Posted 1 Jan 2018


Securing HTTP response header via IIS

Options for hardening the HTTP response headers that IIS sends


Managing HTTP response headers properly increases the security of your web site and makes it harder to breach. HTTP headers are name-value pairs of strings that the server sends back along with the page content. Several of them carry security policies that the client browser enforces, so a correctly configured set of headers gives visitors a safer browsing experience even when the page itself has a weakness.

Content Security Policy (CSP)

CSP lets you restrict where a page may load resources from. A well-chosen policy reduces the chance that injected markup can pull malicious code in from another domain. Note that a directive only governs its own resource type: a policy containing nothing but script-src leaves images, styles and frames unrestricted, so set default-src as the fallback. Some common name/value pairs for the CSP header:

Content-Security-Policy: default-src 'self'; (Allow everything, but only from the same origin)
Content-Security-Policy: script-src 'self'; (Only allow scripts from the same origin; other resource types stay unrestricted)
Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com; (Allow scripts from Google Analytics, the Google AJAX CDN and the same origin)
Content-Security-Policy: default-src https: (Allow any asset to be loaded over HTTPS from any origin)
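To see how a browser actually applies these policies, the following added example (written for this page, not code from the article or from IIS) parses a CSP header and decides whether a page at a given origin may load a resource of a given type from a given URL. It covers only the source forms used above ('self', a bare scheme such as https:, and host names, plus *.wildcards); nonces, hashes and path matching are out of scope. The page and resource URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Directive consulted for each resource type; each falls back to default-src.
FETCH_DIRECTIVES = {
    "script": "script-src", "style": "style-src", "img": "img-src",
    "font": "font-src", "connect": "connect-src", "frame": "frame-src",
}


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}.
    A repeated directive is ignored, as browsers do (the first occurrence wins)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _origin(url: str) -> tuple:
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def source_matches(source: str, page_url: str, resource_url: str) -> bool:
    """Does one source expression permit resource_url for a page served at page_url?"""
    scheme, host, _port = _origin(resource_url)
    if source == "'self'":
        return _origin(page_url) == _origin(resource_url)
    if source.startswith("'"):                      # 'none', 'unsafe-inline', nonces, hashes
        return False                                # never match a URL
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)   # host-source
    if src.scheme and src.scheme.lower() != scheme:
        return False
    src_host = (src.hostname or "").lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])          # *.example.com matches any subdomain
    return host == src_host


def is_allowed(policy: str, resource_type: str, page_url: str, resource_url: str) -> bool:
    """True if the policy lets a page at page_url load resource_url as resource_type."""
    directives = parse_csp(policy)
    sources = directives.get(FETCH_DIRECTIVES[resource_type])
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True        # neither the specific directive nor default-src: CSP imposes nothing
    return any(source_matches(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    PAGE = "https://www.example.com/index.html"    # constructed page URL
    POLICY = "default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com"
    for kind, url in [("script", "https://www.google-analytics.com/analytics.js"),
                      ("script", "https://evil.example.net/x.js"),
                      ("img", "https://ajax.googleapis.com/logo.png")]:
        print(f"{kind:6} {url:50} allowed={is_allowed(POLICY, kind, PAGE, url)}")
    # Without default-src, a script-src-only policy says nothing about images:
    print("img with script-src only:", is_allowed("script-src 'self'", "img", PAGE, "https://cdn.example.net/a.png"))
```

The third case in the demo shows the fallback rule: there is no img-src, so default-src 'self' applies and the CDN image is refused even though the CDN is whitelisted for scripts.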


Let’s see how to add a name-value pair in IIS Manager: select the site, open HTTP Response Headers and choose Add.

Image 1

Add the desired name-value pair.

Image 2
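IIS Manager persists what you enter in that dialog into the site's web.config, under system.webServer/httpProtocol/customHeaders, so the same result can be produced (and checked into source control) without the GUI. The following added example, written for this page rather than taken from the article, builds that fragment for a constructed set of the headers discussed here and parses it back; the header values are illustrative choices, not the article's.

```python
import xml.etree.ElementTree as ET

# Constructed header set for the demonstration; pick values that fit your site.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def custom_headers_fragment(headers: dict) -> str:
    """Return the <configuration> fragment IIS Manager writes for these headers.
    IIS rejects a second <add name="..."> with the same key at startup, so the
    duplicate is refused here (case-insensitively, as header names are)."""
    seen = set()
    root = ET.Element("configuration")
    coll = ET.SubElement(
        ET.SubElement(ET.SubElement(root, "system.webServer"), "httpProtocol"),
        "customHeaders")
    for name, value in headers.items():
        if name.lower() in seen:
            raise ValueError(f"duplicate customHeaders entry: {name}")
        seen.add(name.lower())
        ET.SubElement(coll, "add", name=name, value=value)
    if hasattr(ET, "indent"):          # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def headers_in_fragment(xml_text: str) -> dict:
    """Parse a web.config (or fragment) back into {name: value} for every customHeaders <add>."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value")
            for e in root.iterfind("./system.webServer/httpProtocol/customHeaders/add")}


if __name__ == "__main__":
    fragment = custom_headers_fragment(SECURITY_HEADERS)
    print(fragment)
    print(headers_in_fragment(fragment) == SECURITY_HEADERS)
```

Merge the generated customHeaders element into the existing web.config rather than replacing the file; the same element also accepts <remove name="..."/> entries if you need to drop a header set higher in the configuration hierarchy.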

X-Frame-Options

X-Frame-Options tells the browser whether the page may be rendered inside a frame or iframe. Without it, an attacker can embed your site in an iframe on a page they control and trick the user into clicking on it (clickjacking). The XFO header prevents this.

X-Frame-Options: DENY (The page may not be displayed in a frame at all, not even by your own site)
X-Frame-Options: SAMEORIGIN (The page can only be displayed in a frame on the same origin as the page itself)
X-Frame-Options: ALLOW-FROM (The page can only be displayed in a frame on the
Note: ALLOW-FROM is no longer honoured by current browsers; the CSP frame-ancestors directive is the supported way to allow a specific origin.



HTTP Strict-Transport-Security (HSTS)

HTTP Strict-Transport-Security (HSTS) instructs the browser to talk to the site only over HTTPS, never plain HTTP. Say a user still has an old http:// bookmark: once the browser has seen the header, it rewrites the bookmark to https:// itself, before any request leaves the machine. The browser only honours the header on a response that arrived over HTTPS, and a cached policy cannot be withdrawn until max-age expires, so start with a small value and raise it once every host and subdomain is confirmed to work over TLS.

Strict-Transport-Security: max-age=31536000; includeSubDomains (Enforce TLS on your site for one year, including subdomains)


X-XSS-Protection

This header turns on the browser's built-in reflected-XSS filter, which detects script from the request being echoed into the response and strips the suspicious parts or blocks the page. Treat it as a legacy setting: Chrome and Edge have since removed the filter and Firefox never implemented it, so CSP is the mechanism to rely on.

X-XSS-Protection: 0 (Disable the filter)
X-XSS-Protection: 1; mode=block (Enable the filter and block the whole page instead of sanitising it)



HTTP Public Key Pinning (HPKP)

HPKP is a security feature configured through the HTTP response that tells the browser which public keys to expect in the site's certificate chain, so a forged certificate issued by a compromised or misbehaving CA is rejected. Each pin is the Base64-encoded SHA-256 hash of a certificate's Subject Public Key Info. A header with sample (made-up) pins looks like this:

Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; max-age=10; includeSubDomains

Note:

If the header is wrong, your site becomes inaccessible to every browser that cached the pins, for the whole max-age. Use a short max-age for live tests. Always include a backup pin for a key that is not yet in the served chain; the browser ignores a header with fewer than two pins, and a single key with no backup means losing that key locks users out. HPKP has since been deprecated and removed from major browsers (Chrome and Firefox no longer enforce it), so treat this section as legacy and do not deploy it on new sites.

The following article describes how to generate the pins from an installed certificate,

When renewing the certificate, compute the Base64 pin of the new public key, remove the retired key's pin from the previous header and add the new one, so that the header always carries the active key plus at least one backup.
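The pin computation and the renewal step above, as an added example written for this page (not the article's code and not the linked article's): the pin is the Base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, which openssl produces with "openssl x509 -pubkey -noout | openssl pkey -pubin -outform der". The PEM/DER helpers, the header builder and the rotation function are assumptions of this example; the pin strings in the demo are the article's sample values and the key bytes are constructed, not a real key.

```python
import base64
import hashlib


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- lines of a PEM block and decode the Base64 body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """Inverse of pem_to_der, with the 64-column body that openssl emits."""
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def spki_pin(spki_der: bytes) -> str:
    """The pin-sha256 value: Base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(pins, max_age: int, include_subdomains: bool = True) -> str:
    """Assemble Public-Key-Pins. RFC 7469 requires at least two pins, one of them for a
    backup key that is not in the currently served chain; otherwise browsers ignore it."""
    pins = list(dict.fromkeys(pins))                 # de-duplicate, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs the active pin plus at least one backup pin")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def rotate_pins(current: list, retired_pin: str, new_backup_pin: str) -> list:
    """Certificate renewal: drop the retired key's pin and append a fresh backup pin, so the
    key that was the backup becomes the active one with no gap in coverage."""
    if retired_pin not in current:
        raise ValueError("retired pin is not in the current header")
    return [p for p in current if p != retired_pin] + [new_backup_pin]


if __name__ == "__main__":
    # Constructed bytes standing in for a DER SubjectPublicKeyInfo; not a real key.
    fake_spki = b"\x30\x00constructed, not a real SubjectPublicKeyInfo"
    print("pin for constructed key:", spki_pin(pem_to_der(der_to_pem(fake_spki))))
    sample = ["X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=",
              "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=",
              "isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="]
    print(hpkp_header(sample, max_age=10))
    renewed = rotate_pins(sample, retired_pin=sample[0], new_backup_pin=spki_pin(fake_spki))
    print(hpkp_header(renewed, max_age=10))
```

Run the rotation before the old certificate is retired, and keep the new backup key's private half offline: its only purpose is to be pinnable before it is ever served.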


Referrer-Policy

When someone follows a link, the destination site can see where the request came from through the Referer header, which may include the full URL of the originating page. Referrer-Policy controls how much of that URL the browser sends. The available options:

Referrer-Policy: no-referrer (No referrer information is sent with any request)
Referrer-Policy: no-referrer-when-downgrade (Send the full URL, except when navigating from HTTPS to HTTP, where nothing is sent)
Referrer-Policy: origin (Only send the origin of the document as the referrer, in all cases)
Referrer-Policy: origin-when-cross-origin (Send the full URL for same-origin requests, but only the origin for cross-origin requests)
Referrer-Policy: same-origin (The browser only sets the referrer header on requests to the same origin. If the destination is another origin, no referrer information is sent)
Referrer-Policy: strict-origin (Like origin, but nothing is sent when navigating from HTTPS to HTTP, so the secure origin never leaks over plain HTTP)
Referrer-Policy: strict-origin-when-cross-origin (Full URL for same-origin requests, origin only for cross-origin requests, and nothing on an HTTPS to HTTP downgrade; this is the default current browsers apply when no policy is set)
Referrer-Policy: unsafe-url (The browser always sends the full URL with any request to any origin)


X-Content-Type-Options

This header stops the browser from sniffing a MIME type that differs from the Content-Type the server declared. Without it, a file that was uploaded as text or an image can end up being interpreted as a script or a style sheet. nosniff is the only defined value.

X-Content-Type-Options: nosniff

Once you have configured the response headers, use an online scanner/security tester to confirm that the site actually returns them with the values you intended.

Below is a snapshot of a site scanned using

Image 3
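An online scanner is essentially applying checks like the following to the raw response. This added example (written for this page, not the article's code or any particular scanner's) parses the header block of a constructed HTTP response and reports the weak settings it finds for the headers covered above: CSP, X-Frame-Options, HSTS, X-XSS-Protection, Referrer-Policy and X-Content-Type-Options. The sample response and the hardened header set are both constructed for the demonstration, and the thresholds (one-year HSTS, the referrer policies treated as leaky) are this example's choices.

```python
import re

# Constructed raw response, as a scanner would receive it; not from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-Content-Type-Options: NoSniff\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)

# Constructed header set that passes every check below.
HARDENED_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "SAMEORIGIN",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000


def parse_headers(raw: str) -> dict:
    """Header block of a raw HTTP response -> {lower-cased name: value}; first occurrence wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def audit(headers: dict, served_over_https: bool = True) -> list:
    """Return one finding string per weak or missing header; an empty list means all checks passed."""
    findings = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif "default-src" not in csp.lower():
        findings.append("CSP: no default-src, so resource types not listed are unrestricted")

    xfo = headers.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("XFO: header missing (page can be framed by any site)")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("XFO: ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"XFO: invalid value {xfo!r}")

    hsts = headers.get("strict-transport-security")
    if not served_over_https:
        findings.append("HSTS: only honoured when the response itself arrives over HTTPS")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("HSTS: max-age missing, header is ignored")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS: max-age {m.group(1)} is shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    if headers.get("x-content-type-options", "").lower() != "nosniff":   # value is case-insensitive
        findings.append("X-Content-Type-Options: should be nosniff")

    policy = headers.get("referrer-policy", "").lower()
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: full URLs leak cross-origin; prefer strict-origin-when-cross-origin or stricter")

    if headers.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection: enabled, but current browsers no longer implement the filter; rely on CSP")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
    print("hardened set:", audit(HARDENED_HEADERS) or "no findings")
```

Feed it the output of a real request (for example the header block saved from curl -i) to get the same report for your own site before and after the IIS changes.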


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Chamila Nishantha
Software Developer
Sri Lanka
