Last active
May 11, 2022 16:51
-
-
Save EmpeRoar/c596f13435683ae860b86089ea6de51a to your computer and use it in GitHub Desktop.
custom headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ``` | |
| <httpProtocol> | |
| <customHeaders> | |
| <remove name="X-Powered-By" /> | |
| <!-- SECURITY HEADERS - https://securityheaders.io/? --> | |
| <!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 --> | |
| <add name="X-Frame-Options" value="SAMEORIGIN" /> | |
| <!-- Protects against Clickjacking attacks. ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet --> | |
| <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/> | |
| <!-- Protects against XSS injections. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ --> | |
| <!-- <add name="X-XSS-Protection" value="1; mode=block" /> --> | |
| <add name="X-XSS-Protection" value="0" /> | |
| <!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ --> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <!-- CSP modern XSS directive-based defence, used since 2014. ref.: http://content-security-policy.com/ --> | |
| <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" /> | |
| <!-- Prevents from leaking referrer data over insecure connections. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ --> | |
| <!-- <add name="Referrer-Policy" value="strict-origin" /> --> | |
| <add name="Referrer-Policy" value="strict-origin-when-cross-origin" /> | |
| </customHeaders> | |
| </httpProtocol> | |
| ``` | |
| ``` | |
| <httpProtocol> | |
| <customHeaders> | |
| <add name="X-XSS-Protection" value="0"> | |
| <add name="X-Content-Type-Options" value="nosniff"> | |
| <add name="Content-Security-Policy" value="default-src 'self'"> | |
| <add name="Referrer-Policy" value="string-origin-when-cross-origin"> | |
| </customHeaders> | |
| </httpProtocol> | |
| ``` | |
| ``` | |
| <?xml version="1.0" encoding="utf-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <rewrite> | |
| <rules> | |
| <rule name="Angular Routes" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions logicalGrouping="MatchAll"> | |
| <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" /> | |
| <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" /> | |
| </conditions> | |
| <action type="Rewrite" url="./index.html" /> | |
| </rule> | |
| </rules> | |
| </rewrite> | |
| <httpProtocol> | |
| <customHeaders> | |
| <add name="X-XSS-Protection" value="0" /> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <add name="Content-Security-Policy" value="default-src 'self'; connect-src http://localhost:8031 http://localhost:8032" /> | |
| <add name="Referrer-Policy" value="strict-origin-when-cross-origin" /> | |
| </customHeaders> | |
| </httpProtocol> | |
| </system.webServer> | |
| </configuration> | |
| ``` | |
| ### x | |
| ``` | |
| <?xml version="1.0" encoding="utf-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <rewrite> | |
| <rules> | |
| <rule name="Angular Routes" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions logicalGrouping="MatchAll"> | |
| <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" /> | |
| <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" /> | |
| </conditions> | |
| <action type="Rewrite" url="./index.html" /> | |
| </rule> | |
| </rules> | |
| </rewrite> | |
| <httpProtocol> | |
| <customHeaders> | |
| <add name="X-XSS-Protection" value="0" /> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <add name="Content-Security-Policy" | |
| value="default-src 'self'; | |
| style-src 'self' 'unsafe-hashes' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='; | |
| script-src 'self' 'unsafe-hashes' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='; | |
| media-src *; | |
| connect-src http://192.168.1.19:8051; | |
| frame-src https://auth0federationexercise.auth0.com/" /> | |
| <add name="Referrer-Policy" value="string-origin-when-cross-origin" /> | |
| </customHeaders> | |
| </httpProtocol> | |
| </system.webServer> | |
| </configuration> | |
| ``` | |
| ``` | |
| <httpProtocol> | |
| <customHeaders> | |
| <add name="X-XSS-Protection" value="0" /> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <add name="Content-Security-Policy" | |
| value="default-src 'self' 'unsafe-inline'; | |
| connect-src ::ip-here ::ip-here ::ip-here; | |
| frame-src ::ip-here/; | |
| img-src *" /> | |
| <add name="Referrer-Policy" value="string-origin-when-cross-origin" /> | |
| </customHeaders> | |
| </httpProtocol> | |
| ``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment