missing hsts header, missing content-security on most of my pages

🛡️ Problem
I had missing headers.
After some digging (and a bit of Googling), I realized that many of my pages were missing essential security headers, including:
- Strict-Transport-Security
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- Content-Security-Policy
✅ Solution
I found two reliable ways to add these headers on an IIS-hosted website — worth adding to your FAQ if you manage servers or offer hosting support:
📄 1. Update web.config
Add the following inside your <system.webServer> section:
<httpProtocol>
  <customHeaders>
    <!-- If a header is already defined at a parent level (e.g. applicationHost.config), IIS rejects a duplicate <add>; remove it first or set it in one place only -->
    <!-- Stops browsers from MIME-sniffing a response away from its declared Content-Type -->
    <add name="X-Content-Type-Options" value="nosniff" />
    <!-- Only this site may frame its own pages (clickjacking defence) -->
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <!-- Send only the origin as referrer, and only over HTTPS -->
    <add name="Referrer-Policy" value="strict-origin" />
    <!-- One-year HSTS for the domain and all subdomains; 'preload' signals that the domain may be submitted to the browser preload list, so only keep it if you intend to do that -->
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    <!-- The XML parser normalises the line breaks inside this attribute to spaces, so the multi-line value is still a valid CSP -->
    <add name="Content-Security-Policy" value="
      default-src 'self' w.soundcloud.com *.youtube-nocookie.com;
      connect-src 'self';
      img-src 'self' *.mzstatic.com;
      style-src 'self' 'unsafe-inline';
      base-uri 'self';
      script-src 'self' 'unsafe-inline' *.youtube.com;
      form-action 'self'" />
  </customHeaders>
</httpProtocol>
💡 This sets your security headers for every request.
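As an added example (not code from the original post), here is a small Python audit that checks a response's header map against the set recommended above: it reports which of the headers are missing, checks the HSTS max-age against the one-year value used in the config, and flags a script-src that still allows 'unsafe-inline'. The sample headers are constructed to mirror the web.config above; the header names and thresholds are my own choices, not anything the post or IIS defines.

```python
"""Audit an HTTP response's security headers against the set the post recommends.

Added example, not part of the original post. Given a dict of response headers,
report which recommended headers are missing and flag weak values. The sample
headers at the bottom are constructed to mirror the web.config snippet above.
"""
from __future__ import annotations

# Headers the post treats as essential (HTTP header names are case-insensitive).
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
)

# One year, matching the max-age used in the web.config snippet (assumed threshold).
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; any whitespace (including newlines that an XML
    attribute may have turned into spaces) separates the source expressions.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts_max_age(value: str) -> int | None:
    """Return the max-age from a Strict-Transport-Security value, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return {'missing': [...], 'warnings': [...]} for a response header map."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in lower]
    warnings: list[str] = []

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            warnings.append("HSTS: max-age missing or unparsable")
        elif max_age < MIN_HSTS_MAX_AGE:
            warnings.append(f"HSTS: max-age {max_age} is shorter than one year")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append(f"X-Content-Type-Options: unexpected value {xcto!r}")

    csp = lower.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            warnings.append("CSP: no default-src fallback")
        # script-src falls back to default-src when not given explicitly.
        script_src = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_src:
                warnings.append(f"CSP: script-src allows {weak}")

    return {"missing": missing, "warnings": warnings}


# Constructed sample: the headers a response would carry with the web.config above,
# with the CSP's line breaks collapsed to spaces as the XML parser does.
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self' w.soundcloud.com *.youtube-nocookie.com; "
        "connect-src 'self'; img-src 'self' *.mzstatic.com; "
        "style-src 'self' 'unsafe-inline'; base-uri 'self'; "
        "script-src 'self' 'unsafe-inline' *.youtube.com; form-action 'self'"
    ),
}

if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS).items():
        print(name, finding)
```

To run it against a live site, replace SAMPLE_HEADERS with the real response headers, for example dict(urllib.request.urlopen(url).headers) from the standard library, and run it once over HTTPS for every page type you serve, since IIS applies customHeaders to all responses but a CDN or reverse proxy in front of it may strip or override them.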
🧩 2. Use Plesk IIS Settings
If you're on Plesk or another control panel, you can often set these headers through the Web Hosting Settings under IIS options — no need to edit the config file directly.
📌 Summary
By configuring these headers either in web.config or through your host's control panel, you'll improve your:
- Browser security
- Content policy enforcement
- SEO ranking (yes, Google loves secure sites!)
🔐 Already done in my DevStack project? Of course.
I’ve baked this in alongside CSP, HSTS, and other modern security best practices so you don’t have to.
Need help implementing it across your ASP.NET or IIS sites?