Security Headers

Adding security headers to IIS

Published on Wednesday, February 17, 2021

Adding Security Headers to IIS using web.config

So you just set up a brand new website hosted in IIS and everything is finally functional.

Now it's time to head over to https://securityheaders.com and scan your site. You'll probably see a grade like this:

F

Bummer.

Thankfully, this can be fixed by telling IIS to return the missing security headers. Add a <customHeaders> section to your web.config; it lives inside <system.webServer>, under <httpProtocol>.

Here's an example for this site:

Note: Your values will be different based on the needs of your site, but this should give you a starting point.

<httpProtocol>
  <customHeaders>
    <clear /> <!-- Clear any existing headers -->
    <!-- Only script-src is set here, so this policy restricts scripts; other resource types stay unrestricted until a default-src is added -->
    <add name="Content-Security-Policy" value="script-src chase.banna.us fonts.googleapis.com cdn.jsdelivr.net" />
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Referrer-Policy" value="same-origin" />
    <!-- Permissions-Policy directives are comma-separated (the older Feature-Policy header used semicolons) -->
    <add name="Permissions-Policy" value="microphone=(), geolocation=()" />
  </customHeaders>
</httpProtocol>

Content-Security-Policy is the first header we'll add. It defines the list of approved content sources that the browser may load. This example sets only the script-src directive, so we are telling the browser it's allowed to load scripts from the following domains:

  • chase.banna.us
  • fonts.googleapis.com (fonts)
  • cdn.jsdelivr.net (JavaScript CDN)

Use caution here and make sure you include all the domains your site requests resources from. If you miss a domain, your site might not look or function correctly.

X-Frame-Options: SAMEORIGIN - Prevents other sites from hosting your site in an <iframe>.

X-Content-Type-Options: nosniff - Prevents the browser from trying to mime-sniff the content-type of a response.

Referrer-Policy: same-origin - Prevents the browser from including referrer headers when navigating from your site to another site. Referrer headers are still included when navigating to other pages on your site.

Permissions-Policy: microphone=(), geolocation=() - Controls which features and APIs can be used in the browser. In our example, microphone and geolocation are explicitly disabled. Note that Permissions-Policy separates its directives with commas; the semicolon form belongs to the older Feature-Policy header.
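An added example, not part of the original post, that does a quick offline version of the scan above: it parses a constructed raw response header block, reports which of the five headers are missing or carry weak values, and flags two slips that a presence-only check would not catch: a CSP with no default-src, and Permissions-Policy written with semicolons. The SAMPLE block is constructed to match the web.config above and is not a real capture.

```python
# Offline check of the five response headers this post adds. SAMPLE below is
# constructed (not a real capture) and deliberately keeps the semicolon form of
# Permissions-Policy so the syntax check fires.
EXPECTED = {
    "content-security-policy": None,  # any value; inspected separately below
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"},
    "permissions-policy": None,       # syntax inspected separately below
}

def parse_headers(raw: str) -> dict:
    """Turn a raw header block (status line + 'Name: value' lines) into a dict keyed by lowercased name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers: dict) -> list:
    """Return findings: missing headers, weak values, and two common syntax slips."""
    findings = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif allowed and value.lower() not in allowed:
            findings.append(f"weak {name}: {value}")
    csp = headers.get("content-security-policy", "")
    directives = {d.split()[0] for d in csp.split(";") if d.strip()}
    if csp and "default-src" not in directives:
        findings.append("csp has no default-src: only the listed directives restrict anything")
    if ";" in headers.get("permissions-policy", ""):
        findings.append("permissions-policy uses ';' (Feature-Policy syntax); directives are comma-separated")
    return findings

SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: script-src chase.banna.us fonts.googleapis.com cdn.jsdelivr.net
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Permissions-Policy: microphone=(); geolocation=()
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_headers(SAMPLE))) or "no findings")
```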

There is a lot more information about these headers at Scott Helme's site:

Let's deploy our changes to the website and see what progress we've made.

E

Much better.