answer

  1. Yanli Jiang - MSFT 29,126 Reputation points Microsoft Vendor
    2023-07-10T09:11:39.96+00:00

    Hi @Ching Song Lim ,

    Welcome to Q&A forum!

    You can add the "Clear-Site-Data" security header to a SharePoint 2019 site:

    1. Open Internet Information Services (IIS) Manager on the SharePoint server.
    2. Select the website that you want to add the header to.
    3. Click on the "HTTP Response Headers" feature.
    4. Click on "Add" in the right-hand pane to add a new header.
    5. In the "Name" field, enter "Clear-Site-Data".
    6. In the "Value" field, enter the types of data that you want to clear. For example, you can enter "cookies, cache, storage" to clear cookies, cache, and local storage data.
    7. Click "OK" to save the new header.

    Once you have added the "Clear-Site-Data" header, web browsers will be instructed to clear the specified types of data when a user navigates away from the SharePoint site.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
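As an added example that is not part of the answer above or Microsoft's documentation: the web.config fragment that the IIS Manager steps produce, with the weak site-wide form shown commented out beside the corrected form, which scopes the header to the sign-out page and writes each directive as a quoted string, as the Clear-Site-Data specification requires. The `_layouts/15/signout.aspx` path is an assumption about where the site's sign-out page lives.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for the SharePoint web application's IIS site.
     The sign-out page path is an assumption; adjust it to the site's actual page.
     Browsers honour Clear-Site-Data only over HTTPS (secure contexts). -->
<configuration>
  <!-- Weak form (shown for contrast only, do not ship both blocks):
       a site-wide header tells the browser to wipe cookies, cache and storage
       on EVERY response, and unquoted directives are ignored by browsers.
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Clear-Site-Data" value="cookies, cache, storage" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  -->

  <!-- Corrected form: header only on the sign-out page, each directive quoted.
       The header value sent on the wire is: "cache", "cookies", "storage" -->
  <location path="_layouts/15/signout.aspx">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Clear-Site-Data"
               value="&quot;cache&quot;, &quot;cookies&quot;, &quot;storage&quot;" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

Note that NTLM/Windows Integrated authentication does not rely on a session cookie: clearing cookies does not end the Windows sign-in, and the browser silently re-authenticates on the next request, which is the limitation the question raises. The header therefore removes cached pages and any cookies SharePoint set, but it does not turn the OOTB sign-out into a real logout in this configuration.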

