在 IIS 中增加相关安全 HTTP 头信息配置

<?xml version=”1.0″ encoding=”UTF-8″?>

<configuration>

<system.webServer>

<!– 增加为了安全的 HTTP 头信息 –>

<httpProtocol>

<customHeaders>

<remove name=”X-Powered-By” />

<add name=”Content-Security-Policy” value=”frame-ancestors ‘self’; default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ blob: data:” />

<add name=”X-Frame-Options” value=”SAMEORIGIN” />

<add name=”X-XSS-Protection” value=”1″ />

<add name=”X-Content-Type-Options” value=”nosniff” />

<add name=”X-Permitted-Cross-Domain-Policies” value=”master-only” />

<add name=”X-Download-Options” value=”noopen” />

<add name=”Referrer-Policy” value=”origin-when-cross-origin” />

</customHeaders>

</httpProtocol>

</system.webServer>

</configuration>