How to Implement Security Headers on IIS and Prevent Vulnerabilities.
In this article I will cover the main HTTP security header types and walk you through the steps to protect your website and IIS server from clickjacking, code injection, MIME-type sniffing, XSS, etc.
Although you can apply some of these settings at the code level, some prefer to set headers at the server level, which is what I will cover in this post.
Content Security Policy – CSP
The Content-Security-Policy HTTP response header helps you reduce XSS risk on modern browsers by declaring which dynamic resources are allowed to load.
Any server-side programming environment should allow you to send back a custom HTTP response header; you can also have your web server send it.
CSP has many directives; for detailed information refer to the OWASP site. The following are the two most used:
| Parameter | Meaning |
|---|---|
| default-src | Load everything from a defined source |
| script-src | Load only scripts from a defined source |
You can use the HTTP Response Headers GUI in IIS Manager or add the header to your web.config.
In IIS Manager:
- Open IIS Manager and in the left-hand tree, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter "Content-Security-Policy" and for the value "default-src 'self'".
Or add it to your web.config:
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Note: sending both Content-Security-Policy and X-Content-Security-Policy or X-WebKit-CSP is known to cause unexpected behaviour on certain browser versions. Avoid using the deprecated X-* headers.
X-Permitted-Cross-Domain-Policies
This header lets you control how cross-domain requests (and the policy files that permit them) are handled; for example, you can stop other domains from loading your site's assets (avoiding resource abuse).
| Value | Description |
|---|---|
| none | No policy is allowed |
| master-only | Allow only the master policy |
| all | Everything is allowed |
| by-content-only | Allow only a certain type of content. Example: XML |
| by-ftp-only | Applicable only for an FTP server |
X-XSS-Protection
The X-XSS-Protection header improves the security of your site against some types of XSS (cross-site scripting) attacks and is supported by IE 8+, Chrome, Opera, Safari and Android.
This header takes one of four values.
| Parameter | Meaning |
|---|---|
| 0 | XSS filter disabled |
| 1 | XSS filter enabled; the page is sanitized if an attack is detected |
| 1;mode=block | XSS filter enabled; rendering of the page is blocked if an attack is detected |
| 1;report=http://example.com/report_URI | XSS filter enabled; the violation is reported if an attack is detected |
In this example I'll use 1;mode=block.
Setting X-XSS-Protection in IIS
You can use the HTTP Response Headers GUI in IIS Manager or add the header to your web.config.
In IIS Manager:
- Open IIS Manager and in the left-hand tree, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter "X-XSS-Protection" and for the value "1;mode=block".
Note: Google, Facebook and GitHub use this header, and most penetration-testing consultancies will ask you to implement it.
X-Frame-Options
The X-Frame-Options header is used to prevent clickjacking on your website. Setting it prevents an attacker from embedding your site's content in an iframe on another site.
This header takes one of three values.
| Parameter | Meaning |
|---|---|
| SAMEORIGIN | Framing of the content is only allowed from the same origin. |
| DENY | Prevents any domain from embedding your content in a frame/iframe. |
| ALLOW-FROM | Allows framing of the content only from a particular URI. |
In this example I'll use "sameorigin".
Setting X-Frame-Options in IIS
You can do this in Web.config but IIS Manager is just as easy.
- Open IIS Manager and in the left-hand tree, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter "X-Frame-Options" and for the value "sameorigin".
Or add it to your web.config.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="sameorigin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Note:
You can add the CSP frame-ancestors directive while keeping X-Frame-Options for legacy browsers (if a browser supports CSP, X-Frame-Options is effectively ignored). It is important to set equivalent directives in both headers to avoid unexpected results; here is a comparison of the directives:
| frame-ancestors | X-Frame-Options |
|---|---|
| 'none' | DENY |
| 'self' | SAMEORIGIN |
| <uri> | ALLOW-FROM <uri> |
X-Content-Type-Options
Adding this header to your web page's HTTP response stops the browser from MIME-sniffing the response away from the declared content type: it instructs the browser to treat files as the declared type and disallows content sniffing. There is only one value to add: "nosniff".
You can use the HTTP Response Headers GUI in IIS Manager or add the header to your web.config.
In IIS Manager:
- Open IIS Manager and in the left-hand tree, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter "X-Content-Type-Options" and for the value "nosniff".
Or add it to your web.config.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Strict-Transport-Security
The HTTP Strict-Transport-Security (HSTS) header ensures that all communication from a browser is sent over HTTPS (HTTP Secure).
This prevents HTTPS click-through prompts and makes the browser redirect HTTP requests to HTTPS.
Before implementing this header, make sure that all your web pages are accessible over HTTPS, otherwise they will be blocked.
This header takes three directives.
| Parameter | Meaning |
|---|---|
| max-age | Duration (in seconds) for which the browser should request the site only over HTTPS. |
| includeSubDomains | The policy applies to subdomains as well. |
| preload | Use if you would like your domain to be included in the HSTS preload list. |
In this example I'll use max-age=3600; includeSubDomains; preload.
Setting Strict-Transport-Security in IIS
You can do this in Web.config but IIS Manager is just as easy.
- Open IIS Manager and in the left-hand tree, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter "Strict-Transport-Security" and for the value "max-age=3600; includeSubDomains; preload".
For example, after adding the security headers, the web.config file will look like this:
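The combined file is not reproduced in this post. As an added check (example code, not the author's), the following script loads the customHeaders section of a web.config and flags the slips these snippets are prone to: stray whitespace in a name or value, a missing header, the obsolete ALLOW-FROM form, and a preload directive whose max-age is below the one year that hstspreload.org requires (the sample value max-age=3600 used above trips this check). The embedded web.config and the partner.example domain are constructed for the example.

```python
# Audit the <customHeaders> of an IIS web.config against the headers this post
# recommends. Added example; the sample config and partner.example are constructed.
import xml.etree.ElementTree as ET

RECOMMENDED = {"content-security-policy", "x-permitted-cross-domain-policies", "x-xss-protection",
               "x-frame-options", "x-content-type-options", "strict-transport-security"}
ONE_YEAR = 31536000  # hstspreload.org requires at least this max-age when preload is set

# Constructed sample with two deliberate slips: a leading space in a header name
# (a common copy/paste slip) and the obsolete ALLOW-FROM value.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy" value="default-src 'self'" />
    <add name="X-Frame-Options" value="ALLOW-FROM https://partner.example" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name=" X-XSS-Protection" value="1;mode=block" />
    <add name="Strict-Transport-Security" value="max-age=3600; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol></system.webServer></configuration>"""

def load_custom_headers(xml_text):
    """Return [(name, value)] exactly as written in every <customHeaders> block."""
    root = ET.fromstring(xml_text)
    return [(a.get("name", ""), a.get("value", ""))
            for block in root.iter("customHeaders") for a in block.findall("add")]

def hsts_max_age(value):
    """Parse max-age out of an HSTS value; None if absent or not a number."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None

def audit_custom_headers(pairs):
    """Return findings in a fixed order; an empty list means nothing to fix."""
    findings, seen = [], {}
    for name, value in pairs:
        if name != name.strip() or value != value.strip():
            findings.append(f"{name.strip()}: stray whitespace in name or value")
        seen[name.strip().lower()] = value.strip()
    findings += [f"{h}: missing" for h in sorted(RECOMMENDED - set(seen))]
    if seen.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        findings.append("x-frame-options: ALLOW-FROM is obsolete, use CSP frame-ancestors")
    hsts = seen.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) is None:
        findings.append("strict-transport-security: max-age missing")
    elif hsts is not None and "preload" in hsts.lower() and hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"strict-transport-security: preload needs max-age >= {ONE_YEAR}")
    return findings
```

To audit a real site, pass the contents of its web.config: `audit_custom_headers(load_custom_headers(open("web.config").read()))`.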
I hope this post will be useful to you. Email me at itmug.pro@gmail.com for corrections, additions, or any questions. Good luck!