The Draconian WebConfig
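<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Strip the X-Powered-By response header. The X-AspNet-Version header, if present, is not
             controlled here but by <httpRuntime enableVersionHeader="false"/> under system.web. -->
        <remove name="X-Powered-By" />
        <!-- HTTP Strict Transport Security (HSTS): tells browsers to use HTTPS only for max-age seconds
             (31536000 = one year). Browsers honor it only on HTTPS responses, so emitting it on plain
             HTTP is harmless. includeSubDomains / preload are not set; add them only once every
             subdomain is served over HTTPS, since they are hard to roll back. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- X-Frame-Options: DENY forbids framing by any origin, our own included (clickjacking /
             UI-redressing defense). If a flow genuinely needs same-origin framing (the original note
             mentions a Graph API token pick-up), relax to SAMEORIGIN and change the CSP
             frame-ancestors directive below to match. -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- X-XSS-Protection enables the legacy browser XSS auditor in blocking mode. Modern browsers
             have removed the auditor and the filter itself was found to leak cross-site information;
             current guidance is to send "0" or omit it and rely on CSP. Kept as configured for older
             clients; CSP below is the effective control. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- X-Content-Type-Options: nosniff stops browsers from MIME-sniffing a response away from its
             declared Content-Type (blocks e.g. a text/plain upload being run as script). -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Content Security Policy (CSP): allow-list of sources for scripts, styles, images, fonts and
             XHR/fetch/WebSocket connections. frame-ancestors 'none' is the CSP equivalent of
             X-Frame-Options: DENY and takes precedence in browsers that support it; keep the two in
             step. base-uri and form-action do not fall back to default-src and are not restricted here. -->
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:; frame-ancestors 'none'" />
        <!-- Feature-Policy: disables device/browser capabilities (sensors, camera, microphone, payment,
             USB, ...). Feature-Policy has since been superseded by Permissions-Policy, which uses a
             different value syntax; browsers that only implement the newer header ignore this one, and
             some names listed (e.g. speaker, vr) were later dropped from the specification. -->
        <add name="Feature-Policy" value="accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';" />
        <!-- Referrer-Policy controls whether and how much of the page URL is sent in the Referer request
             header. "none" is not a defined policy token and would be ignored, leaving the browser
             default in force; no-referrer suppresses the header entirely, which is the intent here. -->
        <add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Remove the "Server: Microsoft-IIS/10.0" response header (removeServerHeader requires IIS 10). -->
      <requestFiltering removeServerHeader="true">
        <!-- Allow only GET. Request filtering answers a denied verb with HTTP 404.6 (Verb Denied), not
             406. allowUnlisted="false" makes the list exhaustive: without it any verb not named below
             (OPTIONS, DEBUG, custom verbs) would still be accepted. The explicit allowed="false" entries
             are kept for readability. Denying HEAD also breaks many load-balancer and uptime health
             checks, and denying OPTIONS breaks CORS preflight; allow them explicitly if needed. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="PUT" allowed="false" />
          <add verb="HEAD" allowed="false" />
          <add verb="POST" allowed="false" />
          <add verb="DELETE" allowed="false" />
          <add verb="CONNECT" allowed="false" />
          <add verb="TRACE" allowed="false" />
          <add verb="PATCH" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>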