Config your IIS server to use the "Content-Security-Policy" header

Question
I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection".

I get the procedure to add these headers but I am not sure what should be the value of these keys. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx

http://content-security-policy.com/

Please suggest. Thanks.
Answer
From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post,

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self';" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

demonstrates how to do this; in your config file, in the httpProtocol section, add an entry to the customHeaders collection containing the name (i.e. "Content-Security-Policy") and a value defining the CSP you wish to implement. In the example given, a very simple CSP is implemented, which only allows resources from the local site ('self') to be loaded.

The second resource you linked lists the different options you can use in your customHeader, and examples of their valid values. The one thing to remember is that subsequent options must be ;-separated, and the string must end in a final ;.
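As an added example (not part of the original answer), here is a complete web.config fragment that sets all three headers the question asks about, using the same customHeaders mechanism. The CSP value is the one from the answer; the "nosniff" and "1; mode=block" values are the commonly used settings for the other two headers and are not taken from the page, so treat them as a starting point to adjust for your site.

```xml
<!-- Added example, not the original answer's code: web.config fragment for an IIS site.
     Only the Content-Security-Policy value comes from the answer above; the other two
     values are the widely used defaults and should be reviewed for your own application. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Allow scripts, styles, images, etc. only from this site's own origin.
             Each directive ends with ';' so further directives can be appended. -->
        <add name="Content-Security-Policy" value="default-src 'self';" />
        <!-- Tell browsers not to guess a MIME type that differs from the declared Content-Type. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Legacy reflected-XSS filter switch for older browsers; CSP is the modern control. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After saving the file, request any page from the site and inspect the response headers (browser developer tools or `curl -I https://your-site/`) to confirm all three are present. Because a `default-src 'self'` policy blocks inline scripts and styles as well as third-party CDNs, it is common to first deploy the same value under the `Content-Security-Policy-Report-Only` header name, watch for reports or console errors, and switch to the enforcing header once the policy matches what the site actually loads.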