Technical instruction - Add http response header on IIS

  1. Open IIS Manager and click the Default Web Site. On the right-hand side, double-click HTTP Response Headers.

  2. Click Add to add an HTTP header.

  3. Enter the header name in the Name field and the header value in the Value field. The headers to add, written as the web.config entries they produce:

    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    <add name="Permissions-Policy" value="geolocation=(*)" />
    <add name="Cross-Origin-Embedder-Policy" value="require-corp" />
    <add name="Cross-Origin-Opener-Policy" value="same-origin" />

    If the customer has a strict policy:

    <add name="Content-Security-Policy" value="default-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://*.adyen.com; style-src 'self' https://*.adyen.com;" />

    If the customer does not have a strict policy:

    <add name="Content-Security-Policy" value="default-src *; font-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://*.adyen.com 'unsafe-inline'; style-src 'self' https://*.adyen.com 'unsafe-inline';" />

Depending on the version, the same headers may already exist in AssertWeb\web.config.
They must then be removed from that lower-level web.config, otherwise the system will not start (IIS rejects a duplicate header entry in a child web.config).

Example:

(For even stricter IIS settings, remove the X-Powered-By field from the response headers so that server details are not exposed; see the instructions below.)

  4. Save and restart IIS. Remember to comment out any header set in AssertWeb\web.config.
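The four steps above done from PowerShell instead of IIS Manager, as an added example that is not part of the original instruction. It uses the WebAdministration module that ships with IIS; the site name 'Default Web Site' and the -StrictPolicy switch are assumptions, while the header names and values are exactly the ones listed in step 3.

```powershell
# Added example (not from the original instruction): sets the response headers from step 3 on one
# IIS site with the WebAdministration module. Site name and the -StrictPolicy switch are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$SiteName = 'Default Web Site',   # assumed site name; change to the customer's site
    [switch]$StrictPolicy                     # set when the customer has a strict policy
)
Import-Module WebAdministration

$psPath = "IIS:\Sites\$SiteName"
$filter = 'system.webServer/httpProtocol/customHeaders'   # where IIS keeps the <add> entries from step 3

# The two Content-Security-Policy variants from step 3; only one is applied.
$strictCsp  = "default-src 'self'; font-src 'self'; img-src 'self' data:; " +
              "script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://*.adyen.com; " +
              "style-src 'self' https://*.adyen.com;"
$lenientCsp = "default-src *; font-src 'self' 'unsafe-inline'; img-src * data:; " +
              "script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://*.adyen.com 'unsafe-inline'; " +
              "style-src 'self' https://*.adyen.com 'unsafe-inline';"
$csp = if ($StrictPolicy) { $strictCsp } else { $lenientCsp }

$headers = [ordered]@{
    'X-Frame-Options'              = 'SAMEORIGIN'
    'X-Content-Type-Options'       = 'nosniff'
    'Referrer-Policy'              = 'no-referrer-when-downgrade'
    'Strict-Transport-Security'    = 'max-age=31536000; includeSubDomains; preload'
    'Permissions-Policy'           = 'geolocation=(*)'
    'Cross-Origin-Embedder-Policy' = 'require-corp'
    'Cross-Origin-Opener-Policy'   = 'same-origin'
    'Content-Security-Policy'      = $csp
}

foreach ($name in $headers.Keys) {
    # IIS refuses a second <add> with the same name (duplicate collection entry), so drop any
    # existing entry at this level first. That makes the script safe to re-run when a value changes.
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='$name']" -Name 'value'
    if ($null -ne $existing) {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -AtElement @{ name = $name }
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = $name; value = $headers[$name] }
    Write-Host "Set $name"
}

# Step 4: restart IIS so the new configuration is picked up.
iisreset
```

Run it from an elevated PowerShell on the IIS host, with `-StrictPolicy` when the customer has a strict policy. The script only writes to the site-level web.config; an `<add>` for the same header left in AssertWeb\web.config still produces the duplicate-entry error the instruction warns about, so comment those out first. Note that the non-strict CSP variant allows `default-src *` and `'unsafe-inline'` scripts, so it restricts very little; the strict variant is the one that actually limits where scripts and styles may load from.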

Remove the server header information

1. Remove the server header

  1. Open IIS Manager.

  2. Select the server node in the Connections pane.

  3. Double-click Configuration Editor.

  4. In the Section dropdown, select: system.webServer/security/requestFiltering.

  5. Set removeServerHeader to True.

  6. Click Apply and restart IIS.

2. Remove the X-AspNet-Version Header

  • Using IIS Manager:

    1. Open IIS Manager.

    2. Select the site or application.

    3. Double-click Configuration Editor.

    4. In the Section dropdown, select: system.web/httpRuntime.

    5. Set enableVersionHeader to False.

    6. Click Apply and restart IIS.

3. Remove the X-Powered-By Header

  • Using IIS Manager:

    1. Open Configuration Editor.

    2. In the Section dropdown, select: system.webServer/httpProtocol/customHeaders.

    3. If the rule already exists, click the customHeaders entry:

      1. Remove the current value and leave it empty.

    4. If the rule does not exist, add a rule that removes the header:

      • Name: X-Powered-By

      • Value: Leave empty

    5. Click Apply and restart IIS.
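The three removal procedures above (Server, X-AspNet-Version, X-Powered-By) done in one PowerShell script with the WebAdministration module, followed by a check of a live response to confirm the headers are gone. This is an added example, not part of the original instruction; the site name 'Default Web Site' and the check URL 'http://localhost/' are assumptions, and the X-Powered-By entry is removed outright rather than left with an empty value as in the IIS Manager steps.

```powershell
# Added example (not from the original instruction): removes the three server-identifying headers
# with the WebAdministration module and then verifies a live response. Site name and URL are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$SiteName = 'Default Web Site',   # assumed site name
    [string]$CheckUrl = 'http://localhost/'   # assumed URL served by that site
)
Import-Module WebAdministration
$sitePath = "IIS:\Sites\$SiteName"

# 1. Server header: a server-wide requestFiltering setting in applicationHost.config
#    (the removeServerHeader attribute exists on IIS 10 and later).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value $true

# 2. X-AspNet-Version: switched off in httpRuntime of the site's web.config.
Set-WebConfigurationProperty -PSPath $sitePath `
    -Filter 'system.web/httpRuntime' -Name 'enableVersionHeader' -Value $false

# 3. X-Powered-By: the <add> is inherited from the server level. Removing it at site level writes a
#    <remove name="X-Powered-By" /> into the site's customHeaders, so the header is no longer sent.
#    -ErrorAction SilentlyContinue keeps the script re-runnable when the entry is already gone.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# "Click Apply and restart IIS"
iisreset

# Verification: request the site and report any of the three headers that still come back.
function Test-ServerHeaders {
    param([string]$Url)
    $identifying = @('Server', 'X-AspNet-Version', 'X-Powered-By')
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $present = @($identifying | Where-Object { $resp.Headers.Keys -contains $_ })
    if ($present.Count -gt 0) {
        Write-Warning ("Still sent by {0}: {1}" -f $Url, ($present -join ', '))
    } else {
        Write-Host "No Server, X-AspNet-Version or X-Powered-By header in the response from $Url"
    }
    return $present
}

Test-ServerHeaders -Url $CheckUrl
```

Run it from an elevated PowerShell on the IIS host. The first setting is machine-wide, so it affects every site on the server; the other two are written to the named site only. The check uses a plain HTTP URL so it works without a trusted certificate; point `-CheckUrl` at the real site binding once it is known.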