I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".
I get the procedure to add these headers but i am not sure what should be the value of these keys. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx
http://content-security-policy.com/
Please suggest. Thanks
From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
</customHeaders>
</httpProtocol>
</system.webServer>
demonstrates how to do this; in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy" and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site (self) to be loaded.
The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.
An old question but since google drops you here...
I found a great "builder" for CSP options:
https://report-uri.io/home/tools/
Now this does appear to be a "link only answer" but in fact, the link is a fully built CSP editor, you click the boxes, select your websites you need in your CSP and the CSP string comes back configured for you (just copy and paste the result into your header for Content-Security-Policy). I couldn't HOPE to replicate the functionality in this answer hence the link.
Open Web Application Security Project (OWASP) has a couple of Content-Security-Policy examples and some useful links on their Content Security Policy Cheat Sheet under Preventing Clickjacking:
To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none'To allow for your site only, use:
Content-Security-Policy: frame-ancestors 'self'To allow for trusted domain (my-trusty-site.com), do the following:
Content-Security-Policy: frame-ancestors my-trusty-site.com
Mozilla Developers Network has full syntax and examples for both Content-Security-Policy and X-ContentTypeOptions:
X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/ X-Content-Type-Options: nosniff
Here is an X-XSS-Protection example:
X-XSS-Protection: 1; mode=block
On Server 2012 R2:
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 冷血范 的文章《Config your IIS server to use the “Content-Securit》','https://www.manongdao.com/article-572157.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}