How does Power Pages help to protect against clickjacking?
Clickjacking loads a page inside an iframe (or another framing component) on an attacker-controlled site and overlays it so that the user's clicks and keystrokes go to the hidden page instead of the one they think they're interacting with.
Power Pages provides the HTTP/X-Frame-Options site setting, which defaults to SAMEORIGIN, to protect against clickjacking attacks. Browsers also honor the Content Security Policy frame-ancestors directive, and it takes precedence over X-Frame-Options when both are present, so a pen test tool that checks either header should be satisfied.
More information: Set up HTTP headers in Power Pages
Does Power Pages support Content Security Policy?
Power Pages supports Content Security Policy (CSP). A policy that's too strict blocks the scripts and styles the site depends on, so test the site extensively after enabling CSP.
More information: Manage your site's Content Security Policy
Does Power Pages support HTTP Strict Transport Security (HSTS)?
By default, Power Pages redirects HTTP requests to HTTPS. If a scanner flags a missing Strict-Transport-Security header, check whether the flagged request was blocked at the App Service level: if the response wasn't successful (status code 400 or higher), the finding is a false positive.
Why do pen test tools report cookies without the HttpOnly/SameSite flags?
Power Pages sets the HttpOnly and SameSite flags on every critical cookie. Some noncritical cookies are set without these flags; findings on those cookies shouldn't be considered a vulnerability.
More information: Cookies in Power Pages
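The four findings above (framing restriction, CSP, HSTS, cookie flags) are the ones most scanners raise, and the false-positive rules are easy to get wrong by hand. The script below is an added example, not Power Pages code: it parses a captured HTTP response and applies those rules, including skipping HSTS on a non-successful response and downgrading missing flags on noncritical cookies to informational. The sample responses, and the cookie names SessionId and theme, are constructed for the example; replace CRITICAL_COOKIES with the names your site actually treats as critical (see the Cookies in Power Pages page).

```python
"""Audit a captured HTTP response for the header and cookie findings pen-test
tools commonly report. Added example; the responses and cookie names are
constructed for illustration, not captured from a real site."""
import re

ONE_YEAR = 31536000  # HSTS max-age most scanners (and preload lists) expect


def parse_response(raw):
    """Split a raw response (status line plus headers) into (status, [(name, value)])."""
    lines = raw.strip("\r\n").splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value):
    """Return (cookie name, {attribute: value}); bare flags such as HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return parts[0].partition("=")[0].strip(), attrs


def csp_directive(csp, directive):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def audit(raw, critical_cookies):
    """Return [(severity, message)] for the response; severity is high/medium/low/info."""
    status, headers = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []

    # Clickjacking: X-Frame-Options SAMEORIGIN/DENY, or CSP frame-ancestors (which wins if both exist).
    xfo = [v.upper() for v in values("x-frame-options")]
    csp = values("content-security-policy")
    frame_ancestors = csp_directive(csp[0], "frame-ancestors") if csp else None
    if not any(v in ("SAMEORIGIN", "DENY") for v in xfo) and not frame_ancestors:
        findings.append(("high", "no framing restriction: set X-Frame-Options SAMEORIGIN or CSP frame-ancestors"))

    # CSP: present, and scripts not allowed via 'unsafe-inline' (script-src falls back to default-src).
    if not csp:
        findings.append(("medium", "Content-Security-Policy missing"))
    else:
        script_src = csp_directive(csp[0], "script-src") or csp_directive(csp[0], "default-src") or []
        if "'unsafe-inline'" in script_src:
            findings.append(("medium", "CSP allows 'unsafe-inline' scripts; test a stricter policy"))

    # HSTS: only assessable on a successful response; a flag on a 4xx/5xx is a false positive.
    hsts = values("strict-transport-security")
    if status >= 400:
        findings.append(("info", f"status {status}: request not successful, HSTS flag on it is a false positive"))
    elif not hsts:
        findings.append(("medium", "Strict-Transport-Security missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append(("low", "HSTS max-age shorter than one year"))

    # Cookies: critical ones need HttpOnly, Secure and SameSite; the rest are informational only.
    for value in values("set-cookie"):
        name, attrs = parse_set_cookie(value)
        missing = ", ".join(f for f in ("httponly", "secure", "samesite") if f not in attrs)
        if missing and name in critical_cookies:
            findings.append(("high", f"critical cookie {name} missing {missing}"))
        elif missing:
            findings.append(("info", f"noncritical cookie {name} missing {missing}: not a vulnerability"))
    return findings


# Constructed samples; SessionId and theme are placeholder cookie names, not real Power Pages cookies.
CRITICAL_COOKIES = {"SessionId"}
HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SessionId=abc; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""
WEAK = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=300
Set-Cookie: SessionId=abc; Path=/
"""
BLOCKED = "HTTP/1.1 403 Forbidden\n"

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK), ("blocked", BLOCKED)):
        print(label, *[f"  [{sev}] {msg}" for sev, msg in audit(raw, CRITICAL_COOKIES)], sep="\n")
```

Run it against the raw response you captured from the scanner's evidence (status line and headers); the "blocked" sample shows why a 403 from the App Service layer produces an informational note rather than an HSTS finding.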
My pen test report flags end-of-life/obsolete software (Bootstrap 3). What should I do about it?
Bootstrap 3 is end of life, but there are no known vulnerabilities in it as used by Power Pages. To clear the finding, you can migrate your site to Bootstrap 5.
What ciphers does Power Pages support? What's the roadmap of continuously moving toward stronger ciphers?
All Microsoft services and products are configured to use the approved cipher suites, in the exact order directed by the Microsoft Crypto Board.
For the full list and exact order, see the Power Platform documentation.
Information about deprecations of cipher suites is communicated through Power Platform's Important Changes documentation.
Why does Power Pages still support the RSA-CBC cipher suites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), which are considered weaker?
Microsoft weighs the relative risk against the disruption to customer operations when choosing which cipher suites to support. The RSA-CBC cipher suites haven't been broken. They're enabled for consistency across Microsoft services and products and to support all customer configurations, but they sit at the bottom of the priority list, so in practice they're selected only when a client offers nothing stronger.
We deprecate ciphers based on the Microsoft Crypto Board's continuous assessment.
More information: Which TLS 1.2 cipher suites are supported by Power Pages?
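Because the server puts the CBC suites last, whether a connection ever uses them depends on what the client offers. The following added example (not Power Pages code) uses Python's ssl module to list the suites a client context puts in its ClientHello, check whether the two suites named above are among them, and build a hardened context that offers only ECDHE with AEAD bulk ciphers for TLS 1.2. The function names and the cipher string are this example's own choices; the OpenSSL names ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 correspond to the IANA suites quoted above.

```python
"""List the cipher suites a TLS client context will offer and show how to drop
the CBC suites discussed above. Added example, not Power Pages code: it
audits and hardens the client side, which is the part you control."""
import ssl

# IANA names from the text mapped to their OpenSSL names; the hex IDs are the ones quoted above.
CBC_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": ("ECDHE-RSA-AES128-SHA256", 0xC027),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": ("ECDHE-RSA-AES256-SHA384", 0xC028),
}


def offered_ciphers(ctx):
    """OpenSSL names of the suites this context puts in its ClientHello, in preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def is_cbc(openssl_name):
    """OpenSSL names for AEAD suites carry GCM, CCM or CHACHA20; the remaining suites a
    default context offers are CBC-mode."""
    return not any(tag in openssl_name for tag in ("GCM", "CCM", "CHACHA20"))


def cbc_offered(ctx):
    return [name for name in offered_ciphers(ctx) if is_cbc(name)]


def report(ctx):
    """Whether each suite from the text is offered by the context, keyed by IANA name."""
    offered = set(offered_ciphers(ctx))
    return {iana: openssl in offered for iana, (openssl, _) in CBC_SUITES.items()}


def hardened_context():
    """Client context that offers only ECDHE key exchange with AEAD bulk ciphers for TLS 1.2.
    TLS 1.3 suites are AEAD by definition and are not affected by set_ciphers()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    default = ssl.create_default_context()
    print("default context offers CBC suites:", cbc_offered(default))
    print("suites from the text offered by default:", report(default))
    hardened = hardened_context()
    print("hardened context offers CBC suites:", cbc_offered(hardened))
    print("suites from the text offered after hardening:", report(hardened))
```

What the default context reports depends on the OpenSSL build Python was linked against; the hardened context never offers the two suites, so a connection from it can only negotiate an AEAD suite regardless of the server's list.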
How does Power Pages protect against Distributed Denial of Service (DDoS) attacks?
Power Pages is built on Microsoft Azure and uses Azure DDoS Protection to guard against DDoS attacks. Placing the out-of-the-box Azure Front Door integration or a third-party web application firewall (WAF) in front of the site adds another layer of protection.
More information:
My pen test report flags a vulnerability in CKEditor. How do I mitigate it?
The RTE PCF control will replace CKEditor soon. To mitigate the finding before the RTE PCF control is released, disable CKEditor by setting the site setting DisableCkEditorBundle to true. Once CKEditor is disabled, a plain text field replaces it, so rich-text fields lose their editing toolbar until the new control is available.
How do I protect my website against XSS attacks?
Always HTML-encode data from an untrusted source before rendering it, using the encoding that matches the context the value is inserted into (HTML body, attribute, or URL); encoding at output time is what stops injected markup from being parsed as part of the page.
More information: Available encoding filters.
How do I protect my site from injection attacks?
By default, the ASP.NET request validation feature is enabled on Power Pages forms to prevent script-injection attacks. If you're building your own form on top of the Web API, apply the following measures yourself:
- Sanitize HTML in user input coming from any form or data control that uses the Web API.
- Validate and encode all input and output data before rendering it on the page. This includes data fetched via Liquid or the Web API and data inserted into or updated in Dataverse through those channels.
- If you need special checks before form data is inserted or updated, write Dataverse plugins that validate the data on the server side, where a client can't bypass them.
More information: Power Pages security white paper.
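The XSS and injection guidance above comes down to three distinct controls that are easy to conflate: context-aware output encoding, allowlist sanitization for fields that legitimately hold HTML, and server-side validation of the value's shape. The following added example (not Power Pages code, and not a substitute for the Liquid encoding filters linked above) shows all three in plain Python so the effect of each can be inspected. The attacker inputs, the display-name pattern, and the allowed tag list are constructed for the example.

```python
"""Context-aware output encoding, allowlist HTML sanitization and server-side
validation for untrusted form input. Added example in plain Python (not Power
Pages code) so each step can be inspected; the inputs are constructed."""
import html
import json
import re
from html.parser import HTMLParser

# Constructed attacker input for a "display name" field.
EVIL = "<img src=x onerror=alert(1)>"


def render_unsafe(display_name):
    """What a template does when it interpolates raw data: the payload becomes markup."""
    return f"<p>Welcome, {display_name}</p>"


def render_html(display_name):
    """HTML body context: encode the significant characters so the payload stays text."""
    return f"<p>Welcome, {html.escape(display_name)}</p>"


def render_attr(value):
    """Attribute context: quote the attribute and encode quotes so it cannot be closed early."""
    return f'<input name="displayName" value="{html.escape(value, quote=True)}">'


def render_js(value):
    """JavaScript context: JSON-encode, and neutralise "</" so "</script>" cannot end the block."""
    return "<script>var name = " + json.dumps(value).replace("</", "<\\/") + ";</script>"


# Allowlist sanitizer for fields that legitimately hold rich text: keep a few tags, keep href
# only with a safe scheme, drop everything else (including the bodies of script/style).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("https://", "http://", "/")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            return
        kept = [f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs
                if k in ALLOWED_ATTRS.get(tag, set()) and v and v.lower().startswith(SAFE_URL_PREFIXES)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text nodes are re-encoded, never passed through


def sanitize_html(fragment):
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


# Server-side validation (the check a pre-create/pre-update plugin would enforce): allowlist the shape.
NAME_RE = re.compile(r"[\w .'-]{1,64}")


def is_valid_display_name(value):
    return NAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print(render_unsafe(EVIL))
    print(render_html(EVIL))
    print(render_attr('" onmouseover="alert(1)'))
    print(render_js("</script><script>alert(1)</script>"))
    print(sanitize_html('<p>Hi <b>there</b><script>alert(1)</script><a href="javascript:alert(1)">x</a></p>'))
    print(is_valid_display_name("Ada Lovelace"), is_valid_display_name(EVIL))
```

Note the division of labour: validation rejects values that don't fit the field at all, sanitization is reserved for the few fields that must accept markup, and encoding is applied at every render regardless of what the other two did, because the same value may be rendered in several contexts.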