Config your IIS server to use the “Content-Security-Policy” header

Question

I need to add custom headers in IIS for \"Content-Security-Policy\", \"X-Content-Type-Options\" and \"X-XSS-Protection\".

I get the procedure to add these headers b

Answer 1

From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,

demonstrates how to do this; in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy" and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site (self) to be loaded.

The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.