OWASP Top Ten to Secure SharePoint Public Site (Part 4)

At this point, I believe you have fully configured the reverse proxy for the SharePoint portal. Your portal is now behind an application firewall, IIS ARR. Since all traffic now goes back and forth through the reverse proxy, we have the freedom to modify the response from SharePoint before it arrives at the client browser.

The next step is to clean up the response headers. You can remove Origin-By and add the SAMEORIGIN restriction to the response header by modifying web.config on the reverse proxy like this:

Some of the SharePoint-related response headers must be removed using an HTTP module. You can add an HTTP module processor to the reverse proxy by modifying web.config like this:
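Both web.config changes described above, as an added example rather than the author's original configuration. It assumes the header being removed is IIS's default `X-Powered-By`, that the SAMEORIGIN restriction is delivered through `X-Frame-Options`, and the module name, type and assembly are hypothetical placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config of the reverse proxy site (IIS with ARR), not of SharePoint itself -->
<configuration>
  <system.webServer>

    <httpProtocol>
      <customHeaders>
        <!-- Assumption: X-Powered-By is the header to strip. <remove> drops
             the entry inherited from the server-level configuration. -->
        <remove name="X-Powered-By" />

        <!-- Remove any inherited X-Frame-Options first so the <add> below
             does not fail with a duplicate-entry configuration error. -->
        <remove name="X-Frame-Options" />

        <!-- SAMEORIGIN: browsers refuse to render the portal inside a frame
             hosted on another origin, which blocks clickjacking overlays. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>

    <modules>
      <!-- Hypothetical module: the class, namespace and assembly names are
           placeholders for an IHttpModule that strips SharePoint-specific
           response headers. The assembly goes in the proxy site's bin folder. -->
      <add name="HeaderCleanupModule"
           type="Contoso.Security.HeaderCleanupModule, Contoso.Security" />
    </modules>

  </system.webServer>
</configuration>
```

To check the result, request a page through the proxy and inspect the response headers: `X-Frame-Options: SAMEORIGIN` should be present and the removed header absent.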

In part 5 we will see how to remove X-SharePointhealth, SPRequestGuid, etc. from the response header.
