Shopping Cart Software Forum for Ecommerce Templates
 Security Header Considerations

joetuesday
Advanced Member

183 Posts


Posted - 07/06/2024 :  12:47:50  
Hi - I use .asp and am going through a technical site audit - may I ask if there are any considerations or issues I might face by installing various security / site headers site wide? They would be done so at the server level or via web.config. We serve all pages over HTTPS - see below and thanks:

It's for these types of headers:

X-Frame-Options
Content-Security-Policy
Strict-Transport-Security (HSTS)
Referrer-Policy
X-Content-Type-Options

Code:

<httpProtocol>
    <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
        <add name="Content-Security-Policy" value="default-src https: 'self'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; style-src https: 'self' 'unsafe-inline';" />
    </customHeaders>
</httpProtocol>

Joe

Vince
Administrator

42632 Posts

Posted - 07/09/2024 :  10:39:31  
Hi Joe
I don't think so. But really, what you should do is just test the site thoroughly after adding the headers and make sure nothing goes wrong. But I think you'll be ok.

Vince


joetuesday
Advanced Member

183 Posts


Posted - 07/10/2024 :  06:57:54  
Thank you - this was really more of a hosting question and probably should have been asked somewhere like webmaster world.

Joe

Dermontti
Advanced Member

USA
160 Posts

Posted - 07/26/2024 :  07:30:33  
We have been running with the below in web.config for over 8 months and have not seen any issues.

Just make sure 'unsafe-inline' is always in the CSP since there are many onClick() JavaScript functions used across the site. It lowers the overall security, but sometimes you need it for the website to function. I had to use this in a personal website using the EJS templating engine in the past because the alternative to onClick() was too timely to implement.

<httpProtocol>
    <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=86400; includeSubDomains; preload" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
</httpProtocol>
<security>
    <requestFiltering removeServerHeader="true" />
</security>
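Both web.config fragments in this thread can be checked mechanically before they go live. The script below is an added example for this thread, not code from the forum or from the cart software: it parses the <customHeaders> and <requestFiltering> elements out of a web.config, and reports the points an audit of the headers discussed above usually raises (missing headers, an HSTS max-age too short for preload, CSP keywords such as 'unsafe-inline' that weaken the policy, the deprecated X-XSS-Protection header, and whether the Server header is removed). The two sample configs are constructed from the fragments posted by Joe and Dermontti, wrapped in the <configuration><system.webServer> elements a real web.config has; the severity labels and the one-year preload threshold are the example's own assumptions.

```python
"""Audit the security headers declared in an IIS web.config (added example, not forum code)."""
import xml.etree.ElementTree as ET

# Headers the audit expects site-wide: the set listed in the opening post.
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Strict-Transport-Security",
    "Content-Security-Policy",
)
ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the browser preload list

# Constructed sample: the opening post's fragment inside a minimal web.config.
JOE_CONFIG = """<configuration><system.webServer>
<httpProtocol><customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
<add name="Content-Security-Policy" value="default-src https: 'self'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; style-src https: 'self' 'unsafe-inline';" />
</customHeaders></httpProtocol>
</system.webServer></configuration>"""

# Constructed sample: Dermontti's fragment inside a minimal web.config.
DERMONTTI_CONFIG = """<configuration><system.webServer>
<httpProtocol><customHeaders>
<add name="Strict-Transport-Security" value="max-age=86400; includeSubDomains; preload" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Frame-Options" value="DENY" />
</customHeaders></httpProtocol>
<security><requestFiltering removeServerHeader="true" /></security>
</system.webServer></configuration>"""


def load_custom_headers(xml_text):
    """Return {header name: value} from every <customHeaders><add> in the config."""
    headers = {}
    for block in ET.fromstring(xml_text).iter("customHeaders"):
        for add in block.findall("add"):
            if add.get("name") and add.get("value") is not None:
                headers[add.get("name")] = add.get("value")
    return headers


def server_header_removed(xml_text):
    """True when <requestFiltering removeServerHeader="true"> is present."""
    return any(rf.get("removeServerHeader", "").lower() == "true"
               for rf in ET.fromstring(xml_text).iter("requestFiltering"))


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value):
    """Return (max-age in seconds or None, set of the other tokens, lowercased)."""
    max_age, flags = None, set()
    for token in (t.strip().lower() for t in value.split(";")):
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1])
            except ValueError:
                pass
        elif token:
            flags.add(token)
    return max_age, flags


def audit(xml_text):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    headers = load_custom_headers(xml_text)
    findings = [("missing", f"{n} is not set") for n in REQUIRED_HEADERS if n not in headers]

    xfo = headers.get("X-Frame-Options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("weak", f"X-Frame-Options has unrecognised value {xfo!r}"))
    xcto = headers.get("X-Content-Type-Options")
    if xcto and xcto.lower() != "nosniff":
        findings.append(("weak", f"X-Content-Type-Options should be nosniff, got {xcto!r}"))

    if "Strict-Transport-Security" in headers:
        max_age, flags = parse_hsts(headers["Strict-Transport-Security"])
        if max_age is None:
            findings.append(("weak", "Strict-Transport-Security has no max-age"))
        elif "preload" in flags and max_age < ONE_YEAR:
            findings.append(("weak", f"HSTS preload needs max-age >= {ONE_YEAR}, got {max_age}"))

    if "Content-Security-Policy" in headers:
        csp = parse_csp(headers["Content-Security-Policy"])
        scripts = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in scripts:
                findings.append(("note", f"CSP script-src allows {keyword}: inline/eval script is not blocked"))

    if "X-XSS-Protection" in headers:
        findings.append(("note", "X-XSS-Protection is deprecated and ignored by current browsers; rely on CSP instead"))
    if not server_header_removed(xml_text):
        findings.append(("note", "Server header not removed (requestFiltering removeServerHeader is not true)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("Joe", JOE_CONFIG), ("Dermontti", DERMONTTI_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit(cfg) or [("ok", "nothing flagged")]:
            print(f"[{severity}] {message}")
```

Run it as-is to see the two sample configs side by side, or replace the sample strings with the contents of a real web.config. The 'unsafe-inline' findings are deliberately reported as notes rather than failures, because, as Dermontti says, a site built on inline onClick handlers needs that keyword to keep working; the audit's job is to make the trade-off visible, not to break the shop.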

joetuesday
Advanced Member

183 Posts


Posted - 07/26/2024 :  07:49:13  
Thank you Dermontti - It's always a little touchy to implement site wide changes and all input helps - thanks so much for your feedback.

Joe

Dermontti
Advanced Member

USA
160 Posts

Posted - 07/26/2024 :  08:12:32  
Anytime.

I need to get around to testing the CSP header as well.
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com