Config your IIS server to use the "Content-Security-Policy" header

I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".

I get the procedure to add these headers, but I am not sure what the values of these keys should be. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx

http://content-security-policy.com/

Please suggest. Thanks

Gurmeet asked Jun 23 '16 12:06




2 Answers

From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Content-Security-Policy" value="default-src 'self';" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

demonstrates how to do this; in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy") and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site (self) to be loaded.

The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.

F. Stephen Q answered Sep 20 '22 13:09
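As an added example (not code from the answer above, and not taken from Microsoft's documentation), here is a complete web.config fragment that sets all three headers the question asks about. The header values are illustrative assumptions: the CSP only allows resources from the site's own origin and forbids framing, and you will need to widen it to cover any CDN, analytics or font hosts your pages actually load from.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment, not the answer's own code.
     Header values below are assumptions for illustration; adjust the CSP
     to the origins your site really loads scripts, styles and images from. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any value inherited from applicationHost.config first, so the
             site never ends up sending the same header twice with different values. -->
        <remove name="Content-Security-Policy" />
        <remove name="X-Content-Type-Options" />
        <remove name="X-XSS-Protection" />

        <!-- Only load resources from this origin; frame-ancestors 'none' also
             blocks clickjacking by refusing to be framed. Every directive is
             terminated with a semicolon, including the last one. -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; frame-ancestors 'none';" />

        <!-- Stop browsers from MIME-sniffing a response away from its declared
             Content-Type (e.g. treating an uploaded file as script). -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Legacy reflected-XSS filter for older browsers; "mode=block" stops
             rendering the page instead of trying to sanitise it. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A CSP of `default-src 'self'` blocks inline `<script>` and `style=""` attributes as well as third-party resources, so it is worth rolling out under the header name `Content-Security-Policy-Report-Only` first: the browser logs every violation to the developer console (and to a `report-uri` endpoint if you add one) without breaking the page, and you rename the header to `Content-Security-Policy` once the violations are gone.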


An old question, but since Google drops you here...

I found a great "builder" for CSP options:

https://report-uri.io/home/tools/

Now this does appear to be a "link only answer" but in fact, the link is a fully built CSP editor, you click the boxes, select your websites you need in your CSP and the CSP string comes back configured for you (just copy and paste the result into your header for Content-Security-Policy). I couldn't HOPE to replicate the functionality in this answer hence the link.

AngryCarrotTop answered Sep 21 '22 13:09