Blog

Commonly Flagged PCI DSS HTTP Response Headers

July 20, 2020

Below are some common PCI DSS flagged HTTP response headers and how to easily fix them using IIS and the URL Rewrite module.

  • Server Response Header
    This header discloses information about your web server software and version.
    Example: Microsoft-IIS/10.0
    Action: REMOVE
    URL Rewrite Rule:

    <configuration>
     <system.webServer>
          <rewrite>
               <outboundRules rewriteBeforeCache="true">
                    <rule name="Remove Server header">
                         <match serverVariable="RESPONSE_Server" pattern=".+" />
                         <action type="Rewrite" value="" />
                    </rule>
               </outboundRules>
          </rewrite>
     </system.webServer>
</configuration>
  • X-Powered-By Response Header
    Discloses information about the web application platform.
    Example: PHP/7.3.1
    Action: REMOVE
    URL Rewrite Rule:

    <configuration>
     <system.webServer>
          <rewrite>
               <outboundRules rewriteBeforeCache="true">
                    <rule name="Remove X-Powered-By">
                         <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
                         <action type="Rewrite" value="" />
                    </rule>
               </outboundRules>
          </rewrite>
     </system.webServer>
</configuration>
  • X-Frame-Options Response Header
    Indicate whether or not a browser should be allowed to render a page within an frame element
    Action: ADD
    Custom Response Header

    <configuration>
     <system.webServer>
          <httpProtocol>
               <customHeaders>
                    <add name="X-Frame-Options" value="SAMEORIGIN" />
               </customHeaders>
          </httpProtocol>
     </system.webServer>
</configuration>
  • X-XSS-Protection Response Header
    Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks
    Action: ADD
    Custom Response Header

    <configuration>
     <system.webServer>
          <httpProtocol>
               <customHeaders>
                    <add name="X-XSS-Protection" value="1; mode=block" />
               </customHeaders>
          </httpProtocol>
     </system.webServer>
</configuration>
  • X-Content-Type-Options Response Header
    Indicates the MIME types are deliberately configured and should be strictly followed
    Action: ADD
    Custom Response Header

    <configuration>
     <system.webServer>
          <httpProtocol>
               <customHeaders>
                    <add name="X-Content-Type-Options" value="nosniff" />
               </customHeaders>
          </httpProtocol>
     </system.webServer>
</configuration>

NOTE: The options above have different allowable values. The values provided are the most common or defaults. Choose the values that best meet your requirements.

0 Comments

Leave Your Comment

Your email address will not be published. Required fields are marked *


Recent Posts

Large File Uploads with ColdFusion
February 28, 2024
Microsoft Graph Error ResourceUnhealthy
November 2, 2023
<cfhtmltopdf> broken in ColdFusion 2023
October 25, 2023
Send O365 email using ColdFusion and Microsoft Graph
October 24, 2023
Accessing Oracle NetSuite REST API using PowerShell
September 13, 2023

about me

An information technology professional with twenty four years experience in systems administration, computer programming, requirements gathering, customer service, and technical support.