Posted 1 Jan 2018
Securing HTTP response headers via IIS

Options for configuring the response headers

Introduction

Managing HTTP response headers properly increases the security of your web site and makes it harder to breach. An HTTP header is a name-value pair of strings that the server sends back along with the web page content. Security headers are policies addressed to the client browser, which enforces them to make browsing safer.

Content Security Policy (CSP)

CSP lets you restrict which resources a particular site may load. Applying a proper header value reduces the chance of malicious code being injected from other domains. Below are some common name/value pairs for the CSP header:

Content-Security-Policy: default-src 'self'; (Allow everything, but only from the same origin)
Content-Security-Policy: script-src 'self'; (Only allow scripts from the same origin)
Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com; (Allow Google Analytics, the Google AJAX CDN and the same origin)
Content-Security-Policy: default-src https: (Allow any asset to be loaded over HTTPS from any origin)

Let's see how to add the name-value pair in IIS.

Image 1

Add the desired name-value pair.

Image 2

X-Frame-Options

X-Frame-Options tells the browser whether the page may be rendered inside an iframe. Without it, an attacker can load your site in an iframe hosted on their own site. This can be prevented with the XFO header.

X-Frame-Options: DENY (The page cannot be displayed in a frame at all)
X-Frame-Options: SAMEORIGIN (The page can only be displayed in a frame on the same origin as the page itself)
X-Frame-Options: ALLOW-FROM https://example.com/ (The page can only be displayed in a frame on example.com)

Strict-Transport-Security

HTTP Strict-Transport-Security (HSTS) forces the browser to communicate only over HTTPS instead of HTTP. For example, if a user still has an old http:// bookmark, the browser will upgrade the request to https://.

Strict-Transport-Security: max-age=31536000; includeSubDomains (The policy enforces TLS on your site for one year, including subdomains)

X-XSS-Protection

This header enables the browser's built-in XSS filter, which removes the unsafe parts of cross-site script injections.

X-XSS-Protection: 0 (Disable the protection)
X-XSS-Protection: 1; mode=block (Enable the protection and block the page rather than sanitise it)

Public-Key-Pins

HPKP is a security feature configured in the HTTP response that protects against forged certificates. After creating the Base64 pins, the header looks like the one below (the keys are samples).

Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; max-age=10; includeSubDomains

Note: if the header is defined wrongly, your site becomes inaccessible. Use a short max-age for live tests. Always include backup keys; never pin a single key.

When renewing the certificate, extract the new public key as a Base64 pin, remove one of the old keys from the previous header and include the new one.

Referrer-Policy

When someone clicks a link and lands on the target page, the target can determine where the visitor came from. The Referrer-Policy header lets you control this behaviour. The available options are:

Referrer-Policy: no-referrer (No referrer information is sent with the request)
Referrer-Policy: no-referrer-when-downgrade (The browser will not send the Referer header when navigating from HTTPS to HTTP)
Referrer-Policy: origin (Only send the origin of the document as the referrer, in all cases)
Referrer-Policy: origin-when-cross-origin (Send the full URL for same-origin requests, but only the origin for cross-origin requests)
Referrer-Policy: same-origin (The browser only sets the Referer header on requests to the same origin; if the destination is another origin, no referrer information is sent)
Referrer-Policy: strict-origin (Similar to origin above, but the secure origin is only sent on HTTPS requests, never on HTTP)
Referrer-Policy: strict-origin-when-cross-origin (The browser sends the full URL on requests to the same origin but only the origin when requests are cross-origin)
Referrer-Policy: unsafe-url (The browser always sends the full URL with any request to any origin)

X-Content-Type-Options

It prevents the browser from MIME-sniffing the response and treating it as a type other than the one the server declared.

X-Content-Type-Options: nosniff

Once you have configured the response headers, use an online scanner/security tester to check the site.

Below is a snapshot of a site scanned using https://securityheaders.io.

Image 3
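The headers added through the IIS Manager dialog above are stored in web.config under system.webServer/httpProtocol/customHeaders, so the same check the online scanner performs can be run offline against that file before deploying. The Python below is an added example, not code from the article or from IIS: it parses a constructed sample web.config (with deliberately weak values) and reports headers that are missing or set to values the article warns against.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment: the structure IIS Manager writes when
# headers are added under "HTTP Response Headers". Two entries are deliberately weak.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self';" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Referrer-Policy" value="unsafe-url" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Headers the article covers (HPKP left out: it is optional and risky to get wrong).
REQUIRED = ("Content-Security-Policy", "X-Frame-Options", "Strict-Transport-Security",
            "X-XSS-Protection", "Referrer-Policy", "X-Content-Type-Options")

# Values that are present but defeat the header's purpose.
WEAK = {
    "Referrer-Policy": lambda v: v.strip().lower() == "unsafe-url",
    "X-Content-Type-Options": lambda v: v.strip().lower() != "nosniff",
    "Strict-Transport-Security": lambda v: "max-age=" not in v.replace(" ", "").lower(),
}

def load_custom_headers(xml_text):
    """Return {name: value} for each <add> under system.webServer/httpProtocol/customHeaders."""
    root = ET.fromstring(xml_text)
    path = "./system.webServer/httpProtocol/customHeaders/add"
    return {a.get("name", "").strip(): a.get("value", "") for a in root.iterfind(path)}

def audit_headers(headers):
    """Return sorted findings: 'missing: <name>' or 'weak: <name>=<value>'."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in REQUIRED:
        if name.lower() not in present:
            findings.append(f"missing: {name}")
        elif name in WEAK and WEAK[name](present[name.lower()]):
            findings.append(f"weak: {name}={present[name.lower()]}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_headers(load_custom_headers(SAMPLE_WEB_CONFIG))) or "no findings")
```

Point `load_custom_headers` at the real web.config text to audit a deployed site; only the customHeaders element is read, so the rest of the file is ignored.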

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Chamila Nishantha
Software Developer
Sri Lanka
