I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".
I get the procedure to add these headers b
Content Security Policy settings can vary significantly from site to site based on whether scripts are local or you're using external CDNs, etc. So in order to try and find out the setting that best suits your app, you can use a Report Only version:
"By adding this header instead of Content-Security-Policy, the browser will keep telling when something isn't allowed, but allow it anyway. This way you can keep an eye on the console, when running your website in production. When all error messages in the console are gone, you switch back to the original header." ref. https://blog.elmah.io/content-security-policy-in-asp-net-mvc/
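A web.config sketch of the report-only approach described above, together with the other two headers from the question. This is an added example, not part of the original posts; the policy value and the `cdn.example.com` host are constructed placeholders to be replaced with the sources your site actually loads.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove first so a header inherited from a parent level
             does not cause a duplicate collection entry error. -->
        <remove name="Content-Security-Policy-Report-Only" />
        <remove name="X-Content-Type-Options" />
        <remove name="X-XSS-Protection" />

        <!-- Trial phase: violations show up in the browser console,
             but nothing is blocked. Placeholder policy, adjust per site. -->
        <add name="Content-Security-Policy-Report-Only"
             value="default-src 'self'; script-src 'self' https://cdn.example.com" />

        <!-- Stops browsers from MIME-sniffing responses. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Legacy header; current Chromium and Firefox ignore it. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Once the console no longer shows violations, rename `Content-Security-Policy-Report-Only` to `Content-Security-Policy` in both the `remove` and `add` entries to enforce the same policy.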