IIS, Non-functional Requirements

Some useful headers to add in IIS to improve security.

We use the OWASP ZAP tool to do some quick penetration testing on our site. This is a great free tool, and can be used as part of your continuous integration suite.

One of the things it looks for is whether your web application sends some useful security-related HTTP headers. OWASP has a good list here, and there are three that I think are particularly important for you to configure in IIS.

You can look at headers for a site using http://cyh.herokuapp.com/cyh. This is a really excellent site and application – it highlights headers that it recognises as correctly configured, as well as warning about those which might be configured wrongly or are just plain missing. And even better than that, it recommends what the header should be – very nice constructive criticism!

The suggestions below obviously aren’t comprehensive – just part of what you could/should be doing.

Help Protect against Clickjacking

X-Frame-Options: deny

This makes sure your content isn’t accidentally rendered inside a frame where you don’t intend it to be: with deny, the browser refuses to display the page in any frame.

Help Protect against Cross Site Scripting (XSS)

X-XSS-Protection: 1; mode=block

Modern web browsers have some XSS protection built in by default, but having this header on your site is a good belt-and-braces approach to making sure it’s active (in case it has been disabled for some reason).

Help Protect against Drive-by-Downloads

X-Content-Type-Options: nosniff

This makes sure that IE and Chrome won’t look at some content and try to “sniff” the MIME type, which could cause content to be treated as an executable.

Final note – a colleague of mine who’s another Technical Architect suggested this – a way of using PowerShell to add these headers to your IIS instance, so this can be part of your continuous deployment practice. This way you’ll not forget those headers when you set up a new environment!
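
One way to script this, as an added example (not the colleague's script or code from the original post): it sets the three headers above on a single site and can be re-run safely on every deployment. It assumes the WebAdministration module that ships with IIS, an elevated session, and a site called 'Default Web Site', which is a placeholder for your own site name.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotently set the three response headers from this post
# on one IIS site. Settings are written to applicationHost.config under a
# <location> element for the site, so a redeployed web.config won't drop them.
Import-Module WebAdministration

$siteName = 'Default Web Site'          # assumption: replace with your site
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$section  = 'system.webServer/httpProtocol/customHeaders'

$headers = [ordered]@{
    'X-Frame-Options'        = 'deny'
    'X-XSS-Protection'       = '1; mode=block'
    'X-Content-Type-Options' = 'nosniff'
}

foreach ($name in $headers.Keys) {
    $wanted = $headers[$name]
    $filter = "$section/add[@name='$name']"

    # Look for an existing <add name="..."> entry so re-runs don't fail
    # with a duplicate collection entry.
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Location $siteName `
        -Filter $filter -Name 'value' -ErrorAction SilentlyContinue

    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $psPath -Location $siteName `
            -Filter $section -Name '.' -Value @{ name = $name; value = $wanted }
        Write-Output ('Added   {0}: {1}' -f $name, $wanted)
    }
    elseif ($existing.Value -ne $wanted) {
        # Header is present but has drifted from the intended value.
        Set-WebConfigurationProperty -PSPath $psPath -Location $siteName `
            -Filter $filter -Name 'value' -Value $wanted
        Write-Output ('Updated {0}: {1} -> {2}' -f $name, $existing.Value, $wanted)
    }
    else {
        Write-Output ('OK      {0}: {1}' -f $name, $wanted)
    }
}
```

If the site's own web.config also adds one of these headers, IIS will report a duplicate entry, so keep the headers in one place only.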