IIS: improve website security by adding HTTP headers

One way to improve the security of an ASP.NET MVC website is to add custom HTTP response headers in IIS. To do that, open IIS Manager by typing inetmgr in Run, select the website in the Connections pane on the left, then click HTTP Response Headers in the website's Home pane. After that you can add the HTTP headers as shown in the picture below.

(Image: IIS HTTP Response Headers)

After changing the IIS configuration as above, you may want to assess the current state of your website's HTTP headers by scanning your web application with the tool below.
(Image: securityheaders.io scan result)

The securityheaders.io scanner will score your website and show whether any security-related HTTP headers are missing, such as:

  • Referrer-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Content-Security-Policy
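The HTTP Response Headers feature in IIS Manager writes its entries into the site's web.config under system.webServer/httpProtocol/customHeaders, so the same result can be kept in source control as configuration instead of being clicked in by hand. The following web.config fragment is an added example and is not from the original post: it sets the six headers from the list above with values I have assumed as reasonable defaults (the Content-Security-Policy is a deliberately restrictive placeholder that has to be tailored to what the site actually loads), and it also removes the X-Powered-By header, which is the kind of information leak the Troy Hunt link below discusses. The removeServerHeader attribute is an assumption that the server runs IIS 10 or later, where that attribute exists.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment (not the original post's code).
     Place the httpProtocol section inside the site's existing
     <system.webServer> element; IIS Manager edits the same section. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Stop advertising the framework; Server/X-Powered-By give attackers
             nothing they need to know and auditors will flag them. -->
        <remove name="X-Powered-By" />

        <!-- Do not send the Referer URL to other origins in full. -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />

        <!-- HSTS: browsers refuse plain HTTP for one year. Only meaningful on an
             HTTPS site; includeSubDomains commits every subdomain to HTTPS too. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

        <!-- Prevent MIME sniffing of responses (e.g. treating an upload as script). -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Clickjacking defence: only pages from this site may frame this site. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Legacy header for old browsers' XSS auditors; current browsers ignore it,
             CSP below is the real control. -->
        <add name="X-XSS-Protection" value="1; mode=block" />

        <!-- Placeholder CSP: only same-origin resources, and frame-ancestors
             mirrors X-Frame-Options for browsers that honour CSP. Widen per site. -->
        <add name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>

    <!-- IIS 10+ only (assumed): suppress the Server: Microsoft-IIS/x.x header. -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

Two caveats a practitioner should keep in mind when copying this: a Strict-Transport-Security header sent over plain HTTP is ignored by browsers, so it only helps once the site is already served over HTTPS, and a Content-Security-Policy this tight will break any page that loads scripts, styles, fonts or images from a CDN or third party, so test it with a report-only rollout before enforcing it.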

This article only explains how to add custom headers to an ASP.NET MVC application using IIS. You can check out a blog post by Damienbod which explains how to do it in an ASP.NET Core MVC application by configuring the Startup file.
 
Links:
https://www.xolphin.com/support/ssl/IIS_FAQ/IIS_-_Configuring_HTTP_Strict_Transport_Security
https://www.troyhunt.com/shhh-dont-let-your-response-headers/

Published by Gadael Sedubun

Developer
