Security Testing

Thursday, July 5, 2018

Security Header

All of the headers below help mitigate cross-site scripting (XSS); each snippet goes in the web.config of the IIS site.

Content Security Policy Header:-
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- 'unsafe-inline' and 'unsafe-eval' permit inline scripts and eval(); remove them (or use nonces/hashes) for the policy to actually block XSS -->
      <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval';" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

X-Content-Type-Options header:-
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

X-XSS-Protection header:-
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-XSS-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Missing X-Frame-Options header:-
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Missing strict-transport-security header:-
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
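As an added example (not part of the original post), the following Python script parses the customHeaders block of a web.config and reports headers that are missing or weakly configured, including a CSP that still allows 'unsafe-inline' or 'unsafe-eval' for scripts. The sample web.config is constructed by merging the five snippets above into one block; the audit function takes a plain dictionary, so it works equally on headers captured from a live HTTP response.

```python
"""Audit the customHeaders block of an IIS web.config for the security
headers discussed in the post above (added example, not the post's own code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's five snippets merged into one customHeaders
# block, with the CSP written as a syntactically valid directive.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval';" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

ONE_YEAR = 31536000  # seconds; the max-age value the post uses


def _child(elem, tag):
    """First direct child of elem with the given tag (None if absent)."""
    for node in elem:
        if node.tag == tag:
            return node
    return None


def load_custom_headers(web_config_xml):
    """Return {lower-cased header name: value} from customHeaders/add elements."""
    node = ET.fromstring(web_config_xml)
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = _child(node, tag)
        if node is None:
            return {}  # section not configured: every header counts as missing
    return {add.get("name", "").lower(): add.get("value", "")
            for add in node if add.tag == "add"}


def parse_csp(value):
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """max-age in seconds from an HSTS header value, or None if not present."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of findings (an empty list means every check passed)."""
    findings = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src governs scripts; when it is absent, default-src applies
        script_sources = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_sources:
                findings.append(f"CSP allows {weak} for scripts, which largely "
                                "defeats its protection against XSS")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is missing or not 'nosniff'")

    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is missing or not DENY/SAMEORIGIN")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age should be at least {ONE_YEAR}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if "x-xss-protection" not in headers:
        # legacy header: current Chromium and Firefox ignore it; CSP is the real control
        findings.append("missing X-XSS-Protection (legacy; CSP is the effective control)")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(load_custom_headers(SAMPLE_WEB_CONFIG)):
        print("FINDING:", finding)
```

Run against the sample config it reports only the two CSP findings, which is the point of the caveat on the first snippet: the other four headers are fine as written, but a CSP carrying 'unsafe-inline' and 'unsafe-eval' passes a "header present" scan while doing little against injected script.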
