To check the security headers an IIS site returns, you can use this tool to scan its address:


We found that we were getting a lower grade because the Content-Security-Policy (CSP) header was not set, reported as follows:

Application Security, Medium severity

Content Security Policy (CSP) Missing

5.0 score impact


A Content Security Policy provides a valuable safety net against cross-site scripting (XSS). A well-configured policy stops an attacker's injected script, or references to other attacker-controlled content, from being loaded even when a developer has made a mistake that lets the injection into the page. Without a Content Security Policy, any such mistake lets the attacker change how the website behaves.


The Content-Security-Policy header is a list of directives that tell the browser which sources it may load each kind of resource (scripts, styles, images, frames and so on) from when rendering the page. Anything injected from a source the policy does not allow is refused by the browser instead of being executed.


Enable CSP headers via your webserver configuration.


To fix this:

For Exchange 2016

In IIS Manager, select the server node (or the site) and open HTTP Response Headers.

Under Actions in the top right, click Add.

Add the following. Use plain ASCII single quotes around keywords such as 'self': the typographic quotes that a word processor or CMS substitutes are not recognised by browsers and turn the keyword into an invalid source.

Name: Content-Security-Policy

Value: default-src 'self' https://* data: 'unsafe-inline'; script-src 'self' https://* 'unsafe-inline' 'unsafe-eval'; img-src data: https:;

This value is deliberately permissive so that Outlook on the web and the Exchange admin center keep working, since Exchange's web applications rely on inline script. Be aware that 'unsafe-inline' and 'unsafe-eval' re-enable exactly the inline and eval() script execution that CSP exists to block, and https://* allows script from any HTTPS origin, so this header satisfies the scanner's "CSP missing" check without adding much XSS protection by itself.

For a Regular Web Server

The same steps as above, but with a stricter value:

Name: Content-Security-Policy

Value: default-src 'self'

This allows scripts, styles, images, fonts and XHR only from the site's own origin. It blocks inline <script> and <style> blocks, inline event handlers such as onclick="", and anything served from a CDN or other third-party domain, so a site that uses any of those will break. Roll it out first as Content-Security-Policy-Report-Only, which makes browsers report violations in the developer console without blocking anything, add the specific origins you need to the relevant directives, and only then switch to the enforcing header.
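The IIS Manager steps above, for both the Exchange 2016 value and the regular-site value, as a PowerShell script. This is an added example and not code from the original post. It assumes the WebAdministration module that ships with IIS, that the header is written at the server level (MACHINE/WEBROOT/APPHOST, which is what the IIS Manager server node edits), and it uses mail.example.com as a placeholder hostname. The second function fetches the page and flags the parts of a policy that let a scanner's "CSP missing" check pass without actually restricting script.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on the IIS / Exchange server. Assumption: the header is written at the server
# level; pass -PSPath 'IIS:\Sites\<site name>' to scope it to a single site.
Import-Module WebAdministration

$CustomHeaders = 'system.webServer/httpProtocol/customHeaders'

function Set-CspHeader {
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST',
        # Report-Only makes browsers log violations without blocking anything:
        # use it for the first rollout of a strict policy on a real site.
        [switch]$ReportOnly
    )
    $name = if ($ReportOnly) { 'Content-Security-Policy-Report-Only' } else { 'Content-Security-Policy' }

    # Typographic quotes pasted from a CMS or word processor are the usual way a
    # CSP silently fails: 'self' is only a keyword between ASCII single quotes.
    if ($Value -match '[\u2018\u2019\u201C\u201D]') {
        throw "CSP value contains typographic quotes; use ASCII ' around keywords such as 'self'."
    }

    # IIS rejects a second <add> with the same name, so drop any existing one first.
    $existing = Get-WebConfiguration -PSPath $PSPath -Filter "$CustomHeaders/add" |
        Where-Object { $_.name -eq $name }
    if ($existing) {
        Remove-WebConfigurationProperty -PSPath $PSPath -Filter $CustomHeaders -Name '.' -AtElement @{ name = $name }
    }
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $CustomHeaders -Name '.' -Value @{ name = $name; value = $Value }
}

function Test-CspHeader {
    param([Parameter(Mandatory)][string]$Url)
    # Pick a URL that answers 200 (for Exchange, the OWA logon page does);
    # Invoke-WebRequest throws on 401/403 before the headers can be read.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
    $csp  = "$($resp.Headers['Content-Security-Policy'])"
    if (-not $csp) {
        Write-Warning "No Content-Security-Policy header returned by $Url"
        return $false
    }
    Write-Host "CSP from ${Url}: $csp"

    # Parse "directive source source; directive source" into directive -> sources.
    $directives = @{}
    foreach ($part in ($csp -split ';')) {
        $tokens = @($part.Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -gt 0) {
            $directives[$tokens[0].ToLower()] =
                if ($tokens.Count -gt 1) { $tokens[1..($tokens.Count - 1)] } else { @() }
        }
    }
    # script-src falls back to default-src when it is absent.
    $scriptSrc = if ($directives.ContainsKey('script-src')) { $directives['script-src'] } else { $directives['default-src'] }

    # Any of these in the script sources means injected script still runs.
    $strict = $true
    foreach ($weak in @("'unsafe-inline'", "'unsafe-eval'", 'https://*', 'http://*', '*')) {
        if ($scriptSrc -contains $weak) {
            Write-Warning "script sources allow ${weak}: the header passes a 'CSP missing' check but gives little XSS protection"
            $strict = $false
        }
    }
    return $strict
}

# Exchange 2016: the permissive value from the post (placeholder hostname below).
Set-CspHeader -Value "default-src 'self' https://* data: 'unsafe-inline'; script-src 'self' https://* 'unsafe-inline' 'unsafe-eval'; img-src data: https:;"
Test-CspHeader -Url 'https://mail.example.com/owa/auth/logon.aspx'

# Regular site: strict value in report-only mode first; drop -ReportOnly once
# the browser console shows no violations you care about.
Set-CspHeader -Value "default-src 'self'" -ReportOnly
```

Test-CspHeader only inspects the enforcing Content-Security-Policy header, so a site still in report-only mode will be reported as having no policy until the switch is made; that is the intended reminder that report-only protects nothing yet.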