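<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS / ASP.NET web.config fragment that suppresses server-identifying response
  headers and adds a baseline set of browser security headers.
  Each header is documented where it is added; the comments describe what the
  configured value actually does, not what the header can do in general.
-->
<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- Drops the Server header. Honoured by IIS 10 and later and by Azure Web Apps. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Start from an empty set so headers inherited from applicationHost.config are not sent. -->
        <clear />
        <!-- X-Powered-By: ASP.NET is inherited from the server level; removing it explicitly is
             belt-and-braces alongside the clear above and costs nothing. -->
        <remove name="X-Powered-By" />

        <!-- Only same-origin pages may frame this site. The CSP frame-ancestors directive is the
             modern equivalent and takes precedence in browsers that support it. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Value 0 explicitly disables the legacy reflective-XSS auditor. The auditor was removed
             from Chromium-based browsers and never existed in Firefox; in the browsers that still
             have it, the "1; mode=block" setting can itself be abused as an information leak, which
             is why current guidance is to turn it off. Rely on Content-Security-Policy and proper
             output encoding instead. -->
        <add name="X-XSS-Protection" value="0" />

        <!-- Browsers must honour the declared Content-Type and not MIME-sniff the response. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- NOTE: this value does not restrict where scripts, styles or images load from.
             block-all-mixed-content stops HTTP subresources on an HTTPS page (deprecated in favour
             of upgrade-insecure-requests); base-uri 'self' prevents an injected <base> tag from
             redirecting relative URLs. Add default-src / script-src directives to get source
             allow-listing. Avoid 'unsafe-inline' unless unavoidable. https://content-security-policy.com/ -->
        <add name="Content-Security-Policy" value="block-all-mixed-content; base-uri 'self'" />

        <!-- Sends the full referrer to same-scheme destinations and no referrer on an HTTPS to HTTP
             downgrade. This is unrelated to CORS. strict-origin-when-cross-origin (the current
             browser default) leaks less to third parties if full cross-origin referrers are not needed.
             https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

        <!-- HSTS: browsers connect over HTTPS only, for this host and all subdomains, for one year.
             preload marks the site as eligible for the browser preload lists; keep it only if every
             subdomain serves HTTPS, since removal from the lists takes a long time.
             https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />

        <!-- Denies microphone and geolocation access. Feature-Policy is the legacy header and is
             kept for older browsers; Permissions-Policy is its successor with structured-header
             syntax and is what current browsers read.
             https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy -->
        <add name="Feature-Policy" value="microphone 'none'; geolocation 'none'" />
        <add name="Permissions-Policy" value="microphone=(), geolocation=()" />

        <!-- Tells Flash and Acrobat clients that no cross-domain policy file may be used to load
             data from this origin. -->
        <add name="X-Permitted-Cross-Domain-Policies" value="none" />

        <!-- Expect-CT is deprecated: Certificate Transparency is now mandatory for publicly trusted
             certificates and current Chromium ignores the header. Kept for compatibility; safe to drop. -->
        <add name="Expect-CT" value="max-age=86400, enforce" />
      </customHeaders>
      <redirectHeaders>
        <!-- Do not carry inherited custom headers onto IIS-generated redirect responses. -->
        <clear />
      </redirectHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>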