To check the security headers an IIS site returns, scan its address with securityheaders.com; it grades the response headers and lists the ones that are missing or weak.
Scan results for google.com (securityheaders.com)
We found that we were getting lower grades because the Content-Security-Policy (CSP) wasn’t set as per below:
Application Security: Medium severity
Content Security Policy (CSP) Missing
Score impact: 5.0
DESCRIPTION
The Content Security Policy provides a valuable safety net that protects your website from malicious cross-site scripting (XSS) attacks. A well configured policy will stop an attacker attempting to inject their code, or references to other malicious content, into your website. Without a Content Security Policy, it’s easy for website developers to make mistakes that allow an attacker to inject content that changes the way the website behaves.
RISK
A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering a webpage. This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a user’s browser).
RECOMMENDATION
Enable CSP headers via your webserver configuration.
REFERENCES
https://serverfault.com/questions/932273/content-security-policy-for-exchange-2016
https://scotthelme.co.uk/hardening-your-http-response-headers/
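As an added example (not from the original post, the scanner, or securityheaders.com), the PowerShell function below applies the checks the finding above describes to a header value: is the header present, does it use real CSP keywords, is there a default-src, and what does script-src actually let run. The sample policies are constructed here; in practice paste in the value shown on securityheaders.com, or pull it from a live site with (Invoke-WebRequest -Uri $url -UseBasicParsing).Headers['Content-Security-Policy'].

```powershell
# Added example, not part of the original post: audit a Content-Security-Policy
# value the way a header scanner does. Pure string handling, runs offline.

function Test-CspPolicy {
    param([AllowEmptyString()] [string] $Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ([string]::IsNullOrWhiteSpace($Policy)) {
        $findings.Add('Content-Security-Policy header missing')
        return $findings
    }

    # Typographic quotes (U+2018/2019/201C/201D) are a copy/paste classic: the
    # browser sees a quoted-looking token as a host name, not a keyword, and ignores it.
    if ($Policy -match '[\u2018\u2019\u201C\u201D]') {
        $findings.Add("curly quotes present: keywords such as 'self' will be ignored")
    }

    # Parse "directive src src; directive src" into a name -> source-list table.
    $directives = @{}
    foreach ($part in ($Policy -split ';')) {
        $tokens = @($part.Trim() -split '\s+' | Where-Object { $_ -ne '' })
        if ($tokens.Count -eq 0) { continue }
        $directives[$tokens[0].ToLowerInvariant()] = @($tokens | Select-Object -Skip 1)
    }

    if (-not $directives.ContainsKey('default-src')) {
        $findings.Add('no default-src: every fetch directive you did not name is unrestricted')
    }

    # script-src falls back to default-src when it is not given explicitly.
    $scriptSrc = @()
    if ($directives.ContainsKey('script-src'))      { $scriptSrc = $directives['script-src'] }
    elseif ($directives.ContainsKey('default-src')) { $scriptSrc = $directives['default-src'] }

    foreach ($src in $scriptSrc) {
        # Strip the straight quotes around keywords so 'unsafe-inline' compares as unsafe-inline.
        switch -Regex ($src.Trim("'").ToLowerInvariant()) {
            '^unsafe-inline$' { $findings.Add("script-src allows 'unsafe-inline': injected inline <script> still runs") }
            '^unsafe-eval$'   { $findings.Add("script-src allows 'unsafe-eval': eval() of injected strings still runs") }
            '^data:$'         { $findings.Add('script-src allows data: URIs, which can carry arbitrary script') }
            '^(\*|https?:)$'  { $findings.Add("script-src allows ${src}: any origin may serve script") }
            '^https?://\*\.'  { $findings.Add("script-src trusts wildcard host ${src}: any subdomain there may serve script") }
        }
    }
    return $findings
}

# Constructed samples: the two policies from the post, with straight quotes,
# plus the curly-quote version that pasting from a document tends to produce.
$ExchangeCsp = "default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; " +
               "script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; " +
               "img-src data: https:;"
$StrictCsp = "default-src 'self'"
$CurlyCsp  = "default-src $([char]0x2018)self$([char]0x2019)"

foreach ($policy in @($ExchangeCsp, $StrictCsp, $CurlyCsp, '')) {
    Write-Host ("`nPolicy: " + $(if ($policy) { $policy } else { '<none>' }))
    $findings = @(Test-CspPolicy -Policy $policy)
    if ($findings.Count -eq 0) { Write-Host '  no findings' }
    else { $findings | ForEach-Object { Write-Host "  - $_" } }
}
```

Run against the Exchange policy, the function reports 'unsafe-inline', 'unsafe-eval' and the two wildcard hosts in script-src; the strict policy comes back clean; the curly-quote policy is flagged even though it looks correct at a glance, which is the failure mode to watch for when copying a value into IIS Manager.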
To fix this, add a Content-Security-Policy response header in IIS. Make sure the value uses straight single quotes ('self'): the curly quotes a word processor or web page often pastes in are not CSP keywords, so the browser treats them as host names and the policy silently stops working.
For Exchange 2016
In IIS Manager select the site (Default Web Site, which serves OWA and ECP) and open HTTP Response Headers.
Under Actions in the top right click Add...
Add the following:
Name: Content-Security-Policy
Value: default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;
Note that 'unsafe-inline' and 'unsafe-eval' in script-src permit exactly the injected inline script CSP exists to block, so this policy satisfies the scanner but offers little real XSS protection. Tightening it further is likely to break OWA or ECP, so test both after any change.
For a Regular Web Server
The same as above but with a different Value:
Name: Content-Security-Policy
Value: default-src 'self'
This blocks inline <script> and <style> blocks, eval(), and anything loaded from another origin (CDNs, web fonts, analytics), so roll it out as Content-Security-Policy-Report-Only first, watch the browser console for violations, and only then switch to the enforcing header name.
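The same change scripted with the WebAdministration module, as an added example that is not part of the original post. It assumes you run it in an elevated PowerShell on the IIS server and that the target is a site named 'Default Web Site'; adjust -SiteName for your environment. It covers both cases above (the Exchange 2016 value and the strict value for a plain site) and adds the Report-Only rollout step.

```powershell
# Added example, not from the original post: set the Content-Security-Policy
# header on an IIS site from PowerShell instead of clicking through IIS Manager.
# Requires the WebAdministration module (installed with the IIS role) and an
# elevated session. 'Default Web Site' is an assumption; change it as needed.
Import-Module WebAdministration

# The two policies from the post, with STRAIGHT quotes. Curly quotes are not
# CSP keywords; the browser would ignore them and the policy would be weaker
# than it looks.
$ExchangeCsp = "default-src 'self' https://*.microsoft.com https://*.sharepointonline.com data: 'unsafe-inline'; " +
               "script-src 'self' https://*.microsoft.com https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; " +
               "img-src data: https:;"
$StrictCsp   = "default-src 'self'"

function Set-IisCsp {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $Policy,
        # Deploy as Content-Security-Policy-Report-Only first: the browser logs
        # violations to its console but blocks nothing, so you find out what the
        # policy would break before it breaks it.
        [switch] $ReportOnly
    )
    $headerName = if ($ReportOnly) { 'Content-Security-Policy-Report-Only' } else { 'Content-Security-Policy' }
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'

    # Remove an existing header of the same name first: IIS rejects duplicate
    # collection entries, and two CSP headers would be enforced together.
    $existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='$headerName']"
    if ($existing) {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -AtElement @{ name = $headerName }
    }

    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = $headerName; value = $Policy }
    Write-Host "Set $headerName on $SiteName to: $Policy"
}

# Exchange 2016: the permissive policy OWA/ECP need, in report-only mode to start with.
Set-IisCsp -SiteName 'Default Web Site' -Policy $ExchangeCsp -ReportOnly

# Plain web server: the strict policy, enforced (uncomment once report-only is clean).
# Set-IisCsp -SiteName 'Default Web Site' -Policy $StrictCsp
```

After running it, confirm what the server actually sends with (Invoke-WebRequest -Uri 'https://your-host/' -UseBasicParsing).Headers, then re-scan on securityheaders.com. Once the report-only run shows no unexpected violations, call Set-IisCsp again without -ReportOnly and remove the report-only header with the same -AtElement removal shown in the function.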