Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Quick and dirty commands to set basic security header in IIS
### Quick and dirty command set to set basic security header on IIS
## Please adjust the values according to your requirements
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Cache-Control';value='max-age=31536000'}
Write-Host 'Cache-Control header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Permissions-Policy';value='fullscreen=(), geolocation=()'}
Write-Host 'Permissions-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Referrer-Policy';value='strict-origin-when-cross-origin'}
Write-Host 'Referrer-Policy header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Strict-Transport-Security';value='max-age=31536000; includeSubdomains'}
Write-Host 'strict-transport-security header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Content-Type-Options';value='nosniff'}
Write-Host 'X-Content-Type-Options header is set.'#Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Frame-Options';value='DENY'}
Write-Host 'X-Frame-Options header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-Permitted-Cross-Domain-Policies';value='none'}
Write-Host 'X-Permitted-Cross-Domain-Policies header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='X-XSS-Protection';value='1; mode=block'}
Write-Host 'X-XSS-Protection header is set.' #Please adjust as required
Add-WebConfigurationProperty //system.webServer/httpProtocol/customHeaders "IIS:\sites\" -AtIndex 0 -Name collection -Value @{name='Content-Security-Policy';value="default-src 'self'; script-src 'self'"}
Write-Host 'Content-Security-Policy header is set.' #Please adjust as required
@michiiii
Copy link
Author

michiiii commented Jun 9, 2021

Feature-Policy has been renamed to Permissions-Policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy

Fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment