Securing your IIS server

When ABBYY FlexiCapture 12 is deployed, the default IIS security configuration settings are used. You can also set up additional rules for specific requests to make your web server more secure.

The Content-Security-Policy Header

Content Security Policy (CSP) is a security standard used by modern browsers to protect against data injection attacks, such as cross-site scripting (XSS). CSP uses a whitelist to determine which resources are safe to load and ignores unverified sources. It also logs any attempts to bypass the security policy.

To make use of this policy, the server must have a Content-Security-Policy HTTP header with one or more directives set up, with each directive responsible for a specific resource type. Directives set out a security policy by declaring rules for resources.

To set up CSP for your browser, add the following code into your web.config file:

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="Content-Security-Policy" value="default-src https: 'unsafe-inline' 'unsafe-eval'" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer>
    

Note: If you need to integrate ABBYY FlexiCapture with third-party systems and require access to other hosts, specify them in the web.config file. Be sure to check the operation of the software each time you change your security configuration settings.

For more information about the Content-Security-Policy header, see this website.

The HTTP Strict-Transport-Security Header

HTTP Strict-Transport-Security (HSTS) is a website protection mechanism that restricts all interactions between the browser and the website to a secure connection using the SSL protocol. A web server that has HSTS set up contains an instruction for the browser to exclusively use HTTPS and forbids it from using HTTP. HSTS is primarily used to fend off interception attacks involving queries and responses, e.g. MITM (Man-In-The-Middle) attacks.  

To be able to use this security policy, you need to use URL address rewrite rules to add a Strict-Transport-Security (STS) header to HTTP responses. This is necessary to prevent unwanted HTTP queries and redirect all HTTP traffic to HTTPS (based on the logic set out in the rules). To set up the rules, you need to install the URL Rewrite module. For more information, please see the Microsoft website.

To set up HSTS for your browser, add the following code into your web.config file:

<rule name="Add the STS header in HTTPS responses">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule> 
    

Note: The max-age directive specifies the time period (in seconds) during which the rule will be applied. The value specified in the code snippet above equals a period of one year.

For more information about HSTS, please see the Microsoft website.

The X-Powered-By and X-AspNet-Version Headers

Apart from HTTP headers that are essential for improving the security of your web server, there are also headers that are optional. Often, such optional headers are not governed by any standards and their use increases the amount of traffic generated by each HTTP query, making it easier to carry out malicious attacks.

The following are two such optional headers:

  • X-Powered-By is an HTTP header that contains information about various technologies used by the web server.
  • X-AspNet-Version is an HTTP header that contains information about the ASP.NET version that is used to deploy applications on the web server.

By default, both X-Powered-By and X-AspNet-Version are included in server responses. We recommend that you disable these headers, since providing identifying information can pose a security threat.

To remove the X-Powered-By header from the IIS configuration, paste the following code into your web.config file:

<httpProtocol> 
<customHeaders> 
<remove name="X-Powered-By" />   
</customHeaders></httpProtocol> 
    

To remove the X-AspNet-Version header from your IIS configuration, paste the following code into your web.config file:

<httpRuntime enableVersionHeader="false" />
    

The X-XSS-Protection Header

X-XSS-Protection is an HTTP header that is used by browsers to prevent Cross-Site Scripting attacks. The header works by enabling an XSS filter, which intercepts unwanted attempts to insert malicious third-party code into web pages opened on a browser.

X-XSS-Protection is compatible with the following browsers: Internet Explorer 8+, Chrome, and Safari. However, most modern browsers use a stricter security policy (e.g. Content-Security-Policy), which makes this header necessary only if you are using an older browser that does not support CSP.

To enable the X-XSS-Protection header for your browser, copy the following code to your web.config file:

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="X-XSS-Protection" value="1; mode=block" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer>
    

The X-Content-Type-Options Header

X-Content-Type-Options is an HTTP header that is used by browsers to prevent attacks that exploit MIME (Multipurpose Internet Mail Extensions) vulnerabilities. MIME is an Internet standard for content that is sent over an internet connection. All files served by the web server are processed by browsers in a manner that depends on the MIME type of those particular files. Browsers determine the resource type by either using the Content-Type response, or by inspecting the resource contents, which makes it possible for attackers to mask HTML files as files of a different type.

The only directive available for this header is the nosniff directive. It instructs browsers to use only the MIME type that was specified by the web server.

To enable the X-Content-Type-Options header for your browser, paste the following code into your web.config file:

<system.webServer> 
<httpProtocol> 
<customHeaders> 
<add name="X-Content-Type-Options" value="nosniff" /> 
</customHeaders> 
</httpProtocol> 
</system.webServer> 
  

10.11.2020 12:08:03


Please leave your feedback about this article