-
-
Save The-Scott/5418def8881d293476292f09b3e3bdb2 to your computer and use it in GitHub Desktop.
The Bare Minimum Web.Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <configuration> | |
| <system.webServer> | |
| <httpProtocol> | |
| <customHeaders> | |
| <!-- Remove the X-Powered-By header --> | |
| <remove name="X-Powered-By" /> | |
| <!-- Add the HTTP Strict Transport Security (HSTS) header to enforce HTTPS 31536000--> | |
| <add name="Strict-Transport-Security" value="max-age=31536000"/> | |
| <!-- X-Frame-Options prevents framing in another site (Clickjacking / UI Redressing attacks) --> | |
| <!-- SAMEORIGIN required to retrieve token from Graph API --> | |
| <add name="X-Frame-Options" value="SAMEORIGIN" /> | |
| <!-- X-XSS-Protection protection header blocks all requests that contain XSS attacks --> | |
| <add name="X-XSS-Protection" value="1; mode=block" /> | |
| <!-- X-Content-Type-Options header prevents MIME sniffing--> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <!-- Content Security Policy (CPS) header sets a whitelist of sources for loading scripts, styles etc --> | |
| <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self' ; font-src 'self' ; style-src 'self''; connect-src https:"/> | |
| <!-- Feature Policy, for limiting access to Mobile Device Actions. Use all Defaults --> | |
| <add name="Feature-Policy" value=""/> | |
| <!-- Referrer Policy, for controlling how and when the browser sends the 'Referrer: URL' request header --> | |
| <add nome="Referrer-Policy" value="strict-origin"> | |
| </customHeaders> | |
| </httpProtocol> | |
| <security> | |
| <!--- Remove the Server: IIS 10 Header --> | |
| <requestFiltering removeServerHeader="true"/> | |
| </security> | |
| </system.webServer> | |
| </configuration> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Great config. Here's a bit more updated version:
<configuration> <system.webServer> <httpProtocol> <customHeaders> <!-- Remove the X-Powered-By header --> <remove name="X-Powered-By" /> <!-- Add the HTTP Strict Transport Security (HSTS) header to enforce HTTPS 31536000--> <add name="Strict-Transport-Security" value="max-age=31536000"/> <!-- X-Frame-Options prevents framing in another site (Clickjacking / UI Redressing attacks) --> <add name="X-Frame-Options" value="deny" /> <!-- X-XSS-Protection protection header blocks all requests that contain XSS attacks --> <add name="X-XSS-Protection" value="0" /> <!-- Content Security Policy (CPS) header sets a whitelist of sources for loading scripts, styles etc --> <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self' ; font-src 'self' ; style-src 'self''; connect-src https:"/> <!-- Referrer Policy, for controlling how and when the browser sends the 'Referrer: URL' request header --> <add name="Referrer-Policy" value="strict-origin" /> <!-- X-Content-Type-Options header prevents MIME sniffing--> <add name="X-Content-Type-Options" value="nosniff" /> <!-- Permission-Policy, for limiting access to Mobile Device Actions, like Vibrate or Notification --> <add name="Permissions-Policy" value="accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), camera=(self), encrypted-media=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=()"/> </customHeaders> </httpProtocol> <security> <!--- Remove the Server: IIS 10 Header --> <requestFiltering removeServerHeader="true"/> </security> </system.webServer> </configuration>