Configure the IIS Server to Use the Content-Security-Policy Header

I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".

I understand the procedure for adding these headers, but I'm not sure what the values of these keys should be.

https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx

http://content-security-policy.com/

Please advise. Thanks

+5
4 answers

From this post, it looks like you are defining your content security policy (and, in turn, populating these headers) directly in your IIS configuration file. An example from a related post

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

demonstrates how to do this: in your configuration file, in the httpProtocol section, add an entry to the customHeaders collection containing a name (i.e. "Content-Security-Policy") and a value that defines the CSP you want to implement. The above example is a very simple CSP that only allows resources to be loaded from the site itself ('self').

The second resource you linked lists the various directives that you can use in your customHeader value, with examples of their valid values. Keep in mind that the directives should be ;-separated, and the line should end with a final ;.

+8

The Open Web Application Security Project (OWASP) has several example content security policies and some useful links in its Content Security Policy Cheat Sheet, under Clickjacking Prevention:

To prevent any framing of your content:

 Content-Security-Policy: frame-ancestors 'none' 

To allow only your site, use:

 Content-Security-Policy: frame-ancestors 'self' 

To allow a trusted domain (my-trusty-site.com), use:

 Content-Security-Policy: frame-ancestors my-trusty-site.com 

The Mozilla Developer Network has the full syntax and examples for Content-Security-Policy and X-Content-Type-Options:

 X-Frame-Options: DENY
 X-Frame-Options: SAMEORIGIN
 X-Frame-Options: ALLOW-FROM https://example.com/
 X-Content-Type-Options: nosniff 

Here is an example of X-XSS-Protection:

 X-XSS-Protection: 1; mode=block 
+3
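Putting the first two answers together, the following web.config is an added example (not code from either answer or from the linked resources) that sets all four headers asked about in the question in the customHeaders collection. It assumes the file sits at the site root, uses the 'self'-only policy from the first answer together with the frame-ancestors form from the OWASP cheat sheet, and leaves out the my-trusty-site.com variant; adjust the values to your own site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config at the site root (assumed location). Added example, not code
     from the original answers. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove any entry inherited from applicationHost.config or a parent
             web.config first: a second <add> with the same name at a child
             level is a duplicate collection entry, and IIS then answers every
             request with a 500.19 configuration error. -->
        <remove name="Content-Security-Policy" />
        <remove name="X-Frame-Options" />
        <remove name="X-Content-Type-Options" />
        <remove name="X-XSS-Protection" />

        <!-- Directives are ';'-separated and the value ends with a final ';'.
             Keyword sources such as 'self' must keep their single quotes.
             frame-ancestors 'self' is the CSP form of the clickjacking
             protection from the OWASP cheat sheet. -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; frame-ancestors 'self';" />

        <!-- X-Frame-Options is the fallback for browsers without
             frame-ancestors support; SAMEORIGIN matches frame-ancestors 'self'. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Stops browsers from MIME-sniffing a response away from its
             declared Content-Type. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Legacy reflected-XSS filter from the original question; harmless
             to send, but current browsers ignore it and rely on CSP instead. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Two things to check after deploying this. First, `default-src 'self'` blocks inline `<script>` and `<style>` blocks and `javascript:` URLs, so on an existing site it is safer to ship the same value under the `Content-Security-Policy-Report-Only` header name first and watch the browser console before switching to the enforcing header. Second, confirm with `curl -I https://your-site/` that each header appears exactly once; a duplicate usually means the same name is also added at the server level in applicationHost.config, which is what the `<remove>` lines are there to handle.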

An old question, but since Google sends you here...

I found a great builder for CSP options:

https://report-uri.io/home/tools/

Now this sounds like a "link-only answer", but in fact the link is a fully integrated CSP editor: you click the checkboxes, select the websites you need in the CSP, and the CSP string comes back configured for you (just copy and paste the result into your Content-Security-Policy header). I could not HOPE to reproduce that functionality in this answer, hence the link.

+2

On Server 2012 R2: open IIS Manager, click the IIS Home view, double-click HTTP Response Headers, click "Add" in the "Actions" section on the right, and add a Name and Value.

0
