Tags: iis, header, content-security-policy, iis-10

IIS set header with url rewrite for 3xx response


After a pentest, they found that:

The web server does not provide the Content-Security-Policy header on HTTP responses with status codes belonging to the 4xx class and on HTTP responses with status codes belonging to the 3xx class for subpaths of the following URLs:

For the 4xx I had created a custom page and set IIS to use it in that case, but for the 3xx I don't know how to use URL Rewrite. I looked on SO and on the web but did not find a working solution. Can someone help me by giving an example? Thanks in advance.


Solution

  • As mentioned in the doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status#redirection_messages , the 3xx responses you mention belong to the redirection message class.

    but for the 3xx I don't know how to use URL Rewrite. I looked on SO and on the web but did not find a working solution

    Usually we don't need to deal with this status, because strictly speaking it is not a failed request. Although it does not directly return the correct result, it completes part of it.

    For example, when a client requests a page, the server returns 301 Moved Permanently, and eventually the client is redirected to another page based on the Location address in the response header, with a response status of 200 OK.

    In this process, the 301 response is more of a transitional state than a final state, so I think you don't have to deal with it unless you have a special need.
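Scanners nevertheless check every response the server emits, not only the final 200, so the finding will come back until the header is present on redirects and error pages as well. The web.config fragment below is an added example, not part of the answer above or of any Microsoft documentation: it is one way to get the header onto 3xx (and 4xx) responses with the IIS URL Rewrite module, which the question asked for. An outbound rule runs after the response has been produced, whatever its status code, so a single rule covers both findings. The rule name, the site layout and the policy value are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for the site root. It assumes the IIS URL Rewrite
     module is installed; the rule name and CSP value are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Set Content-Security-Policy on every response. Outbound rules are
             evaluated on the response IIS is about to send, so 301/302 redirects
             issued by URL Rewrite inbound rules, httpRedirect or the application,
             and 404/500 custom error pages, all receive the header. -->
        <rule name="Add Content-Security-Policy" enabled="true">
          <!-- RESPONSE_<Header> is the outbound server variable for a response
               header, written with underscores in place of hyphens. pattern=".*"
               also matches when the header is absent, so the action always runs. -->
          <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
          <!-- Placeholder policy: replace with the policy the application really
               needs. "Rewrite" overwrites any value the handler already set. -->
          <action type="Rewrite"
                  value="default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two checks worth doing after deploying this. First, request a path that redirects and a path that does not exist with an HTTP client that does not follow redirects (for example `curl -sI` against both URLs) and confirm the Content-Security-Policy line appears on the 301/302 and on the 404, not only on the 200. Second, because the action overwrites rather than appends, make sure the application does not already send a stricter policy from code or from `<customHeaders>`; if it does, either move the policy into this one rule or change the match pattern to `^$` so the rule only fills in the header when it is missing.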