New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

​Security headers & DNN

Return to previous page

  • 9/26/2018



​Security headers & DNN

Last updated 5 years ago



(Enter the content of this article below)




In our battle against hackers we have a lot of work these days. And as with most topics: perfection is a lot of simple things done right.

We have instructed our customers to use complex passwords, we got a firewall, login using SSL and added a content security policy (CSP). Another topic are security headers.

Like CSP the security headers are aiming to restrict HTTP response headers from running into easily preventable vulnerabilities. The project can be found here:

A pretty good place for more info on security headers can be found on

Ok, I want this. Now what do I put where?

In the web.config in the customHeaders section.
In the example below, you might want to remove the content security policy as this is a seperate topic.

* As always: backup your web.config for easy roll back as 1 mistake can break image galeries, other script, iframed content or even take down your website! *

Example of code



<add name="X-XSS-Protection" value="1; mode=block" />

<add name="X-Content-Type-Options" value="nosniff" />

<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />

<add name="Content-Security-Policy" value="default-src * ;" />

<remove name="X-Powered-By" />

<remove name="X-AspNet-Version" />

<remove name="X-AspNet-Version" />

<remove name="X-AspNetMvc-Version" />

<remove name="Vary">


<add name="Vary" value="Accept-Encoding">


<add name="Referrer-Policy" value="no-referrer-when-downgrade" />



How do I know if I did it right?

You can check your website on

NOTE: Check ‘hide results’ to prevent others from gaining information about your vulnerable website.

Are there any reasons not to use this?

First of all, if you include a csp, you might want to check Only modern browsers can cope.

Furthermore, it has been my experience that the <add name="X-Content-Type-Options" value="nosniff" /> tag caused issues in IE 11 on a product list where the images where handled by an imagehandler (resizer). The tag prevented IE11 to understand that the images were actually images which made the browser want to interpret the images as HTML.

So, it is up to you whether you want to include this tag or – if necessary - wait a bit until IE has a usage that is below a threshold that you find acceptable.

What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out