To check the security headers that IIS returns for a site, you can scan the address with the securityheaders.com tool.

Scan results for google.com (securityheaders.com)

We found that we were getting lower grades because the Content-Security-Policy (CSP) header wasn't set, as the scanner finding below shows:

Application Security: Medium severity

Content Security Policy (CSP) Missing

5.0 score impact

DESCRIPTION

The Content Security Policy provides a valuable safety net that protects your website from malicious cross-site scripting (XSS) attacks. A well configured policy will stop an attacker attempting to inject their code, or references to other malicious content, into your website. Without a Content Security Policy, it’s easy for website developers to make mistakes that allow an attacker to inject content that changes the way the website behaves.

RISK

A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering a webpage. This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a user’s browser).

RECOMMENDATION

Enable CSP headers via your webserver configuration.

REFERENCES

https://serverfault.com/questions/932273/content-security-policy-for-exchange-2016

https://scotthelme.co.uk/hardening-your-http-response-headers/

To fix this:

For Exchange 2016

In IIS Manager, select the site and open HTTP Response Headers.

Under Actions in the top right, click Add.

Add the following header:

Name: Content-Security-Policy

Value: default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;

Note that the keywords must be wrapped in straight single quotes ('self', not ‘self’); a value pasted with curly quotes is not recognised by browsers.

For a Regular Web Server

The same steps as above, but with a different value:

Name: Content-Security-Policy

Value: default-src 'self'
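As an added example (not code from the original post or from securityheaders.com), the Python script below fetches the Content-Security-Policy header a site returns and lints the value before and after you deploy it. It flags the issues most likely to bite when a policy is copied from a web page: keywords pasted with curly quotes or left unquoted, which browsers do not accept, a missing default-src fallback, and the 'unsafe-inline' / 'unsafe-eval' sources that the Exchange value above includes and that remove most of the protection CSP gives against injected script. The sample header values are constructed to mirror the two values in this post; the URL argument and the fetch_csp helper are assumptions for checking a live site.

```python
"""Fetch and lint a Content-Security-Policy header.

Added example, not part of the original post. The sample values below are
constructed; pass a URL on the command line to check a live server instead.
"""
import sys
import urllib.error
import urllib.request

# Source keywords that CSP requires to be wrapped in straight single quotes.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Curly quotes from word processors and blog themes are not valid CSP quoting.
CURLY_QUOTES = "\u2018\u2019"

# Constructed samples: the two values recommended in the post, plus the
# Exchange-style value as it looks when pasted with curly quotes.
EXCHANGE_CSP = (
    "default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; "
    "script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; "
    "img-src data: https:;"
)
PLAIN_CSP = "default-src 'self'"
CURLY_CSP = "default-src \u2018self\u2019"


def parse_csp(value):
    """Split a CSP value into {directive: [sources]}.

    Directives are separated by ';', the directive name and its sources by
    whitespace; empty chunks (e.g. a trailing ';') are ignored.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def lint_csp(value):
    """Return a list of findings for a CSP value; an empty list means nothing to flag."""
    findings = []
    if any(ch in value for ch in CURLY_QUOTES):
        findings.append("curly quotes present: keywords must use straight quotes, e.g. 'self'")
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src: any directive you omit is left unrestricted")
    for directive, sources in policy.items():
        for src in sources:
            bare = src.strip("'")
            if bare in CSP_KEYWORDS and src == bare:
                findings.append(f"{directive}: keyword {bare} must be quoted as '{bare}'")
            if directive in ("script-src", "default-src"):
                if bare == "unsafe-inline":
                    findings.append(f"{directive}: 'unsafe-inline' permits inline script, the usual XSS payload")
                if bare == "unsafe-eval":
                    findings.append(f"{directive}: 'unsafe-eval' permits eval() and new Function()")
                if src == "https:":
                    findings.append(f"{directive}: https: allows script from any HTTPS origin")
            if src == "*":
                findings.append(f"{directive}: * allows any origin")
    return findings


def fetch_csp(url, timeout=10):
    """Return the Content-Security-Policy header sent for url, or None if absent.

    Network helper (assumption: the target answers a HEAD request); error
    responses such as 401 or 404 still carry headers, so they are inspected too.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "csp-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Content-Security-Policy")
    except urllib.error.HTTPError as err:
        return err.headers.get("Content-Security-Policy")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        value = fetch_csp(sys.argv[1])
        if value is None:
            print("No Content-Security-Policy header returned")
            sys.exit(1)
        print("Policy:", value)
    else:
        value = EXCHANGE_CSP  # lint the constructed Exchange value
    for finding in lint_csp(value) or ["no findings"]:
        print("-", finding)
```

Run with a URL (for example the OWA address after adding the header) to confirm the header is actually being sent, or with no argument to see which parts of the Exchange value the linter flags. A policy that lints clean but still breaks the application is best found by deploying it first as Content-Security-Policy-Report-Only and reading the browser console.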