To check the IIS security headers on a site, you can use this tool to scan the address.
We found that we were getting lower grades because the Content-Security-Policy (CSP) header wasn't set; the scan reported the following:
Application Security Medium severity
Content Security Policy (CSP) Missing
The Content Security Policy provides a valuable safety net that protects your website from malicious cross-site scripting (XSS) attacks. A well configured policy will stop an attacker attempting to inject their code, or references to other malicious content, into your website. Without a Content Security Policy, it’s easy for website developers to make mistakes that allow an attacker to inject content that changes the way the website behaves.
A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering a webpage. This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a user’s browser).
Enable CSP headers via your webserver configuration.
To fix this:
For Exchange 2016
In IIS Manager, open HTTP Response Headers.
Under Actions in the top right, click Add.
Add the following (use straight ASCII single quotes around the keywords, not the curly quotes a web page or word processor may substitute; a policy with curly quotes is malformed and browsers will not honour those source expressions):
Name: Content-Security-Policy
Value: default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;
For a Regular Web Server
The same as above, but with a different Value:
Name: Content-Security-Policy
Value: default-src 'self'
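The same change scripted rather than clicked through IIS Manager, as an added example that is not part of the original post: it uses the WebAdministration module to add (or replace) the Content-Security-Policy custom header on an IIS site, normalises curly quotes to the ASCII apostrophe CSP requires, and then reads the header back from a client. The site name 'Default Web Site' and the URL https://mail.example.com/owa/ are placeholders; run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from the original post. Sets the Content-Security-Policy
# response header on an IIS site and verifies it over HTTP.
# Assumptions: the site name and URL below are placeholders for your own.
Import-Module WebAdministration

function Set-CspHeader {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $Policy
    )
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'

    # Curly quotes (U+2018 / U+2019) copied from a web page make the policy
    # unparseable; browsers then drop those source expressions, so normalise
    # them to the ASCII apostrophe before writing the header.
    $Policy = $Policy -replace '[\u2018\u2019]', "'"

    # Replace any existing header of the same name so the site does not end up
    # sending two Content-Security-Policy headers with conflicting values.
    $existing = Get-WebConfiguration -PSPath $psPath `
        -Filter "$filter/add[@name='Content-Security-Policy']"
    if ($existing) {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -AtElement @{ name = 'Content-Security-Policy' }
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = 'Content-Security-Policy'; value = $Policy }
}

function Get-CspHeader {
    param([Parameter(Mandatory)] [string] $Url)
    # -UseBasicParsing avoids the Internet Explorer DOM parser on older
    # Windows PowerShell; a 4xx response (e.g. Exchange's 401) throws, so
    # point this at a URL that answers 200 anonymously or wrap it in try/catch.
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
    return $response.Headers['Content-Security-Policy']
}

# The two policies from the post above (straight quotes), as constants.
$exchangePolicy = "default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; " +
                  "script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; " +
                  "img-src data: https:;"
$regularPolicy  = "default-src 'self'"

# Usage (placeholder site name and URL; pick the policy that matches the server):
Set-CspHeader -SiteName 'Default Web Site' -Policy $regularPolicy
Get-CspHeader -Url 'https://mail.example.com/owa/'
```

Note what the Exchange value actually buys you: 'unsafe-inline' and 'unsafe-eval' in script-src permit exactly the inline scripts and eval() that CSP's script restrictions exist to block, so that policy restricts which external hosts may serve scripts and images but does not stop injected inline script. It will satisfy the scanner's "CSP Missing" finding; the plain default-src 'self' value for a regular web server is the one that delivers the XSS protection the finding describes.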