Security Headers

How to Implement Security Headers on IIS and Prevent Vulnerabilities.

In this article I will talk about HTTP Header types and walk you through the steps to secure website and IIS server from Clickjacking, code injection, MIME types, XSS, etc

Although you can apply some of this setting at the Code Level, however some prefer to set headers at the Server Level which I will cover in this post.

Content Security Policy – CSP

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring, which dynamic resources are allowed to load.

Any server side programming environment should allow you to send back a custom HTTP response header. You can also use your web server to send back the header

CSP have a multiple parameters, for details info refer to OWASP site, the following are the two most used parameters.

Parameter                Meaning

default-src                  Load everything from a defined source

script-src                     Load only scripts from defined source

You can use the HTTP Response Headers GUI in IIS Manager or add the following to your web.config:

 

Open IIS Manager and on the left hand tree, left click the site you would like to manage.

1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
2. Double click the “HTTP Response Headers” icon.
3. Right click the header list and select “Add”
4. For the “name” write “Content-Security-Policy” and for the value “default-src ‘self’”

 

  

Or add it to your web.config.

<configuration>

   <system.webServer>

      <httpProtocol>

         <customHeaders>

            <add name=” Content-Security-Policy” value=” default-src ‘self'” />

         </customHeaders>

      </httpProtocol>

   </system.webServer>

</configuration>

 

Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers.

X-Permitted-Cross-Domain-Policies

This header will allows to control and handle the requests over a cross domain. example you can restrict loading your site’s assets from other domain. (avoid resource abuse)

Value                                     Description

none                            no policy is allowed

master-only                allow only the master policy

all                                everything is allowed

by-content-only         Allow only a certain type of content. Example – XML

by-ftp-only                 applicable only for an FTP server

X-XSS-Protection

X-XSS-Protection header improve the security of your site against some types of XSS (cross-site scripting) attacks, and this is compatible with IE 8+, Chrome, Opera, Safari & Android.

The parameter for this header have four values.

Parameter              Meaning

0                                  XSS filter disabled

1                                  XSS filter enabled and sanitized the page if attack detected

1;mode=block           XSS filter enabled and prevented rendering the page if attack                                              detected

1;report=http://         XSS filter enabled and reported the violation if attack detected

example.com/report_URI

 

In this example I’ll use 1;mode=block

 

Setting X-XSS-Protection in IIS

You can use the HTTP Response Headers GUI in IIS Manager or add the following to your web.config:

Open IIS Manager and on the left hand tree, left click the site you would like to manage.

1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
2. Double click the “HTTP Response Headers” icon.
3. Right click the header list and select “Add”
4. For the “name” write “X-XSS-Protection” and for the value “1;mode=block”

Note: Google, Facebook, Github use this header, and most of the penetration testing consultancy will ask you to implement this.

X-Frame-Options

X-Frame-Options header is use to prevent Clickjacking vulnerability on your website. By setting  this header will prevents an attacker from iframing the content of your site into others.

The parameter for this header have three values.

Parameter                Meaning

SAMEORIGIN                      Frame/iframe of content is only allowed from the same site origin.

DENY                         Prevent any domain to embed your content using frame/iframe.

ALLOW-FROM         Allow framing the content only on particular URI.

 

In this example I’ll use “sameorigin”

Setting X-Frame-Options in IIS

You can do this in Web.config but IIS Manager is just as easy.

1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
2. Double click the “HTTP Response Headers” icon.
3. Right click the header list and select “Add”
4. For the “name” write “X-Frame-Options” and for the value “sameorigin”

 

Or add it to your web.config.

<configuration>

   <system.webServer>

      <httpProtocol>

         <customHeaders>

            <add name=”X-Frame-Options” value=”sameorigin” />

         </customHeaders>

      </httpProtocol>

   </system.webServer>

</configuration>

Note:

You can add frame-ancestors while still keeping X-Frame-Options for legacy browsers (if a browser supports CSP then X-Frame-Options is effectively ignored), it is important to set equivalent directives for both headers to avoid unexpected results, here’s a comparison of the directives:

frame-ancestors                 X-Frame-Options

none                                        DENY

self                                           SAMEORIGIN

<uri>                                       ALLOW-FROM <uri>

 

X-Content-Type-Options

Prevents from MIME-sniffing a response from the declared content-type by adding this header to your web page’s HTTP response, This header instruct browser to consider files types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”.

 

You can use the HTTP Response Headers GUI in IIS Manager or add the following to your web.config:

1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
2. Double click the “HTTP Response Headers” icon.
3. Right click the header list and select “Add”
4. For the “name” write “X-Content-Type-Options” and for the value “nosniff”

Or add it to your web.config.

<configuration>

   <system.webServer>

      <httpProtocol>

         <customHeaders>

            <add name=”X-Content-Type-Options” value=”nosniff” />

         </customHeaders>

      </httpProtocol>

   </system.webServer>

</configuration>

Strict-Transport-Security

Http Strict-Transport-Security (HSTS) header:  ensure all communication from a browser is sent over https (http Secure).

This prevents https click through prompts and redirects HTTP requests to HTTPS.

Before implementing this header, make sure that all your web page is accessible over HTTPS otherwise they will be blocked.

The parameter for this header have three values.

Parameter                Meaning

max-age                     Duration (in seconds) to tell a browser that requests are available                                      only over HTTPS.

includeSubDomains  Configuration is valid for subdomain as well.

preload                        Use if you would like your domain to be included in the HSTS                                             preload list

 

In this example I’ll use max-age=3600; includeSubDomains; preload

 

Setting Strict-Transport-Security  in IIS

You can do this in Web.config but IIS Manager is just as easy.

1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
2. Double click the “HTTP Response Headers” icon.
3. Right click the header list and select “Add”
4. For the “name” write “Strict-Transport-Security” and for the value “max-age=3600; includeSubDomains; preload”

for example after adding Security Headers the web.config file will looks-like

 

I hope this post will be useful to you. Email me at itmug.pro@gmail.com for corrections, additions, or any questions. Good luck!