3.1 How to Implement Additional HTTP Security Headers for WebTrac to improve PCI scans
Problem
How do I create Additional HTTP Security Headers to improve my PCI scan results?
Solution
This information is also available, with screenshots, in the standard RT 3.1 LIVE-w.pdf and WebTrac Installation 3.1.pdf documents. It is abbreviated below:
How to Add HTTP Security Headers Through Microsoft IIS
1. Click the Windows Start button > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections area, expand the server name, and then expand Sites.
3. Click on the WebTrac website, which by default is VSI3_WEBTRAC.
4. In the VSI3_WebTrac Home area, double-click HTTP Response Headers within the IIS grouping.
5. In the Actions area, click Add.
6. Enter the custom HTTP header name within the Name field.
7. Enter the custom HTTP header value within the Value field.
8. Click the OK button.
9. Repeat steps 5-8 until all of the needed HTTP headers have been created.
Example HTTP Security Headers
Below is a standard set of recommended HTTP security headers that should be put in place on your web server in IIS.
The two headers most likely to cause problems are X-Content-Type-Options and Content-Security-Policy (see the notes below). HTTP headers can be set in two or three different locations.
Name | Value
Content-Security-Policy | default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com https://*.google.com https://*.gstatic.com https://etsemoney.com https://*.etsemoney.com https://*.jsdelivr.net https://*.emoney.com https://*.finixpymnts.com; img-src * 'self' blob: data: ;
Referrer-Policy | no-referrer
Strict-Transport-Security | max-age=31536000 ; includeSubDomains
X-Content-Type-Options | nosniff
X-Frame-Options | deny
X-Permitted-Cross-Domain-Policies | none
X-XSS-Protection | 1; mode=block
Notes:
The X-Content-Type-Options header can cause images or JavaScript to stop loading if the MIME type is not set properly on the web server. If an image or script on a page stops loading, it may not be readily apparent that this header is the cause.
The Content-Security-Policy header has many options, and each can prevent content from loading, especially content served from other domains. Sites that load images, scripts, styles, fonts, etc. from other domains may stop functioning.
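To confirm that the headers actually reach the client after the IIS steps above, here is an added Python example (not part of the original article or of WebTrac) that audits a set of response headers against the table above and lists the CSP source expressions that relax the policy. The sample response is constructed; the CSP check for 'unsafe-inline', 'unsafe-eval' and bare '*' is a general caveat, not something the article states.

```python
# Header names/values from the table above; CSP has no single correct value, so only presence is checked.
EXPECTED = {
    "Content-Security-Policy": None,
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_CSP_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def _norm(value):
    # Trim whitespace around ';' and lower-case, so "max-age=31536000 ; includeSubDomains" matches.
    return ";".join(p.strip() for p in value.split(";")).lower()


def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | 'unexpected value: <got>'} per expected header."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    result = {}
    for name, expected in EXPECTED.items():
        got = lower.get(name.lower())
        if got is None:
            result[name] = "missing"
        elif expected is None or _norm(got) == _norm(expected):
            result[name] = "ok"
        else:
            result[name] = "unexpected value: " + got
    return result


def weak_csp_sources(csp):
    """List (directive, source) pairs that relax CSP: 'unsafe-inline', 'unsafe-eval', bare '*'."""
    found = []
    for directive in csp.split(";"):
        tokens = directive.split()
        for tok in tokens[1:]:  # tokens[0] is the directive name, e.g. default-src
            if tok in WEAK_CSP_SOURCES and (tokens[0], tok) not in found:
                found.append((tokens[0], tok))
    return found


# Constructed sample response (not a real WebTrac capture): two headers missing, X-Frame-Options not "deny".
SAMPLE = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' https://*.googleapis.com; img-src * 'self' data:;",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
```

Feed `audit_headers` the header dictionary from a HEAD request against the WebTrac site (for example `dict(response.getheaders())` from `http.client`) to check a live deployment.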