Overview
Customers running version 2.70 of the third-party add-on Stott Security might see sites that load indefinitely without any error message. Investigation showed that the Stott.Security.Optimizely plugin was the root cause. The problem came down to:
- An oversized Content Security Policy (CSP) header that exceeded the size limits enforced by browsers, CDNs and web servers.
- Outdated dependency versions and inefficient cookie handling.
- A related spike in database connections caused by less efficient caching in earlier plugin versions.
Current Resolution
- Temporary Workaround
  - Disable the plugin in your CMS to restore normal loading.
- Immediate Upgrade
  - Install v3.0.1 (on NuGet): it splits any CSP above 8 KB into grouped headers, preventing rejection. Make sure the combined length of all CSP headers does not exceed 16 KB.
  - Versions 2.8+ already fix the DB-connection spike.
- Next Release (v3.0.2, upcoming at the time of writing)
  - Will automatically simplify any CSP of 16 KB or more, dropping excess directives so that no policy ever exceeds the limits.
Steps to Trim Your CSP
- Collapse related directives (e.g. use script-src only, not the element/attribute variants).
- Lock defaults to 'self' for default-src, base-uri and frame-ancestors.
- Merge overlapping domains (https://*.one.example.com → https://*.example.com).
- Remove duplicate entries that differ only by a trailing slash.
- For heavy iframe use, consider frame-src 'self' https: only.
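The trimming steps above and the 8 KB / 16 KB header split described under Current Resolution, worked through in Python as an added example. This is not the Stott.Security.Optimizely plugin's code: the merge and split rules are my own, the sample policy is constructed, and the only facts relied on are that browsers enforce each Content-Security-Policy header independently, that a header's default-src only fills in fetch directives missing from that same header, and that *.example.com matches sub-domains but not example.com itself.

```python
"""Added example (not the Stott Security plugin's code): trim a CSP string,
measure it, and split it into size-bounded headers without changing what
the policy allows."""

MAX_HEADER_BYTES = 8 * 1024   # per-header bound the article gives for v3.0.1
MAX_TOTAL_BYTES = 16 * 1024   # combined bound the article gives

# Fetch directives: when one is absent from a header, that header falls back
# to its own default-src for that resource type (CSP3 behaviour).
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "prefetch-src",
    "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "worker-src",
}


def parse_csp(policy):
    """Split a policy string into {directive: [source, ...]}, keeping order."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        # Browsers ignore a repeated directive, so the first occurrence wins.
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize(directives):
    """Join directives back into one header value."""
    return "; ".join(" ".join([name] + srcs) for name, srcs in directives.items())


def normalize_source(src):
    # "https://cdn.example.com/" and "https://cdn.example.com" match the same
    # URLs, so drop the slash on a bare host (real paths are left intact).
    if "://" in src and src.endswith("/") and src.count("/") == 3:
        return src[:-1]
    return src


def covered_by(wide, narrow):
    """True if wildcard expression `wide` (scheme://*.host) already allows `narrow`.
    Entries with ports or paths are never merged, which is the conservative choice."""
    if "://*." not in wide or "://" not in narrow:
        return False
    scheme, _, host = wide.partition("://*.")
    nscheme, _, nhost = narrow.partition("://")
    if nhost.startswith("*."):
        nhost = nhost[2:]
    # *.example.com matches sub-domains only, never example.com itself.
    return scheme == nscheme and nhost.endswith("." + host)


def trim_sources(sources):
    """Drop duplicates and entries a wildcard already implies; never widens the policy."""
    kept = []
    for src in sources:
        norm = normalize_source(src)
        if norm not in kept:
            kept.append(norm)
    return [s for s in kept if not any(w != s and covered_by(w, s) for w in kept)]


def trim_policy(policy):
    return {name: trim_sources(srcs) for name, srcs in parse_csp(policy).items()}


def split_policy(directives, max_bytes=MAX_HEADER_BYTES):
    """Split one policy into several header values, each <= max_bytes where possible.
    Moving script-src to a second header would let the first header's default-src
    restrict scripts too, so when default-src is present it and every fetch
    directive stay together; only the remaining directives (frame-ancestors,
    base-uri, form-action, report-uri, ...) are spread over further headers."""
    bound = {}
    if "default-src" in directives:
        bound = {n: s for n, s in directives.items()
                 if n == "default-src" or n in FETCH_DIRECTIVES}
    free = {n: s for n, s in directives.items() if n not in bound}
    headers = [serialize(bound)] if bound else []
    current = {}
    for name, srcs in free.items():
        if current and len(serialize({**current, name: srcs}).encode()) > max_bytes:
            headers.append(serialize(current))
            current = {}
        current[name] = srcs
    if current:
        headers.append(serialize(current))
    return headers


def check_headers(headers, max_bytes=MAX_HEADER_BYTES, max_total=MAX_TOTAL_BYTES):
    """Report per-header and combined sizes against the article's limits."""
    sizes = [len(h.encode()) for h in headers]
    return {"sizes": sizes, "total": sum(sizes),
            "ok": all(s <= max_bytes for s in sizes) and sum(sizes) <= max_total}


# Constructed sample policy containing the redundancies the trimming steps target.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com https://cdn.example.com/ "
    "https://*.one.example.com https://*.example.com; "
    "img-src 'self' data:; frame-ancestors 'self'; base-uri 'self'"
)

if __name__ == "__main__":
    trimmed = trim_policy(SAMPLE_POLICY)
    print(serialize(trimmed))
    # A tiny bound makes the split visible on this small sample.
    for header in split_policy(trimmed, max_bytes=64):
        print(len(header.encode()), header)
    print(check_headers(split_policy(trimmed)))
```

Two points worth keeping in mind when applying this to a real policy. Removing duplicates and wildcard-covered entries leaves the effective policy unchanged, whereas dropping whole directives (as the auto-simplify in v3.0.2 is described to do) relaxes whatever that directive governed to its default-src fallback or to unrestricted, so review any automatically shortened policy before relying on it. And if the default-src plus fetch-directive group alone is still above 8 KB, no safe header split exists; the source lists themselves have to be trimmed first, which is exactly what check_headers will flag.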
CDN Reminder
After updating, purge your CDN cache (e.g. Cloudflare) so new headers take effect.