In order to make web applications more secure, we must secure the HTTP headers that are exchanged between the communicating parties, mostly the client and the server, to carry additional information.
Let us look at the different header options, their definitions, and the values that make them secure while in transmission through the channel.
Disallow framing of other domains (X-Frame-Options) - This HTTP response header controls whether or not a browser may render the page inside an <iframe> element. If a website is not intended to have its content embedded in other sites, this header should be set to the "DENY" value. Preventing your site from being framed in this way also protects your users from clickjacking attacks.
In the Web.config file, you can set this HTTP header as follows:
Prevent reflected cross-site scripting (X-XSS-Protection) - This HTTP response header stops the page from loading when a reflected cross-site scripting attack is detected. In other words, it enables the browser's cross-site scripting filter.
This header can be added in Web.config as follows:
Here value="1; mode=block" means that instead of sanitizing a page on which a cross-site scripting attack is detected, the browser will prevent the page from rendering at all.
Disable guessing the MIME type by inspecting the content (X-Content-Type-Options) - Setting this HTTP response header to the "nosniff" value stops the browser from guessing the file type by inspecting its content; the file is instead treated as the type declared in the Content-Type header. This also makes it harder for attackers to exploit the browser's content-type guessing by crafting content that is sniffed as a different type.
Disable Flash from making cross-origin requests (X-Permitted-Cross-Domain-Policies) - If you do not want Flash content producers to embed your content in their products, and you want to stop Flash components from making cross-origin requests, set this header to "none" in the Web.config file as shown below.
Keep the communication channel secured using HTTPS (Strict-Transport-Security) - When this HTTP response header is used, the browser accesses the website only over HTTPS, never over plain HTTP. When HTTPS (Hypertext Transfer Protocol Secure) is used for data transmission, an attacker who gets hold of the data in transit still cannot read it, because the information is encrypted. Only the sender and the recipients who hold the key to decipher the message can read the information.
Here max-age specifies, in seconds, how long the browser should remember this setting; 1 year (31536000 seconds) is used here. includeSubDomains is an optional parameter which, when specified, applies the rule to the site's subdomains as well.
Don't share referrer details with other sites (Referrer-Policy) - If there is no need to pass referrer information to websites linked from your site, it is better to remove the referrer details entirely. This also prevents sensitive details contained in your URLs from being exposed to those sites.
The same can be applied in Web.config in the following way.
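As an added example (not code from the original article), a Python check that audits a response's header set against the values recommended above, from X-Frame-Options through Referrer-Policy, including the HSTS max-age and includeSubDomains checks; the two sample responses are constructed, not captured from any real site.

```python
# Added example, not part of the original article: audit a response's headers
# against the values the article recommends and report what is missing or weak.
EXPECTED = {  # header -> recommended value (compared case-insensitively)
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "no-referrer",
}
MIN_HSTS_AGE = 31536000  # one year, as in the article

def parse_hsts(value):
    # Returns (max_age or None, includeSubDomains flag) from an HSTS header value.
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            digits = d.split("=", 1)[1].strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_headers(headers):
    # Returns a list of findings; an empty list means every recommended header is set.
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, want in EXPECTED.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, expected {want!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        age, sub = parse_hsts(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security: max-age {age} is below {MIN_HSTS_AGE}")
        if not sub:
            findings.append("Strict-Transport-Security: includeSubDomains not set")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Security": "max-age=3600"}
HARDENED = {"X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "X-Permitted-Cross-Domain-Policies": "none",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Referrer-Policy": "no-referrer"}
```

Running `audit_headers(WEAK)` lists seven findings (the SAMEORIGIN mismatch, four missing headers, the short max-age and the missing includeSubDomains), while `audit_headers(HARDENED)` returns an empty list.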