Managing HTTP response header properly increases the security of your web site, and make it hard to breach. Typically HTTP header contains name-value pair of strings which are sent back from server with the web page content. These headers are security policies to client browser which enable safer browsing with the policies imposed on header.
Content Security Policy (CSP)
CSP allows you to restrict the resource loading on a particular site. Applying proper header value decreases chance of injecting malicious code from different domains. Below are some of common name/value for CSP header,
Content-Security-Policy : default-src 'self'; (Allow everything but only from the same origin)
Content-Security-Policy : script-src 'self'; (Only Allow Scripts from the same origin)
Content-Security-Policy : script-src 'self' www.google-analytics.com ajax.googleapis.com; (Allow Google Analytics, Google AJAX CDN and Same Origin)
Content-Security-Policy : default-src https: (Allow any assets to be loaded over https from any origin)
Let’s see how to add the name-value pair on IIS.
Add the desired name value pair.
X-Frame option can be used to indicate browser should be allowed /or not an iframe. Simply, attacker can use your site on a iframe host on their site. This can be prevented by XFO header.
X-Frame-Options: DENY (Site can be iframed)
X-Frame-Options: SAMEORIGIN (The page can only be displayed in a frame on the same origin as the page itself)
X-Frame-Options: ALLOW-FROM https:
HTTP Strict-Transport-Security (HSTS) enforce browser to communicate only via https intead of http. Let’s say when you previously had a http bookmark which need to forced to use https.
Strict-Transport-Security: max-age=31536000; includeSubDomains (Policy will enforce TLS on your site for one year, including subdomains)
This Header is used to prevent XSS attacks which remove unsafe parts from cross site script injections.
X-XSS-Protection: 0; (Disable the protection)
X-XSS-Protection: 1;mode=block (Enable the protection)
HPKP is security feature which can be configured on HTTP response and prevent from forged certificates. After creating Base64 key, it will look like below (keys are samples).
Public-Key-Pins : 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; \ pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; \ pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; \ max-age=10; includeSubdomains';
If wrongly defined your site will be inaccessible. Use less "max-age" for live tests. Make sure to include backup keys. Never use a single key.
Below article describes to generate the keys from installed certificate,
When renewing the certificate, extract a public key using Base64, remove a one key from the previous header and include the new one.
When someone clicks on a links and landed on target, target can determine where is origin. Referrer policy enables control this behavior. Find available options.
Referrer-Policy: no-referrer (No referrer information sent over with the request)
Referrer-Policy: no-referrer-when-downgrade (The browser will not send the referrer header when navigating from HTTPS to HTTP)
Referrer-Policy: origin (Only send the origin of the document as the referrer in all cases.)
Referrer-Policy: origin-when-cross-origin (Send a full URL when performing a same-origin request)
Referrer-Policy: same-origin (The browser will only set the referrer header on requests to the same origin. If the destination is another origin then no referrer information will be sent.)
Referrer-Policy: strict-origin (Similar to origin above but will not allow the secure origin to be sent on a HTTP request, only HTTPS.)
Referrer-Policy: strict-origin-when-cross-origin (The browser will send the full URL to requests to the same origin but only send the origin when requests are cross-origin.)
Referrer-Policy: unsafe-url (Browser will always send the full URL with any request to any origin.)
It prevent browser from sniffing mime type away from the server.
X-Content-Type-Options : nosniff
Once you have configured HTTP response, use a online scanner/security tester to test the site.
Below is a snapshot of a site scanned using https://securityheaders.io