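<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS / ASP.NET web.config fragment that hardens HTTP responses in two ways:
    1. strips headers that disclose the server stack (ASP.NET version, Server, X-Powered-By);
    2. adds a baseline set of browser security headers to every response.
  Header values below are the ones shipped with this file; the comments note where a
  value is weaker than it looks or where newer browser guidance has moved on, so the
  operator can decide deliberately rather than by default.
-->
<configuration>
  <system.web>
    <!-- Removes the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- Removes the Server header in IIS 10 or later and also in Azure Web Apps. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Drops every custom header inherited from parent configuration levels, so only the
             headers listed here are sent. -->
        <clear />
        <!-- Disables framing of the site by any origin other than its own (clickjacking defence). -->
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <!-- Configures the legacy reflective-XSS auditor in older Internet Explorer, Chrome and
             Safari (WebKit) builds. Current browsers have removed the auditor and current
             guidance (OWASP, MDN) favours disabling it with a value of 0 and relying on a real
             Content-Security-Policy instead; the value is left as shipped - review before reuse. -->
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <!-- Prevents browsers from MIME-sniffing a response away from the declared Content-Type. -->
        <add name="X-Content-Type-Options" value="nosniff"/>
        <!-- https://content-security-policy.com/ - CSP is the mechanism for restricting where
             scripts, styles, images and so on may be loaded from. NOTE: the value shipped here
             contains no default-src / script-src directive, so it does NOT restrict resource
             loading at all; it only blocks mixed (http on https) content and pins the document
             base URL to this origin. Add fetch directives to get real XSS mitigation; avoid
             'unsafe-inline' where possible, as it largely defeats script-src. -->
        <add name="Content-Security-Policy" value="block-all-mixed-content; base-uri 'self'"/>
        <!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy - sets the
             referrer policy: the full URL is sent as Referer except on an https to http downgrade. -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade"/>
        <!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -
             HSTS tells a browser that it must always connect over HTTPS instead of HTTP. This
             policy enforces TLS on the site and all subdomains for a year. CAUTION: 'preload'
             signals eligibility for the browser preload lists, which is effectively irreversible
             once submitted; only keep it when every subdomain already serves valid HTTPS. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload"/>
        <!-- Disables selected browser features for this document.
             https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy -
             Feature-Policy is the legacy header name; the Permissions-Policy header below carries
             the same restrictions in the syntax current browsers read. Both are sent so old and
             new browsers are covered. -->
        <add name="Feature-Policy" value="microphone 'none'; geolocation 'none'"/>
        <add name="Permissions-Policy" value="microphone=(), geolocation=()"/>
        <!-- Tells clients such as Flash and Acrobat which cross-domain policy files they may
             honour. 'none' forbids them from loading data from this domain. -->
        <add name="X-Permitted-Cross-Domain-Policies" value="none"/>
        <!-- Opts the site in to enforcement (and optionally reporting) of Certificate
             Transparency requirements, so a mis-issued certificate for the site is not silently
             accepted. NOTE: browsers now enforce CT by default and Chrome has since deprecated
             and removed support for this header; it is harmless but no longer adds protection. -->
        <add name="Expect-CT" value="max-age=86400, enforce"/>
        <!-- Removes the X-Powered-By: ASP.NET header. Redundant after the <clear /> above, which
             already drops inherited headers, but kept as an explicit safeguard in case the clear
             is removed later. -->
        <remove name="X-Powered-By" />
      </customHeaders>
      <redirectHeaders>
        <!-- Redirect responses get no inherited custom headers either. -->
        <clear />
      </redirectHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>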