OWASP Top Ten to Secure SharePoint Public Site (Part 4)
At this point, I believe that you have fully configured the reverse proxy for your SharePoint portal. Your portal is now behind an application firewall, IIS ARR. Since all traffic now goes back and forth through the reverse proxy, we have the freedom to modify the response from SharePoint before it arrives at the client browser. The next step is to clean up the response headers.

You can remove Origin-By and add the SAMEORIGIN restriction to the response headers by modifying web.config in the reverse proxy like this: https://gist.github.com/cakriwut/9dbf880b2dd04ec894e2667354c02084

Some of the response headers related to SharePoint must be removed using an HTTP module. You can add an HTTP module processor in the reverse proxy by modifying web.config like this: https://gist.github.com/cakriwut/6c6bff586e9f03a25911ec99175bc76a

We will see in part 5 how to remove X-SharePointhealth, SPRequestGuid etc. from the response headers.
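As an added illustration of the HTTP-module approach described above (this is example code, not the author's gists), the following IIS managed module strips SharePoint-identifying headers from the proxied response and sets X-Frame-Options to SAMEORIGIN. It assumes the ARR site runs in the IIS integrated pipeline; the header names beyond SPRequestGuid are ones SharePoint and ASP.NET are known to emit, not values taken from this page.

```csharp
// Added example: managed HTTP module for the ARR reverse proxy site.
// Register it in the proxy's web.config (integrated pipeline) after placing
// the class in App_Code or a compiled assembly in bin:
// <system.webServer><modules>
//   <add name="StripSharePointHeaders" type="StripSharePointHeadersModule" />
// </modules></system.webServer>
using System;
using System.Web;

public class StripSharePointHeadersModule : IHttpModule
{
    // Headers that disclose the backend platform; dropped before the
    // response leaves the proxy. (Assumed list, not from the original post.)
    private static readonly string[] HeadersToRemove =
    {
        "Server",
        "X-Powered-By",
        "X-AspNet-Version",
        "MicrosoftSharePointTeamServices",
        "X-SharePointHealthScore",
        "SPRequestGuid",
        "SPIisLatency",
        "SPRequestDuration",
        "request-id",
    };

    public void Init(HttpApplication app)
    {
        // Fires once the backend response is available, before headers are flushed.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null) return;

        // Response.Headers is only writable under the integrated pipeline;
        // classic mode throws PlatformNotSupportedException here.
        var headers = app.Context.Response.Headers;
        foreach (var name in HeadersToRemove)
        {
            headers.Remove(name);
        }

        // Clickjacking mitigation: allow framing only from the same origin.
        headers.Set("X-Frame-Options", "SAMEORIGIN");
    }

    public void Dispose() { }
}
```

After deploying, confirm with a browser's network panel or a plain HTTP client that the listed headers are absent and X-Frame-Options is present on responses served through the proxy.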