ASP.NET Web application security configurations
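<?xml version="1.0" encoding="utf-8"?>
<!-- ASP.NET / IIS hardening baseline. The following configuration should also work with Azure App Service.
     Intended to be merged into the application's web.config. Every block is a defence-in-depth layer, and
     several of them (CSP, file-extension filter, user-agent filter) must be tailored to the application. -->
<configuration>
  <system.web>
    <!-- Disable the X-AspNet-Version header and cap the request body (KB) to limit upload-based DoS.
         Both attributes belong on ONE httpRuntime element: a configuration section may appear only
         once per config file, so declaring <httpRuntime> twice fails at startup with
         "Sections must only appear once per config file". -->
    <httpRuntime enableVersionHeader="false" maxRequestLength="4096" />
    <!-- Disable debug & trace in Production -->
    <compilation debug="false" />
    <trace enabled="false" />
    <!-- Enhance cookie security: HttpOnly keeps cookies away from script, requireSSL marks them Secure.
         No SameSite attribute is set here; it depends on the framework version in use. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Avoid information leaking on errors; RemoteOnly keeps detailed errors for local requests only.
         NOTE(review): with the default redirectMode the client receives a 302 to the error page instead
         of the original 404/500 status; use redirectMode="ResponseRewrite" if the status must be kept. -->
    <customErrors mode="RemoteOnly" defaultRedirect="error.html">
      <error statusCode="404" redirect="404.html" />
      <error statusCode="500" redirect="error.html" />
    </customErrors>
    <!-- Ensure Form Login via HTTPS: the forms authentication cookie is only issued/sent over TLS -->
    <authentication>
      <forms requireSSL="true" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Strict baseline CSP. No script-src is declared, so scripts fall back to default-src 'none'
             and are blocked entirely; extend the directives to what the application actually loads. -->
        <add
          name="Content-Security-Policy"
          value="default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'"
        />
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Clickjacking protection; a CSP frame-ancestors directive is the modern equivalent -->
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-Permitted-Cross-Domain-Policies" value="none" />
        <!-- NOTE(review): the browser XSS auditor this header controls has been removed from current
             browsers and current guidance is to send "0" or omit it; kept as the author set it. -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Strip technology-disclosing headers -->
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <remove name="X-AspNetMvc-Version" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <clear />
        <!-- Let ACME HTTP-01 challenges pass over plain HTTP before the HTTPS redirect below -->
        <rule name="Allow LetsEncrypt" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/.*$" />
          <action type="None" />
        </rule>
        <!-- Permanent redirect to HTTPS for GET/HEAD only. Plain-HTTP requests with any other method
             (e.g. POST) do not satisfy these conditions, so they are NOT upgraded and continue to the
             rules below and to the application; HSTS (outbound rule) covers returning browsers. -->
        <rule name="Redirect to https" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
            <add input="{REQUEST_METHOD}" pattern="^get$|^head$" />
          </conditions>
          <action
            type="Redirect"
            url="https://{HTTP_HOST}/{R:0}"
            redirectType="Permanent"
          />
        </rule>
        <!-- Reject credentials passed in the query string (they would end up in logs and Referer headers).
             The pattern matches "password=" anywhere in the query, e.g. also "newpassword="; add any other
             parameter names the application uses for secrets. -->
        <rule
          name="Block password parameter in GET Requests"
          stopProcessing="true"
        >
          <match url=".*" />
          <conditions>
            <add input="{QUERY_STRING}" pattern="password=.*" />
          </conditions>
          <action type="CustomResponse" statusCode="400" />
        </rule>
        <!-- Path traversal sequences in the decoded URL. Note this also rejects legitimate paths that
             merely contain ".." (e.g. "a..b"). -->
        <rule name="Block directory traversal attempts" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAny">
            <add input="{UNENCODED_URL}" pattern="\.\." />
            <add input="{UNENCODED_URL}" pattern="\./" />
          </conditions>
          <action type="CustomResponse" statusCode="404" />
        </rule>
        <!-- Control characters in the URL.
             NOTE(review): {HTTP_X_ORIGINAL_URL} is derived from the X-Original-URL header; when that
             header is absent the input is empty and this condition never matches. Confirm it is populated
             in the deployment, or use {UNENCODED_URL} as the rule above does. -->
        <rule name="Block special characters in URL" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTP_X_ORIGINAL_URL}" pattern="[\x00-\x1f\x7f]+" />
          </conditions>
          <action type="CustomResponse" statusCode="400" />
        </rule>
        <!-- Request smuggling mitigation: reject requests that carry BOTH "Transfer-Encoding: chunked"
             and a Content-Length header (conditions use the default MatchAll grouping). -->
        <!-- https://msrc.microsoft.com/update-guide/vulnerability/ADV200008 -->
        <!-- https://docs.microsoft.com/en-us/answers/questions/943083/request-smuggling-filter-for-web-apps-in-app-servi.html -->
        <rule name="Block HTTP request smuggling" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_Transfer_Encoding}" pattern="chunked" />
            <add input="{HTTP_Content_Length}" pattern=".+" />
          </conditions>
          <action type="CustomResponse" statusCode="400" />
        </rule>
      </rules>
      <outboundRules>
        <!-- HSTS, only on TLS responses (one year). includeSubDomains and preload are not set; add them
             once every subdomain is known to be served over HTTPS. -->
        <rule name="Add HSTS Header" enabled="true">
          <match
            serverVariable="RESPONSE_Strict_Transport_Security"
            pattern=".*"
          />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
        <!-- Disabled alternative to removeServerHeader below: mask the Server header instead of removing it -->
        <rule name="Rewrite Server header" enabled="false">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="Apache" />
        </rule>
      </outboundRules>
    </rewrite>
    <security>
      <!-- Deny-list of client addresses. enableProxyMode evaluates the client address from the
           X-Forwarded-For header, which is only safe behind a trusted reverse proxy (such as the
           App Service front end); a directly reachable server would let clients spoof it.
           The two entries below are presumably placeholders (the second denies 2.2.2.0/24);
           replace them with real deny-list entries or drop the section. -->
      <ipSecurity allowUnlisted="true" enableProxyMode="true">
        <add allowed="false" ipAddress="1.1.1.1" />
        <add allowed="false" ipAddress="2.2.2.2" subnetMask="255.255.255.0" />
      </ipSecurity>
      <!-- Per-client rate limit: 100 requests per 3 seconds. enableLoggingOnlyMode="true" means
           offenders are only logged, not denied; set it to false to enforce the limit. -->
      <dynamicIpSecurity enableLoggingOnlyMode="true">
        <denyByRequestRate
          enabled="true"
          maxRequests="100"
          requestIntervalInMilliseconds="3000"
        />
      </dynamicIpSecurity>
      <!-- removeServerHeader requires IIS 10.0 or later -->
      <requestFiltering removeServerHeader="true">
        <filteringRules>
          <!-- Substring deny-list on User-Agent. This is noise reduction, not a security control:
               bots rotate user agents, and a broad string like "Hello" rejects any UA containing it. -->
          <filteringRule name="Block Bad User Agent" scanUrl="false" scanQueryString="false">
            <scanHeaders>
              <add requestHeader="User-Agent" />
            </scanHeaders>
            <denyStrings>
              <add string="Hello" />
              <add string="python-requests" />
              <add string="Test Certificate Info" />
              <add string="zgrab" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
        <!-- Keep data/config artefacts from being served. Denying ".xml" also blocks legitimate static
             XML such as sitemap.xml; adjust if the application serves any. -->
        <fileExtensions allowUnlisted="true" applyToWebDAV="false">
          <add fileExtension=".db" allowed="false" />
          <add fileExtension=".xml" allowed="false" />
        </fileExtensions>
        <!-- Never serve VCS metadata that was deployed by mistake -->
        <hiddenSegments>
          <add segment=".git" />
          <add segment=".svn" />
        </hiddenSegments>
        <!-- TRACE is unneeded and enables cross-site tracing -->
        <verbs>
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>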