missing hsts header, missing content-security on most of my pages

problem

I had missing headers

I did a bit of a google because I was getting a lot of missing hsts header, missing content-security on most of my pages

and these....

X-Frame-Options SAMEORIGIN;

X-XSS-Protection "1; mode=block";

X-Content-Type-Options nosniff;

Strict-Transport-Security

solution

I have found 2 ways to add custom headers - you might want to add this to your FAQ

- Add to your web.config (see below)

- Plesk IIS settings

in httpProtocol customHeaders:

    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Content-Security-Policy"
             value="
               default-src 'self' w.soundcloud.com *.youtube-nocookie.com;
               connect-src 'self';
               img-src 'self' *.mzstatic.com;
               style-src 'self' 'unsafe-inline';
               base-uri 'self';
               script-src 'self' 'unsafe-inline' *.youtube.com;
               form-action 'self'" />
      </customHeaders>
    </httpProtocol>
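
An added example, not part of the original post: a small audit that reads the customHeaders section of a web.config, reports which of the headers named in the post are still absent, and flags CSP directives that allow 'unsafe-inline'. The sample config is constructed from the post's fragment, and the function names and the enclosing configuration/system.webServer wrapper are assumptions.

```python
import xml.etree.ElementTree as ET

# Headers named in the post: the ones the scan flagged plus the ones the config sets.
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]

# Constructed sample: the post's customHeaders wrapped in a minimal web.config.
SAMPLE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="Referrer-Policy" value="strict-origin" />
  <add name="Content-Security-Policy" value="
    default-src 'self' w.soundcloud.com *.youtube-nocookie.com;
    connect-src 'self';
    img-src 'self' *.mzstatic.com;
    style-src 'self' 'unsafe-inline';
    base-uri 'self';
    script-src 'self' 'unsafe-inline' *.youtube.com;
    form-action 'self'" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

def custom_headers(web_config_xml):
    """Return {header name: value} from httpProtocol/customHeaders."""
    root = ET.fromstring(web_config_xml)
    adds = root.findall(".//httpProtocol/customHeaders/add")
    # Collapse the line breaks and indentation of multi-line attribute values.
    return {a.get("name"): " ".join(a.get("value", "").split()) for a in adds}

def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; first occurrence wins."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(web_config_xml):
    """List expected headers that are absent and CSP directives allowing inline code."""
    headers = {k.lower(): v for k, v in custom_headers(web_config_xml).items()}
    findings = [f"missing: {h}" for h in EXPECTED if h.lower() not in headers]
    csp = parse_csp(headers.get("content-security-policy", ""))
    for directive, sources in csp.items():
        if "'unsafe-inline'" in sources:
            findings.append(f"csp: {directive} allows 'unsafe-inline'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The audit only sees headers declared in web.config; a header added through the Plesk IIS settings instead will be reported as missing here even though the server sends it.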