How to add the HTTP Content-Security-Policy header to a NuGenesis web server - WKB239682

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Article number: 239682

OBJECTIVE or GOAL

Add the "Content-Security-Policy" HTTP response header to the websites/applications in Microsoft IIS.

ENVIRONMENT

Windows Server 2019/2016/2012
IIS has one or more websites with a valid binding for HTTPS
NuGenesis 9
NuGenesis 8

PROCEDURE

Open IIS Manager on the web server.
Connect to the local server.
Expand the Sites tree, double-click Default Web Site, and select one of the applications.
Double-click HTTP Response Codes.
Click Add.
Specify the following for the header name:
- ```
Content-Security-Policy
```
Specify the following for the header value:
- ```
style-src https://servername
```
Click OK.
Restart the web server.

ADDITIONAL INFORMATION

This header adds the "style-src" directive to all pages served by IIS. It ensures that the stylesheets for the web pages are loaded only from the specified server (the web server itself) rather than from identically named files on other sources.

If the style-src declaration doesn't match the host as specified in the URL - for example, a machine's domain membership is changed - then the CSS stylesheets will not be applied. The web site will look vastly different from it's normal appearance and likely won't be functional. The following message will be logged in the browser's console, once for each stylesheet that doesn't match the style-src declaration:

Refused to load the stylesheet 'https://servername.domain/sitename/p...stylesheet.css' because it violates the following Content Security Policy directive: "style-src https://servername". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

id239682, NGLMS, NGLMSLIC, NGLMSOPT, SDMS, SDMS8, SDMS8NU, SUPISDMS, SUPNG