The Draconian WebConfig
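<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS web.config hardening fragment: response security headers plus
  request-filtering rules for a GET-only web application.
  Every header listed under customHeaders is emitted on every response.
-->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove the X-Powered-By header (framework disclosure). -->
        <remove name="X-Powered-By" />
        <!-- HTTP Strict Transport Security: a browser that has seen this header
             over HTTPS uses HTTPS only for the next 31536000 s (one year).
             Append "; includeSubDomains" once every subdomain serves HTTPS. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- X-Frame-Options DENY forbids framing by any origin (clickjacking /
             UI redressing). If a same-origin frame is ever required (the original
             note mentioned retrieving a token from the Graph API), change this to
             SAMEORIGIN and the CSP frame-ancestors directive below to 'self'. -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- X-XSS-Protection only drives the legacy XSS auditor of older browsers;
             current browsers ignore it. The Content-Security-Policy below is the
             effective XSS control, so do not rely on this header. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- X-Content-Type-Options nosniff stops MIME-type sniffing. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Content Security Policy (CSP): allow-list of sources for scripts, styles,
             images etc. "connect-src https:" permits XHR/fetch to ANY https origin,
             narrow it to the APIs the app actually calls. frame-ancestors 'none'
             mirrors X-Frame-Options DENY for CSP-aware browsers (it does not
             inherit from default-src). Consider adding "base-uri 'self'" as well. -->
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:; frame-ancestors 'none'" />
        <!-- Feature-Policy (legacy header name) disables device features such as
             camera, microphone and geolocation. Kept for older browsers; the
             Permissions-Policy header below is the current form of the same policy
             (speaker and vr are not recognised there; vr became xr-spatial-tracking). -->
        <add name="Feature-Policy" value="accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';"/>
        <add name="Permissions-Policy" value="accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), usb=(), xr-spatial-tracking=()" />
        <!-- Referrer-Policy controls when the browser sends the Referer request header.
             "none" is not a valid value (browsers ignore it and use their default);
             no-referrer suppresses the Referer header entirely, which is what
             the original setting intended. -->
        <add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- removeServerHeader drops the Server response header (IIS 10 and later). -->
      <requestFiltering removeServerHeader="true">
        <!-- Allow GET only. allowUnlisted="false" turns the verb list into an
             allow-list, so every other verb (HEAD, OPTIONS, POST, PUT, DELETE,
             CONNECT, TRACE, PATCH, ...) is rejected with 404.6 (Verb Denied).
             The previous deny-list still let unlisted verbs such as OPTIONS through.
             Denying HEAD can break load-balancer or uptime probes that use it;
             add an explicit allowed="true" entry for HEAD if such probes exist. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>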