Commonly Flagged PCI DSS HTTP Response Headers

July 20, 2020

Below are some HTTP response headers that are commonly flagged by PCI DSS scans, and how to fix each of them in IIS: the URL Rewrite module for headers that must be removed, and custom response headers for headers that must be added.

  • Server Response Header
    This header discloses information about your web server software and version.
    Example: Microsoft-IIS/10.0
    Action: REMOVE
    URL Rewrite Rule:

    <configuration>
         <system.webServer>
              <rewrite>
                   <outboundRules rewriteBeforeCache="true">
                        <rule name="Remove Server header">
                             <match serverVariable="RESPONSE_Server" pattern=".+" />
                             <action type="Rewrite" value="" />
                        </rule>
                   </outboundRules>
              </rewrite>
         </system.webServer>
    </configuration>
    
  • X-Powered-By Response Header
    Discloses information about the web application platform.
    Example: PHP/7.3.1
    Action: REMOVE
    URL Rewrite Rule:

    <configuration>
         <system.webServer>
              <rewrite>
                   <outboundRules rewriteBeforeCache="true">
                        <rule name="Remove X-Powered-By">
                             <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
                             <action type="Rewrite" value="" />
                        </rule>
                   </outboundRules>
              </rewrite>
         </system.webServer>
    </configuration>
    
  • X-Frame-Options Response Header
    Indicates whether a browser should be allowed to render the page inside a frame element.
    Action: ADD
    Custom Response Header:

    <configuration>
         <system.webServer>
              <httpProtocol>
                   <customHeaders>
                        <add name="X-Frame-Options" value="SAMEORIGIN" />
                   </customHeaders>
              </httpProtocol>
         </system.webServer>
    </configuration>
    
  • X-XSS-Protection Response Header
    Instructs the browser to stop loading the page when it detects a reflected cross-site scripting (XSS) attack.
    Action: ADD
    Custom Response Header:

    <configuration>
         <system.webServer>
              <httpProtocol>
                   <customHeaders>
                        <add name="X-XSS-Protection" value="1; mode=block" />
                   </customHeaders>
              </httpProtocol>
         </system.webServer>
    </configuration>
    
  • X-Content-Type-Options Response Header
    Indicates that the advertised MIME types are deliberately configured and must be followed rather than sniffed by the browser.
    Action: ADD
    Custom Response Header:

    <configuration>
         <system.webServer>
              <httpProtocol>
                   <customHeaders>
                        <add name="X-Content-Type-Options" value="nosniff" />
                   </customHeaders>
              </httpProtocol>
         </system.webServer>
    </configuration>
    

NOTE: The options above have different allowable values. The values provided are the most common or defaults. Choose the values that best meet your requirements.
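As an added check (example code written for this post, not part of the original), the script below encodes the five actions listed above as a policy and evaluates a captured raw HTTP response against it, so you can confirm the web.config changes actually took effect. The two sample responses are constructed; accepting DENY as an alternate X-Frame-Options value is an assumption beyond the SAMEORIGIN value shown above.

```python
"""Check a raw HTTP response's headers against the PCI DSS header fixes listed above."""
from typing import Dict, List, Tuple

# Policy taken from the list above. Header names are compared case-insensitively.
REMOVE = ("Server", "X-Powered-By")
REQUIRE = {
    "X-Frame-Options": {"sameorigin", "deny"},   # DENY is an assumed alternate value
    "X-XSS-Protection": {"1; mode=block"},
    "X-Content-Type-Options": {"nosniff"},
}

# Constructed samples: a response before the fixes and one after them.
SAMPLE_BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: PHP/7.3.1\r\n"
                 "Content-Type: text/html\r\n\r\n<html></html>")
SAMPLE_AFTER = ("HTTP/1.1 200 OK\r\nServer: \r\nX-Frame-Options: SAMEORIGIN\r\n"
                "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
                "Content-Type: text/html\r\n\r\n<html></html>")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, action, detail) findings; an empty list means the policy is met."""
    findings = []
    for name in REMOVE:
        value = headers.get(name.lower())
        # The URL Rewrite rules above rewrite the value to "", so an empty header counts as fixed.
        if value:
            findings.append((name, "REMOVE", f"disclosed: {value}"))
    for name, allowed in REQUIRE.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append((name, "ADD", "missing"))
        elif value.lower() not in allowed:
            findings.append((name, "ADD", f"unexpected value: {value}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_headers(parse_headers(raw)) or "OK")
```

To test a live site, replace the sample with the raw response captured by a tool such as curl (including the status line) and feed it to parse_headers.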

about me

An information technology professional with twenty-five years of experience in systems administration, computer programming, requirements gathering, customer service, and technical support.