Quickfix IIS Header Security

Quick version to improve client-side browser behaviour… (client-side best effort, so nothing is enforced…)

  • remove asp info
  • enforce https
  • specify thumbprint of known expected certificates and intermediate, and root for website
  • whitelist content security sources
  • set x-frame, aka preventing your site can be used in an iframe
  • enable xss protection
  • disable content type niffing

Add the following to your website’s web.config
(yes, web.config needs that ‘"’ around the thumbprints…)


 <httpProtocol>
  <customHeaders>
   <remove name="X-Powered-By" />
   <add name="Strict-Transport-Security" value="max-age=31536000" />
   <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
   <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
   <add name="X-Frame-Options" value="DENY" />
   <add name="X-Xss-Protection" value="1; mode=block" />
   <add name="X-Content-Type-Options" value="nosniff" />
   </customHeaders>
  </httpProtocol>
 

Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/

Check via https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on

 

 

Advertenties

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit / Bijwerken )

Twitter-afbeelding

Je reageert onder je Twitter account. Log uit / Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit / Bijwerken )

Google+ photo

Je reageert onder je Google+ account. Log uit / Bijwerken )

Verbinden met %s

%d bloggers liken dit: