網路上,已有許多大神針對IIS做了許多強化安全性的教學,
只因小弟才疏學淺,所以彙整一下網路上相關資料,做個筆記 …
備註:
1.請事先安裝 URL Rewrite。
2.編輯 web.config ,根據不同的項目,其對應到的是:HTTP 回應標頭、URL Rewrite、要求篩選
<!-- 僅供參考,如遇到問題恕不負責,建議尋找專業人士協助處理 -->
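<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS hardening fragment for web.config (needs the URL Rewrite module installed).
  Three parts: <rewrite> (HTTP to HTTPS redirect and HSTS), <httpProtocol>
  (response headers) and <security>/<requestFiltering> (query-string deny list).
-->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Send every plain-HTTP request to the same host and path over HTTPS.
             redirectType="Found" is a 302; once the site is verified on HTTPS,
             redirectType="Permanent" (301) lets browsers cache the upgrade. -->
        <rule name="http rediect to https" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Emit Strict-Transport-Security only on HTTPS responses (RFC 6797 says
             the header must not be sent over plain HTTP). pattern=".*" also matches
             an absent header, so this rule creates it rather than only rewriting it. -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- Fixed: the original line had a doubled value=" which made the element
             malformed XML (IIS would reject the whole web.config).
             Note that script-src still allows 'unsafe-inline' and 'unsafe-eval', so
             any injected inline script can run; prefer nonces or hashes when possible. -->
        <add name="Content-Security-Policy" value="default-src 'self' data:; img-src 'self' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google-analytics.com;" />
        <!-- HSTS is deliberately not added here: the outbound rule above already emits it,
             and a static entry would also send it on HTTP responses, where browsers ignore it. -->
        <!-- Stop browsers from MIME-sniffing a response away from its declared Content-Type. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Anti-clickjacking: only same-origin pages may frame this site. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Referrer policy. The spec lists directive names in lowercase; the original
             mixed-case value may not be recognised by every browser. -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
        <!-- Legacy XSS filter for old IE; current browsers ignore this header. -->
        <add name="X-Xss-Protection" value="1; mode=block" />
        <!-- Deny the Fullscreen API to every origin, including this one. -->
        <add name="Permissions-Policy" value="fullscreen=()" />
        <!-- Hide framework/server version banners. -->
        <remove name="X-Powered-By" />
        <!-- NOTE(review): removing "Server" here does not strip the IIS Server header,
             which is added after custom headers are applied; on IIS 10 the
             requestFiltering removeServerHeader attribute is the supported way.
             X-AspNetMvc-Version is added by MVC at runtime and may also survive this. -->
        <remove name="Server" />
        <remove name="X-AspNetMvc-Version" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <filteringRules>
          <!-- Query-string deny list for classic ASP / ASP.NET handlers.
               scanUrl="false" and no body scanning: only the query string is checked,
               so this is defence in depth, not a substitute for parameterised queries.
               Expect false positives: "@" blocks any e-mail address in a query string,
               and "open", "end", "char", "sys", "table" are ordinary words. -->
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
            <appliesTo>
              <clear />
              <add fileExtension=".asp" />
              <add fileExtension=".aspx" />
              <add fileExtension=".ashx" />
            </appliesTo>
            <denyStrings>
              <clear />
              <add string="--" />
              <add string=";" />
              <add string="/*" />
              <add string="@" />
              <add string="char" />
              <add string="alter" />
              <add string="begin" />
              <add string="cast" />
              <add string="create" />
              <add string="cursor" />
              <add string="declare" />
              <add string="delete" />
              <add string="drop" />
              <add string="end" />
              <add string="exec" />
              <add string="fetch" />
              <add string="insert" />
              <add string="kill" />
              <add string="open" />
              <add string="select" />
              <add string="sys" />
              <add string="table" />
              <add string="update" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>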
資料來源:
1.Content Security Policy for IIS
6.How to prevent SQL Injection attacks by the Request Filtering?
7.[Windows Server 2008 R2]如何在IIS7.5下設定HTTP Strict Transport Security