I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".

I got the procedure to add these headers, but I am not sure what the values of these keys should be. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx

http://content-security-policy.com/

Please suggest. Thanks

Gurmeet

7 Answers

From Ian Oxley's Sitepoint article - Improving Web Security with the Content Security Policy, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Content-Security-Policy" value="default-src 'self';" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

demonstrates how to do this: in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy") and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site (self) to be loaded.

The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.

reevesy
F. Stephen Q

An old question but since google drops you here...

I found a great "builder" for CSP options:

https://report-uri.io/home/tools/

Now this does appear to be a "link only answer" but in fact, the link is a fully built CSP editor, you click the boxes, select your websites you need in your CSP and the CSP string comes back configured for you (just copy and paste the result into your header for Content-Security-Policy). I couldn't HOPE to replicate the functionality in this answer hence the link.

AngryCarrotTop

Open Web Application Security Project (OWASP) has a couple of Content-Security-Policy examples and some useful links on their Content Security Policy Cheat Sheet under Preventing Clickjacking:

To prevent all framing of your content, use:

    Content-Security-Policy: frame-ancestors 'none'

To allow framing by your site only, use:

    Content-Security-Policy: frame-ancestors 'self'

To allow framing by a trusted domain (my-trusty-site.com), do the following:

    Content-Security-Policy: frame-ancestors my-trusty-site.com

Mozilla Developer Network has full syntax and examples for both Content-Security-Policy and X-Content-Type-Options:

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM https://example.com/

    X-Content-Type-Options: nosniff

Here is an X-XSS-Protection example:

    X-XSS-Protection: 1; mode=block

Community
JohnC
  • Updated links to OWASP's Cheat Sheet here: https://cheatsheetseries.owasp.org/ and Content-Security-Policy here: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html – Jeff Mergler Apr 30 '20 at 15:17


On Server 2012 R2:

  1. Open IIS Manager.
  2. Click on IIS Server Home.
  3. Double-click on HTTP Response Headers.
  4. Click Add under Actions on the right.
  5. Add the Name and Values.

James Skemp
Masud Khan

Content Security Policy settings can vary significantly from site to site based on whether scripts are local or you're using external CDNs, etc. So in order to try and find out the setting that best suits your app, you can use a Report Only version:

    <add name="Content-Security-Policy-Report-Only" value="default-src 'self'" />

Per this blog entry:

By adding this header instead of Content-Security-Policy, the browser will keep telling when something isn't allowed, but allow it anyway. This way you can keep an eye on the console, when running your website in production. When all error messages in the console are gone, you switch back to the original header.

Jeremy Caney
Jeff Mergler

    <add name="Content-Security-Policy" value="default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self' https://jquery.com; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com; font-src 'self' data: ;" />

Tamilselvan K

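An added example (not code from any of the answers on this page) that checks what the answers above configure: parse_csp() splits a Content-Security-Policy value into directives the way the first answer describes (';'-separated, trailing ';' tolerated), and audit_headers() flags the Report-Only header from the answer before last, the 'unsafe-inline' source in the policy just above, and a missing nosniff value. All header names and sample values are constructed.

```python
# Added example (not code from any answer on this page). parse_csp() splits a
# Content-Security-Policy value into directives as the answers describe it
# (';'-separated, trailing ';' optional); audit_headers() reports the settings
# a reviewer would question in the headers this question asks about.
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Turn "default-src 'self'; script-src ..." into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        parts = clause.split()
        if not parts:  # empty clause: tolerates the trailing ';'
            continue
        policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the CSP / nosniff / XSS-filter headers (empty = ok)."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are reported, not blocked")
        else:
            findings.append("no Content-Security-Policy header")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not given explicitly
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline': inline script is not blocked")
        if "frame-ancestors" not in policy:
            findings.append("no frame-ancestors directive: framing is not restricted")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "x-xss-protection" not in h:
        findings.append("no X-XSS-Protection header (legacy filter; CSP is the real control)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the permissive policy posted above, as a browser would see it.
    sample = {"Content-Security-Policy": "default-src 'unsafe-inline' 'self'; "
              "script-src 'unsafe-inline' 'self'; font-src 'self' data: ;",
              "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block"}
    for finding in audit_headers(sample):
        print("-", finding)
```
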
You can do this using the IIS URL Rewrite module:

    <outboundRules>
        <rule name="Add CSP header">
            <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
            <action type="Rewrite" value="default-src 'self'" />
        </rule>
    </outboundRules>

Using customHeaders in the web.config will not work for FastCGI on IIS.

Remember to add RESPONSE_Content_Security_Policy to the allowed server variables.

Jeremy Caney
David