The-Scott/gold-standard-web.config Secret

## gold-standard-web.config
Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:"
Feature-Policy "accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; camera 'self'; encrypted-media 'self'; geolocation 'self'; gyroscope 'self'; magnetometer 'self'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'"
Referrer-Policy "strict-origin"


<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove the X-Powered-By header -->
        <remove name="X-Powered-By" />
        <!-- Add the HTTP Strict Transport Security (HSTS) header to enforce HTTPS 31536000-->
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
        <!-- X-Frame-Options prevents framing in another site (Clickjacking / UI Redressing attacks) -->
        <!-- SAMEORIGIN required to retrieve token from Graph API -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- X-XSS-Protection protection header blocks all requests that contain XSS attacks -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- X-Content-Type-Options header prevents MIME sniffing-->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Content Security Policy (CPS) header sets a whitelist of sources for loading scripts, styles etc -->
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:;"/>
        <!-- Feature Policy, for limiting access to Mobile Device Actions, like Vibrate or Notification -->
        <add name="accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; camera 'self'; encrypted-media 'self'; geolocation 'self'; gyroscope 'self'; magnetometer 'self'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none';"/>
        <!-- Referrer Policy, for controlling how and when the browser sends the 'Referrer: URL' request header -->
        <add name="Referrer-Policy" value="strict-origin"  />
      </customHeaders>
    </httpProtocol>
    <security>
      <!--- Remove the Server: IIS 10 Header -->
      <requestFiltering removeServerHeader="true"/>
    </security>
  </system.webServer>
</configuration>
	Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:"
	Feature-Policy "accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; camera 'self'; encrypted-media 'self'; geolocation 'self'; gyroscope 'self'; magnetometer 'self'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'"
	Referrer-Policy "strict-origin"


	<configuration>
	<system.webServer>
	<httpProtocol>
	<customHeaders>
	<!-- Remove the X-Powered-By header -->
	<remove name="X-Powered-By" />
	<!-- Add the HTTP Strict Transport Security (HSTS) header to enforce HTTPS 31536000-->
	<add name="Strict-Transport-Security" value="max-age=31536000"/>
	<!-- X-Frame-Options prevents framing in another site (Clickjacking / UI Redressing attacks) -->
	<!-- SAMEORIGIN required to retrieve token from Graph API -->
	<add name="X-Frame-Options" value="DENY" />
	<!-- X-XSS-Protection protection header blocks all requests that contain XSS attacks -->
	<add name="X-XSS-Protection" value="1; mode=block" />
	<!-- X-Content-Type-Options header prevents MIME sniffing-->
	<add name="X-Content-Type-Options" value="nosniff" />
	<!-- Content Security Policy (CPS) header sets a whitelist of sources for loading scripts, styles etc -->
	<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; connect-src https:;"/>
	<!-- Feature Policy, for limiting access to Mobile Device Actions, like Vibrate or Notification -->
	<add name="accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; camera 'self'; encrypted-media 'self'; geolocation 'self'; gyroscope 'self'; magnetometer 'self'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none';"/>
	<!-- Referrer Policy, for controlling how and when the browser sends the 'Referrer: URL' request header -->
	<add name="Referrer-Policy" value="strict-origin" />
	</customHeaders>
	</httpProtocol>
	<security>
	<!--- Remove the Server: IIS 10 Header -->
	<requestFiltering removeServerHeader="true"/>
	</security>
	</system.webServer>
	</configuration>