Quickfix IIS Header Security
Quick version to improve client-side browser behaviour. These headers are a client-side best effort: the browser decides whether to honour them, so nothing is enforced server-side.
- remove the ASP.NET info leak (X-Powered-By)
- enforce HTTPS (Strict-Transport-Security)
- specify the thumbprints of the known expected certificate, intermediate and root for the website (Public-Key-Pins)
- whitelist content security sources (Content-Security-Policy)
- set X-Frame-Options, i.e. prevent your site from being loaded in an iframe
- enable XSS protection (X-Xss-Protection)
- disable content-type sniffing (X-Content-Type-Options)
Add the following to your website’s web.config
(yes, web.config needs `&quot;` around the thumbprints: the value attribute is itself double-quoted, so a literal " inside it would break the XML)
<httpProtocol>
  <customHeaders>
    <!-- drop the header IIS/ASP.NET adds by default -->
    <remove name="X-Powered-By" />
    <add name="Strict-Transport-Security" value="max-age=31536000" />
    <!-- each pin-sha256 is the base64-encoded SHA-256 of the certificate's public key (SPKI); the inner quotes must be &quot; -->
    <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
    <!-- 'unsafe-inline' and 'unsafe-eval' keep inline scripts working but also leave script injection unblocked; tighten when the site allows it -->
    <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-Xss-Protection" value="1; mode=block" />
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>
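The quoting trap above is easiest to avoid by letting an XML serializer do the escaping. The following is an added example (not part of the original post and not IIS tooling): it builds the same `<httpProtocol>` fragment with Python's standard ElementTree, which turns the inner `"` of the Public-Key-Pins value into `&quot;` automatically, then parses the fragment back to confirm the header value round-trips. The pin values are the post's placeholders, not real pins.

```python
import xml.etree.ElementTree as ET

# Placeholder pins copied from the post. Real pin-sha256 values are the
# base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo.
PINS = [
    "thumbprintofcertificate1",
    "thumbprintofcertificate2-intermediate",
    "thumbprintofcertificate3-rootcert",
]


def hpkp_value(pins, max_age=31536000):
    """Build the Public-Key-Pins header value; HPKP requires each pin in quotes."""
    return "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"


# The header set from the post, as a plain dict (values hold raw " characters).
HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Public-Key-Pins": hpkp_value(PINS),
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}


def build_http_protocol(headers, remove=("X-Powered-By",)):
    """Serialize a web.config <httpProtocol> fragment; ElementTree escapes attribute quotes."""
    root = ET.Element("httpProtocol")
    custom = ET.SubElement(root, "customHeaders")
    for name in remove:
        ET.SubElement(custom, "remove", name=name)
    for name, value in headers.items():
        ET.SubElement(custom, "add", name=name, value=value)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def header_values(xml_text):
    """Parse a fragment back and return {name: value} for every <add>."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("value") for a in root.iter("add")}


if __name__ == "__main__":
    fragment = build_http_protocol(HEADERS)
    print(fragment)
    # The parsed value contains literal quotes again, i.e. the escaping was correct.
    print(header_values(fragment)["Public-Key-Pins"])
```

Paste the printed fragment into `<system.webServer>` of the site's web.config; a hand-edited file should contain `&quot;` exactly where the generated one does.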
Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/
Check via https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on
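For an offline version of that check, here is an added example (not from the original post and not the securityheaders.io logic) that audits a response's headers the way the post's checklist does: it flags a leaked X-Powered-By, a missing or short HSTS max-age, a missing CSP or one that still allows 'unsafe-inline'/'unsafe-eval', and missing X-Frame-Options, X-Xss-Protection and nosniff. The two header sets are constructed samples standing in for a default IIS response and the response after applying the web.config above; any real headers can be dropped into the same dict shape.

```python
import re

# Constructed sample: a default IIS/ASP.NET response before the web.config change.
BEFORE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html",
}

# Constructed sample: the same site after adding the customHeaders block.
AFTER = {
    "Server": "Microsoft-IIS/10.0",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000


def max_age(value):
    """Return the max-age directive of an HSTS/HPKP value as int, or None if absent."""
    m = re.search(r"max-age=(\d+)", value or "")
    return int(m.group(1)) if m else None


def audit(headers):
    """Return {header: problem} for every checklist item the response fails."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = {}
    if "x-powered-by" in h:
        problems["X-Powered-By"] = "present; reveals the framework, remove it"
    age = max_age(h.get("strict-transport-security"))
    if age is None:
        problems["Strict-Transport-Security"] = "missing"
    elif age < ONE_YEAR:
        problems["Strict-Transport-Security"] = f"max-age {age} is shorter than one year"
    csp = h.get("content-security-policy")
    if csp is None:
        problems["Content-Security-Policy"] = "missing"
    else:
        weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'") if t in csp]
        if weak:
            problems["Content-Security-Policy"] = (
                "allows " + " and ".join(weak) + "; injected script is not blocked"
            )
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        problems["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN; page can be framed"
    if not h.get("x-xss-protection", "").startswith("1"):
        problems["X-Xss-Protection"] = "missing or disabled"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems["X-Content-Type-Options"] = "missing or not nosniff"
    return problems


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for name, msg in audit(hdrs).items():
            print(f"  {name}: {msg}")
```

The "after" set still produces one finding, for the CSP: the post's policy keeps inline scripts working, so this audit reports it as a remaining gap rather than a pass.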