The X-Content-Type-Options header disables the browser's automatic sniffing of a document's MIME type;
a missing X-XSS-Protection header lets the browser's own XSS protection be turned off, raising the security risk;
the Strict-Transport-Security header tells the browser to access the current resource only over HTTPS, never over plain HTTP;
a missing X-Frame-Options header may allow the page to be embedded in a transparent iframe, which enables clickjacking attacks.
Content-Security-Policy controls which resources may be loaded for the given page; when this response header is missing, the impact of an XSS attack can be much wider. Note that the header is not supported in IE9 and only partially supported in IE10 and IE11.
Removing X-Powered-By can be used to strip the IIS version information (e.g. X-Powered-By: ASP.NET);
removeServerHeader="true" removes the Server header (e.g. Server: Microsoft-IIS/10.0).
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="false" destination="/index.html" />
    <httpProtocol>
      <customHeaders>
        <!-- strip the framework disclosure header -->
        <remove name="X-Powered-By" />
        <!-- anti-clickjacking: only allow framing from the same origin -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- stop MIME type sniffing -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- only load resources from this origin -->
        <add name="Content-Security-Policy" value="default-src 'self';" />
        <!-- HSTS: HTTPS only, for one year (seconds) -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- removeServerHeader strips "Server: Microsoft-IIS/..." (IIS 10.0 or later) -->
      <requestFiltering removeServerHeader="true">
        <!-- deny every HTTP verb, then allow only GET and POST -->
        <verbs>
          <add verb="*" allowed="false" />
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
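To verify that the configuration above actually took effect, the following added example (not part of the original post) audits a raw HTTP response against the same headers and values the web.config sets, and flags the Server and X-Powered-By disclosures it is meant to remove. The two sample responses are constructed for illustration; in practice you would paste in the headers returned by the IIS site.

```python
# Expected header values mirror the customHeaders section of the web.config above.
MIN_HSTS_AGE = 31536000  # one year, the max-age used in the config

def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response; names are lower-cased."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or -1."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return -1

def audit(raw_response: str) -> list[str]:
    """Return findings for a raw response; an empty list means it passes."""
    h = parse_headers(raw_response)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff' (MIME sniffing)")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing (clickjacking)")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if hsts_max_age(h.get("strict-transport-security", "")) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    for leak in ("server", "x-powered-by"):  # headers the config strips
        if leak in h:
            findings.append(f"{leak} discloses software: {h[leak]}")
    return findings

# Constructed sample responses: before and after applying the web.config.
BEFORE = "HTTP/1.1 200 OK\nContent-Type: text/html\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\n"
AFTER = ("HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN\n"
         "X-XSS-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\n"
         "Content-Security-Policy: default-src 'self';\n"
         "Strict-Transport-Security: max-age=31536000\n")

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after:", audit(AFTER))
```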
References
https://caniuse.com/contentsecuritypolicy
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options