The Web Plant Blog

Securing Your Site: Setting Security Headers when migrating to HubSpot CMS

Written by Vikram Singh | Feb 19, 2024 11:30:00 AM

Discover the significance of implementing proper security headers in your domain settings and learn how to do it effectively in HubSpot.

Understanding the Role of HTTP Security Headers

HTTP security headers play a crucial role in protecting your website from various security threats. These headers are additional lines of code that are included in the HTTP response from the server to the browser. They provide instructions to the browser on how to handle and protect the content of your website.

By implementing proper HTTP security headers, you can enhance the security of your website and protect it against common attacks such as cross-site scripting (XSS), clickjacking, and data sniffing. These headers help in preventing unauthorized access, ensuring data integrity, and maintaining user privacy.

When migrating to HubSpot CMS, it is important to understand the role of HTTP security headers and how to configure them correctly to ensure the security of your site.

Implementing HTTP security headers can enhance the trustworthiness of your website. When visitors see that your site has proper security measures in place, they are more likely to trust your brand and feel confident interacting with your content.

Common Types of HTTP Security Headers

There are several common types of HTTP security headers that you should consider implementing in HubSpot. These include:

  • Content Security Policy (CSP): CSP helps in preventing the execution of malicious scripts by allowing the browser to only load content from trusted sources. A good to way to check your CSP by using the tool provided by Google at https://csp-evaluator.withgoogle.com/

    A CSP will involve a typical code like this below which can include all your trusted sources and paste it in security settings:

    img-src *.mytrustedsourcesite.com data: *.hs-sites.com https://api-na1.hubapi.com *.ytimg.com 'self' *.linkedin.com https://static.hsappstatic.net https://*.google-analytics.com https://*.googletagmanager.com js.hscta.net *.hubspot.com *.hubspotusercontent-na1.net *.hubspotusercontent20.net *.hubspot.net cdn2.hubspot.net *.hsforms.net *.hsforms.com;

    connect-src 'self' https://cdn.linkedin.oribi.io *.doubleclick.net snap.licdn.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com *.hubapi.com js.hscta.net *.hubspot.com *.hs-banner.com *.hscollectedforms.net *.hsforms.com;

    frame-src 'self' *.hubspot.com *.hs-sites.com *.hubspot.net play.hubspotvideo.com  *.hsforms.net *.hsforms.com youtube.com www.youtube.com;

    style-src 'unsafe-inline' 'self' *.hubspot.com https://static.hsappstatic.net/  https://cdn.jsdelivr.net/ https://code.jquery.com/ https://cdnjs.cloudflare.com https://use.fontawesome.com/ *.hubspotusercontent20.net cdn2.hubspot.net  fonts.googleapis.com;

    font-src 'self' *.hubspot.com *.hubspotusercontent-na1.net fonts.gstatic.com cdn2.hubspot.net https://cdnjs.cloudflare.com  *.hubspotusercontent20.net;

    script-src 'self' 'strict-dynamic' https://cdn.jsdelivr.net/ https://code.jquery.com/ https://cdnjs.cloudflare.com https://use.fontawesome.com/ snap.licdn.com *.hsadspixel.net *.hs-analytics.net js.hscta.net *.hubspot.com static.hsappstatic.net *.usemessages.com *.hs-banner.com *.hubspotusercontent-na1.net *.hubspotusercontent20.net *.hubspot.net  *.hscollectedforms.net *.hsleadflows.net *.hsforms.net *.hsforms.com *.hs-scripts.com *.hubspotfeedback.com feedback.hubapi.com https://*.googletagmanager.com www.google-analytics.com 'nonce-in/IvwNA6jg0qWUA+NwHFw==';

    object-src 'none';

    base-uri 'none';

    upgrade-insecure-requests;


  • X-XSS-Protection: This header enables the built-in cross-site scripting (XSS) protection of modern browsers.
  • X-Frame-Options: X-Frame-Options header prevents clickjacking attacks by specifying whether your website can be displayed within an iframe.
  • Strict-Transport-Security (HSTS): HSTS header forces the browser to only access your website over HTTPS, ensuring a secure connection.
  • X-Content-Type-Options: This header prevents the browser from MIME-sniffing the response and strictly adheres to the declared content type.

By implementing these headers, you can significantly enhance the security posture of your HubSpot CMS.

How to Configure HTTP Security Headers in HubSpot

Configuring HTTP security headers in HubSpot is a straightforward process. Here are the steps to follow:

  1. Log in to your HubSpot account and navigate to your website settings.
  2. Go to the 'Domains & URLs' section and select the domain you want to configure.
  3. Scroll down to the 'Security' section and click on 'Edit' next to 'HTTP Security Headers'.
  4. Enable the headers you want to implement by toggling the respective switches.
  5. Customize the headers according to your specific requirements. HubSpot provides options to set values for each header.
  6. Save your changes and publish your website to apply the updated security headers.

It is recommended to test your website thoroughly after configuring the security headers to ensure they are implemented correctly and do not cause any compatibility issues.

Best Practices for Maintaining Robust Security Headers

To maintain robust security headers in HubSpot, it is important to follow these best practices:

  • Regularly review and update your security headers to stay protected against emerging threats. Stay informed about any changes or updates to recommended security header configurations.
  • Test your website after any updates or changes to the security headers to ensure they are functioning as intended and not causing any unintended issues.
  • Stay up to date with the latest security practices and industry standards to ensure you are implementing the most effective security headers.
  • Monitor your website for any security vulnerabilities or suspicious activities. Implement additional security measures, such as web application firewalls, to further enhance your website's security.

By following these best practices, you can maintain a strong security posture and protect your HubSpot CMS from potential security breaches.

When we perform a HubSpot CMS Migration, we make sure to have correct security settings before your site goes live.
View full post