In order to prepare the application to be exposed externally, a number of configuration changes need to be made to the relevant IIS server. In this case, the web server should be configured to send the following headers by default:
| Header | Value |
|---|---|
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Cache-Control | no-cache, no-store, must-revalidate |
| Content-Security-Policy | default-src https: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' blob: |
| Strict-Transport-Security | max-age=31536000; includeSubdomains |

Note that CSP directives are separated by `;` and directive names carry no trailing colon; without the separator, the whole string is parsed as a single `default-src` directive and `script-src:` is treated as a scheme source rather than a directive.
For example:
```xml
<!-- web.config fragment; <httpProtocol> sits under <system.webServer> -->
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
    <!-- directives separated by ';', directive names without a trailing ':' -->
    <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' blob:" />
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
  </customHeaders>
</httpProtocol>
```
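To confirm the server actually emits the headers above after the change, the following added check (not part of this guide or of IIS) compares a captured response header set against the table and parses the CSP into directives, so a policy whose directives were run together without `;` is reported instead of silently collapsing into one `default-src` directive. The sample header set is constructed for illustration.

```python
from typing import Dict, List

# Expected values, keyed by lower-cased header name (Content-Security-Policy
# is checked structurally below rather than by exact string match).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "cache-control": "no-cache, no-store, must-revalidate",
    "strict-transport-security": "max-age=31536000; includeSubdomains",
}
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header set; an empty list means all good."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = lower.get(name)
        if got is None:
            findings.append(f"missing header: {name}")
        elif got.lower() != want.lower():
            findings.append(f"unexpected {name}: {got!r}")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing header: content-security-policy")
        return findings
    policy = parse_csp(csp)
    for directive in REQUIRED_CSP_DIRECTIVES:
        if directive not in policy:
            findings.append(f"csp missing directive: {directive}")
    # A token like "script-src:" parses as a scheme source, which means a
    # directive name lost its ';' separator and gained a stray colon.
    for sources in policy.values():
        findings += [f"csp directive typo as source: {s}" for s in sources if s.endswith("-src:")]
    return findings


# Constructed sample: the CSP exactly as it was mis-joined, plus one other header.
MISJOINED = {
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval' script-src: 'self' blob:;",
    "X-Frame-Options": "SAMEORIGIN",
}
```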