sfx wall

sfx wall

  • NA
  • 108
  • 7.8k

Content security policy header list using web config file

Jul 22 2019 7:07 AM
I am Facing following Content Security Policy issue in my existing mvc project.
We used https://sitecheck.sucuri.net/ to check security scan
Issue -
Security Headers
Missing security header for XSS Protection. Affected pages:
Missing security header to prevent Content Type sniffing. Affected pages:
Missing Strict-Transport-Security security header. Affected pages:
Default server banners displayed. Your site is displaying your web server default banners. Affected pages:
https://www.example.com/404javascript.js
https://www.example.com/404testpage4525d2fdc
We are trying to resolve that using web config file with following configuration:
`<customHeaders>
<remove name="X-Powered-By" />
<add name="X-Frame-Options" value="DENY" />
<add name="X-Xss-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Referrer-Policy" value="no-referrer" />
<add name="X-Permitted-Cross-Domain-Policies" value="none" />
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
<add name="Feature-Policy" value="accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" />
</customHeaders>
<httpRuntime targetFramework="4.6.1" maxRequestLength="1048576" requestValidationMode="4.0" executionTimeout="110" enableVersionHeader="false" />`
But we are still facing same issue after changing configuration, please look at our process where we are wrong or any alternate solution.

Answers (3)