高級文盲

IIS, Security, Windows

Borrowing Others' Wisdom: Hardening IIS Security (web.config)

Many experts online have already written plenty of tutorials on hardening IIS security.

Since my own knowledge is limited, I have simply gathered the relevant material from around the web and made these notes...

Notes:

1. Install URL Rewrite beforehand.

2. Edit web.config; depending on the item, its sections correspond to the HTTP Response Headers, URL Rewrite and Request Filtering features.

For reference only; I take no responsibility if problems arise, and recommend seeking professional assistance.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect HTTP to HTTPS automatically -->
        <rule name="http redirect to https" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Force HSTS on HTTPS responses (browsers ignore the header over plain HTTP) -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- CSP. Note that 'unsafe-inline' and 'unsafe-eval' in script-src largely defeat the
             XSS protection CSP is meant to give; drop them once inline scripts are moved to
             files or given nonces -->
        <add name="Content-Security-Policy" value="default-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google-analytics.com;" />
        <!-- HSTS -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- Prevent MIME-type sniffing -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Anti-clickjacking -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Referrer policy -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
        <!-- Legacy XSS filter for IE -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Permissions-Policy" value="fullscreen=()" />
        <!-- Hide IIS / ASP.NET information.
             Only X-Powered-By is really a custom header. The Server header is emitted by
             HTTP.sys/IIS itself (see removeServerHeader below), and X-AspNetMvc-Version is
             added by MVC and must be turned off in code
             (MvcHandler.DisableMvcResponseHeader = true). -->
        <remove name="X-Powered-By" />
        <remove name="Server" />
        <remove name="X-AspNetMvc-Version" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- removeServerHeader strips the Server header; it requires IIS 10.0 or later -->
      <requestFiltering removeServerHeader="true">
        <filteringRules>
          <!-- Anti SQL injection: reject query strings containing any of the substrings below
               (case-insensitive). This is defence in depth only; parameterised queries are the
               real fix. Generic tokens such as "open", "end", "sys" and "@" will also block
               legitimate requests (e.g. e-mail addresses), so test against real traffic first. -->
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
            <appliesTo>
              <clear />
              <add fileExtension=".asp" />
              <add fileExtension=".aspx" />
              <add fileExtension=".ashx" />
            </appliesTo>
            <denyStrings>
              <clear />
              <add string="--" />
              <add string=";" />
              <add string="/*" />
              <add string="@" />
              <add string="char" />
              <add string="alter" />
              <add string="begin" />
              <add string="cast" />
              <add string="create" />
              <add string="cursor" />
              <add string="declare" />
              <add string="delete" />
              <add string="drop" />
              <add string="end" />
              <add string="exec" />
              <add string="fetch" />
              <add string="insert" />
              <add string="kill" />
              <add string="open" />
              <add string="select" />
              <add string="sys" />
              <add string="table" />
              <add string="update" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Sources:

1. Content Security Policy for IIS

2. Setting the HSTS header in IIS

3. ASP.NET Security Headers

4. The X-Frame-Options response header

5. ASP.NET Web.config & HTTP Headers security settings compendium (Guide to Secure your Web application by web.config configuration)

6. How to prevent SQL Injection attacks by the Request Filtering?

7. [Windows Server 2008 R2] How to configure HTTP Strict Transport Security under IIS 7.5