IIS: improve website security by adding HTTP headers

One way to improve the security of an ASP.NET MVC website is to add custom HTTP response headers in IIS. To do that, open IIS Manager by typing inetmgr in Run, select the website in the Connections pane on the left, and double-click HTTP Response Headers in the website's Home pane. You can then add the HTTP headers as shown in the picture below.

[Image: IIS Manager, HTTP Response Headers pane]

After changing the IIS configuration as above, you may want to assess the current state of your website's HTTP headers by scanning your web application with securityheaders.io.

[Image: securityheaders.io scan result]

securityheaders.io will score your website and show whether any security-related HTTP headers are missing, such as:

  • Referrer-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Content-Security-Policy
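To tie the two steps together (adding headers in IIS Manager, then checking which of the headers listed above are still missing), here is an added example script. It is not code from the original post. It embeds a constructed web.config fragment of the kind IIS Manager writes under system.webServer/httpProtocol/customHeaders when you add headers through the GUI (the header values chosen there are assumptions for this example, and the `<remove name="X-Powered-By" />` entry is an illustrative extra), parses it, and reports which of the post's six headers are absent. The same check can be run against a live site's response headers, which is essentially what securityheaders.io does for you.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the <customHeaders> section IIS Manager writes into the
# site's web.config after headers are added under "HTTP Response Headers".
# Header values are illustrative choices for this example, not the post's.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# The security-related headers the post lists (as reported by securityheaders.io).
SECURITY_HEADERS = (
    "Referrer-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
)


def headers_from_web_config(xml_text):
    """Parse a web.config and return the headers IIS will add as {name: value}.

    Only <add> entries under <customHeaders> are collected; <remove> entries
    (for example removing X-Powered-By) drop headers rather than add them.
    """
    root = ET.fromstring(xml_text)
    added = {}
    for section in root.iter("customHeaders"):
        for entry in section.findall("add"):
            name = entry.get("name")
            if name:
                added[name] = entry.get("value", "")
    return added


def missing_security_headers(headers):
    """Return the SECURITY_HEADERS not present in `headers` (name -> value).

    Header names compare case-insensitively, which is why the post's
    'x-frame-options' and 'X-Frame-Options' count as the same header.
    """
    present = {name.lower() for name in headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def fetch_response_headers(url):
    """Fetch `url` and return its response headers as a dict (live check,
    equivalent in spirit to pasting the site into securityheaders.io)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.getheaders())


def print_report(label, headers):
    """Print which security headers are missing and return that list."""
    missing = missing_security_headers(headers)
    print(f"{label}: {len(headers)} header(s) set, {len(missing)} missing")
    for name in missing:
        print(f"  missing: {name}")
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a site you operate, e.g. https://localhost/
        print_report(sys.argv[1], fetch_response_headers(sys.argv[1]))
    else:
        # Offline check of the constructed web.config sample above
        print_report("sample web.config", headers_from_web_config(SAMPLE_WEB_CONFIG))
```

Run without arguments to check the embedded sample (it reports X-XSS-Protection and Content-Security-Policy as missing); pass a URL of a site you operate to check its live response headers instead. Note that Content-Security-Policy needs a value tailored to the scripts, styles and frames your application actually uses, so it is the one header you cannot set to a generic value, and X-XSS-Protection has since been dropped by current browsers, so scanners may no longer weigh it.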

This article only explains how to add custom headers to an ASP.NET MVC site using IIS. You can check out a blog post by Damienbod which explains how to do it in an ASP.NET Core MVC application by configuring the Startup file.


Links:

https://www.xolphin.com/support/ssl/IIS_FAQ/IIS_-_Configuring_HTTP_Strict_Transport_Security

https://www.troyhunt.com/shhh-dont-let-your-response-headers/
