Adding HTTP Headers to Increase IIS Security

We get asked why TechDoc doesn't have this HTTP header or that HTTP header, most often because of a security scan that was run against a server where TechDoc is running. Depending on the security tool used at your site, you may get a whole host of potential vulnerabilities displayed. We've seen tons of them come and go. Most of these headers only work in browsers that support them. If the user's browser honors the header then it helps; otherwise it doesn't do anything. That said, security is an extremely important matter, and anything you can do to potentially help even a subset of your users is better than doing nothing.

If you decide you want a new HTTP header for security or some other reason, we suggest that you add the header to IIS. Since TechDoc runs under IIS, TechDoc and any other content requests from the server will receive the header. Remember that some content installed by TechDoc is static content (HTML files, etc.) so the only way to reliably add headers to everything is at the web server level.

To add a new HTTP header, run IIS Manager, click on your server in the left panel, and double-click HTTP Response Headers in the middle panel.

Once the HTTP Response Headers dialog displays, click Add… under Actions. Fill in the name and value of the header and click OK. Repeat if necessary to add more than one header.

So why doesn't TechDoc just add all these headers to TechDoc?

  • There have been a lot of them suggested over time but like every best practice, they usually come at a cost. For your environment, you may not want to limit your users with the restriction(s) that a particular header places on them. The safest server is one that is unplugged but it's not very useful either!
  • Many headers require local decisions on how to set them. For example, some cross-site scripting headers require you to determine which domains/subdomains are allowed access. DocuBrain can't possibly know that answer for your environment.
  • Each added header takes up bandwidth and processing; not a lot but it does add up. We've seen a customer server that routinely returned HTTP responses where the headers were much larger than the content being returned.

Please keep in mind that some headers may break TechDoc functionality. We always suggest trying new headers in a test environment or during an outage. Try various TechDoc commands including creating and retrieving a new document. When in doubt about a new header or a new value, ask us. We'll be glad to help.
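
The IIS Manager steps above can also be scripted, and the same script can confirm that both static and TechDoc-generated responses carry the header before you move it out of the test environment. This is an added example, not DocuBrain's own code; the header names and values and the two URLs are constructed placeholders to replace with your own.

```powershell
# Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

# Server-level scope: the same place IIS Manager writes to when you
# select the server node and open HTTP Response Headers.
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/httpProtocol/customHeaders'

# Constructed sample set. Choose headers and values for your own environment.
$headers = [ordered]@{
    'X-Content-Type-Options' = 'nosniff'
    'X-Frame-Options'        = 'SAMEORIGIN'
}

foreach ($name in $headers.Keys) {
    $entry = "$filter/add[@name='$name']"
    if (Get-WebConfiguration -PSPath $psPath -Filter $entry) {
        # Header already defined at this level: update the value in place.
        Set-WebConfigurationProperty -PSPath $psPath -Filter $entry `
            -Name 'value' -Value $headers[$name]
    } else {
        # Equivalent of Add... under Actions in the HTTP Response Headers dialog.
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter `
            -Name '.' -Value @{ name = $name; value = $headers[$name] }
    }
}

# Check one static file and one application response (placeholder URLs).
$urls = @(
    'https://techdoc.example.test/static-page.html',
    'https://techdoc.example.test/dynamic-request'
)

foreach ($url in $urls) {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    foreach ($name in $headers.Keys) {
        $state = if ($resp.Headers.ContainsKey($name)) { 'present' } else { 'MISSING' }
        '{0,-8} {1} on {2}' -f $state, $name, $url
    }
}
```

A header reported as MISSING on only one of the two URLs usually means it was set at a site or application level rather than at the server level.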
