How to add the HTTP Content-Security-Policy header to a NuGenesis web server - WKB239682
OBJECTIVE or GOAL
Add the "Content-Security-Policy" HTTP response header with the "style-src" and "frame-ancestors" directives to the websites/applications in Microsoft IIS.
ENVIRONMENT
- Windows Server 2019/2016/2012
- IIS has one or more websites with a valid binding for HTTPS
- NuGenesis 9
- NuGenesis 8
PROCEDURE
- Open IIS Manager on the web server
- Connect to the local server
- Expand the Sites tree and select Default Web Site
- Double-click HTTP Response Headers
- Click Add
- Specify the following for the header name:
  Content-Security-Policy
- Specify the following for the header value:
  style-src 'self' 'unsafe-inline'; frame-ancestors 'self';
- Click OK
- Repeat steps 3 through 8 for the following sites:
- SampleShare (v8.0+)
- SampleShareService (v8.0+)
- WATERSLMS (v8.0+)
- AuditTrailClientApp (v9.1+)
- AuditTrailWebServer (v9.1+)
- SdmsIdentity (v9.3+)
- SdmsProjects (v9.3+)
- SdmsProjectServers (v9.3+)
- SdmsSdkGateway (v9.3+)
- SdmsUserPreferences (v9.3+)
- SdmsVision (v9.3+)
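Added example, not from the Waters article: a PowerShell script that applies the same header to the sites named above through the WebAdministration module, then fetches one page over HTTPS to confirm both directives came back. It assumes the names are top-level IIS sites as the procedure lists them, and the host name in the final call is a placeholder.

```powershell
Import-Module WebAdministration

$headerName  = 'Content-Security-Policy'
$headerValue = "style-src 'self' 'unsafe-inline'; frame-ancestors 'self';"
$filter      = 'system.webServer/httpProtocol/customHeaders'

# Site names as listed in the procedure. If one is an application under
# Default Web Site rather than a site, use 'Default Web Site\<name>' instead.
$sites = 'Default Web Site', 'SampleShare', 'SampleShareService', 'WATERSLMS',
         'AuditTrailClientApp', 'AuditTrailWebServer', 'SdmsIdentity',
         'SdmsProjects', 'SdmsProjectServers', 'SdmsSdkGateway',
         'SdmsUserPreferences', 'SdmsVision'

foreach ($site in $sites) {
    $psPath = "IIS:\Sites\$site"
    if (-not (Test-Path $psPath)) { Write-Warning "Skipping '$site': not found"; continue }
    # Update in place when the header is already there, so re-running the
    # script never tries to add a duplicate <add name="..."> element.
    $existing = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter "$filter/add[@name='$headerName']" -Name 'value'
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ name = $headerName; value = $headerValue }
    } else {
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter "$filter/add[@name='$headerName']" -Name 'value' -Value $headerValue
    }
    Write-Host "Configured $headerName on '$site'"
}

# Fetch one page over HTTPS and check that both directives the article relies
# on are present and still include 'self'. Returns the parsed directives.
function Test-CspHeader {
    param([Parameter(Mandatory)][string]$Uri)
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials
    $csp  = [string]$resp.Headers[$headerName]
    if (-not $csp) { throw "$headerName header missing from $Uri" }
    $directives = @{}
    foreach ($d in $csp.Split(';')) {
        $parts = $d.Trim() -split '\s+', 2
        if ($parts[0]) { $directives[$parts[0].ToLower()] = $parts[1] }
    }
    foreach ($name in 'style-src', 'frame-ancestors') {
        if (-not $directives.ContainsKey($name)) { throw "'$name' missing in: $csp" }
        if ($directives[$name] -notmatch "'self'") { throw "'$name' lacks 'self' in: $csp" }
    }
    return $directives
}
# Placeholder host name; use the HTTPS binding of the site you are checking.
Test-CspHeader -Uri 'https://servername.domain/SampleShare/'
```

Run it in an elevated PowerShell session on the web server; the check at the end uses the current Windows credentials, which matters if the site uses Windows authentication.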
ADDITIONAL INFORMATION
The Content-Security-Policy header has many directives defined in the standard. These directives tell the web browser how, or whether, to load external content for a website. Many of them do not apply to NuGenesis web applications; this article covers only the two directives that affect the NuGenesis web apps.
The header value above applies the "style-src" directive to every page the site serves. It ensures that the stylesheets for the web pages are loaded only from the specified source (the web server itself) and not from identically named files on other hosts.
If a host named in the style-src declaration does not match the host in the URL the browser used (for example, after the machine's domain membership changes), the CSS stylesheets will not be applied. The website will look vastly different from its normal appearance and likely won't be functional. The following message is logged in the browser's console, once for each stylesheet that doesn't match the style-src declaration:
    Refused to load the stylesheet 'https://servername.domain/sitename/p...stylesheet.css' because it violates the following Content Security Policy directive: "style-src https://servername". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Writing 'self' rather than an explicit host name, as in the value above, avoids this problem: the browser evaluates 'self' against the origin the page was actually loaded from.
The "frame-ancestors" directive instructs the web browser to load the page in an iframe or frame tag only if the parent document's origin matches one of the sources listed. The recommendation here is to use the 'self' source for this directive. The effect is identical to the "X-Frame-Options: sameorigin" header: the page loads inside a frame only when the framing document has the same origin as the framed page.
Content-Security-Policy (CSP) header - HTTP | MDN
