HTTP Security Headers for IIS 8 and up

Bored of those wannabe “Security Researchers” who respond to your Bug Bounty program because you don’t have an HSTS policy set or some ‘exploit’ that you can only do to yourself? Here are a few examples you can copy/paste into your PowerShell console to apply to your sites.

Of course, be careful and read up on the possible consequences of these settings! I will try to give a brief overview of the options, where applicable, at a later stage.


# WebAdministration provides the IIS: drive and the *-WebConfigurationProperty cmdlets (auto-loaded on PowerShell 3+, explicit for older hosts).
Import-Module WebAdministration
# First positional argument is the configuration filter, second is the PSPath; use IIS:\Sites\<site name> to target a single site.
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Cache-Control';value='max-age=31536000'}
Write-Host 'Cache-Control header is set.'
# Inside a single-quoted PowerShell string a literal quote is written as two quotes, so this sends: sync-xhr 'self'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Feature-Policy';value='sync-xhr ''self'''}
Write-Host 'Feature-Policy header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Referrer-Policy';value='strict-origin-when-cross-origin'}
Write-Host 'Referrer-Policy header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='strict-transport-security';value='max-age=31536000; includeSubdomains'}
Write-Host 'strict-transport-security header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Content-Type-Options';value='nosniff'}
Write-Host 'X-Content-Type-Options header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Frame-Options';value='DENY'}
Write-Host 'X-Frame-Options header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Permitted-Cross-Domain-Policies';value='none'}
Write-Host 'X-Permitted-Cross-Domain-Policies header is set.'
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-XSS-Protection';value='1; mode=block'}
Write-Host 'X-XSS-Protection header is set.'
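The one-liners above fail the second time they run, because entries in the customHeaders collection are unique by name, and nothing confirms that the headers actually reach the browser. The script below is an added example, not code from the original post: it applies the same list of headers idempotently to one site (adding, updating or leaving each entry alone) and then fetches the site to report any header that is missing or differs. The site name 'Default Web Site', the URL https://www.example.com/ and the function names are placeholders of mine. Cache-Control is deliberately left out of the list: a blanket one-year max-age applies to dynamic, per-user responses as well as static files, so it belongs on specific content types rather than site-wide.

```powershell
# Added example, not from the original post. Assumes the WebAdministration
# module (IIS 8 and up); the site name and URL are placeholders to replace.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                      # placeholder
$SiteUrl  = 'https://www.example.com/'              # placeholder
$Filter   = 'system.webServer/httpProtocol/customHeaders'
$PSPath   = "IIS:\Sites\$SiteName"

# One table drives both provisioning and the live check.
$Headers = @(
    @{ name = 'Feature-Policy';                    value = "sync-xhr 'self'" }
    @{ name = 'Referrer-Policy';                   value = 'strict-origin-when-cross-origin' }
    @{ name = 'Strict-Transport-Security';         value = 'max-age=31536000; includeSubDomains' }
    @{ name = 'X-Content-Type-Options';            value = 'nosniff' }
    @{ name = 'X-Frame-Options';                   value = 'DENY' }
    @{ name = 'X-Permitted-Cross-Domain-Policies'; value = 'none' }
    @{ name = 'X-XSS-Protection';                  value = '1; mode=block' }
)

function Set-IisCustomHeader {
    param([string]$Name, [string]$Value)
    # customHeaders entries are keyed on 'name', so a second Add- for the same
    # header errors out. Look the entry up first and update it in place if present.
    $entry   = "$Filter/add[@name='$Name']"
    $current = Get-WebConfigurationProperty -PSPath $PSPath -Filter $entry -Name value
    if ($null -eq $current) {
        Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name . `
            -Value @{ name = $Name; value = $Value }
        Write-Host "added    $Name"
    } elseif ($current.Value -ne $Value) {
        Set-WebConfigurationProperty -PSPath $PSPath -Filter $entry -Name value -Value $Value
        Write-Host "updated  $Name"
    } else {
        Write-Host "ok       $Name"
    }
}

function Test-IisSecurityHeaders {
    param([string]$Url)
    # Fetch the site and compare the response against the expected table.
    # Returns the names of headers that are missing or differ; empty means all good.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $problems = @()
    foreach ($h in $Headers) {
        # -join handles both the string (PS 5.1) and string[] (PS 7) header shapes.
        $got = @($resp.Headers[$h.name]) -join ', '
        if ($got -eq '') {
            Write-Host "MISSING  $($h.name)"; $problems += $h.name
        } elseif ($got -ne $h.value) {
            Write-Host "DIFFERS  $($h.name): got '$got'"; $problems += $h.name
        } else {
            Write-Host "OK       $($h.name)"
        }
    }
    return $problems
}

foreach ($h in $Headers) { Set-IisCustomHeader -Name $h.name -Value $h.value }
Test-IisSecurityHeaders -Url $SiteUrl
```

Run it from an elevated PowerShell on the IIS host; the check at the end is also worth running from a client machine, since a reverse proxy or CDN in front of the server can strip or rewrite headers. Note that Feature-Policy has since been superseded by Permissions-Policy in current browsers, so when you revisit that entry, the same table-driven pattern lets you swap the name and value in one place.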
