Your application may be missing security headers that help prevent various kinds of attacks. HTTP security headers provide another layer of security by helping to mitigate attacks and security vulnerabilities.
Here we describe how to add those headers using IIS.
First, visit https://securityheaders.io to check which headers are missing.
The complete list is as follows.
- Open IIS Manager
- Select the Site you need to enable the header for
- Go to “HTTP Response Headers”
- Click “Add” under actions
- Enter the name and value, then click OK
- X-Content-Type-Options Header
Name : X-Content-Type-Options
Value : nosniff
- X-Frame-Options Header
Name : X-Frame-Options
Value : DENY
- X-XSS-Protection Header
Name : X-XSS-Protection
Value : 1; mode=block
- Content-Security-Policy Header
Name : Content-Security-Policy
Value : default-src 'self'
Name : Content-Security-Policy
Value : script-src 'self'
default-src : loads everything from the defined source
script-src : loads only scripts from the defined source
- Referrer-Policy Header
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Visit the following link for more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
For Apache HTTP Server, Nginx and MaxCDN, visit https://geekflare.com/http-header-implementation
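To re-check a site after adding the headers, the following added example (not part of the original article) audits a captured response head against the values listed above. The function names and the two sample responses are constructed for illustration; it accepts any of the eight listed Referrer-Policy values and only checks that the Content-Security-Policy defines default-src or script-src.

```python
# Added example: offline audit of a captured response head against this page's values.
ALLOWED = {  # header name -> accepted values (lowercase, whitespace removed)
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny"},
    "x-xss-protection": {"1;mode=block"},
    "referrer-policy": {
        "no-referrer", "no-referrer-when-downgrade", "origin",
        "origin-when-cross-origin", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin", "unsafe-url"},
}

def parse_headers(raw):
    """Return {lowercased header name: [values]}; repeated headers are kept."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                               # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_directive_names(policy):
    """Directive names in one Content-Security-Policy value."""
    return {part.split()[0].lower() for part in policy.split(";") if part.split()}

def audit(raw):
    """List findings for a response head; an empty list means nothing to fix."""
    headers, findings = parse_headers(raw), []
    for name, allowed in ALLOWED.items():
        values = headers.get(name)
        if not values:
            findings.append("missing: " + name)
            continue
        tokens = [t for v in values for t in v.split(",")]
        if any("".join(t.lower().split()) not in allowed for t in tokens):
            findings.append("unexpected value: " + name)
    policies = headers.get("content-security-policy")
    if not policies:
        findings.append("missing: content-security-policy")
    elif not any({"default-src", "script-src"} & csp_directive_names(p) for p in policies):
        findings.append("no default-src or script-src: content-security-policy")
    return findings

# Constructed sample response heads (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
x-frame-options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: same-origin
"""
BAD = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\nContent-Security-Policy: img-src *\r\n\r\n<html>"
```

Header names are matched case-insensitively and whitespace inside values is ignored, so `1;mode=block` and `1; mode=block` are treated the same.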