themorgantown/web.config

## web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <configSections>
    </configSections>
    <connectionStrings />

    <system.web>
        <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
        <compilation debug="true" targetFramework="4.0" />

        <!-- Security through obscurity, removes  X-AspNet-Version HTTP header from the response -->
        <httpRuntime enableVersionHeader="false" />

        <authentication mode="Windows" />

        <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

            <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
                <error statusCode="403" redirect="NoAccess.htm" />
                <error statusCode="404" redirect="FileNotFound.htm" />
            </customErrors>
        -->
        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="404" redirect="404.html" />
        </customErrors>

        <sessionState mode="InProc" customProvider="DefaultSessionProvider">
            <providers>
                <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
            </providers>
        </sessionState>
    </system.web>

    <system.webServer>
        <!-- GZip static file content.  Overrides the server default which only compresses static files over 2700 bytes -->
        <httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
            <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
            <staticTypes>
                <add mimeType="text/*" enabled="true" />
                <add mimeType="message/*" enabled="true" />
                <add mimeType="application/javascript" enabled="true" />
                <add mimeType="application/json" enabled="true" />
                <add mimeType="*/*" enabled="false" />
            </staticTypes>
        </httpCompression>
        <directoryBrowse enabled="false" />
        <validation validateIntegratedModeConfiguration="false" />
        <modules runAllManagedModulesForAllRequests="true" />
        <urlCompression doStaticCompression="true" />
        <staticContent>
            <!-- Set expire headers to 30 days for static content-->
            <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
            <!-- use utf-8 encoding for anything served text/plain or text/html -->
            <remove fileExtension=".css" />
            <mimeMap fileExtension=".css" mimeType="text/css" />
            <remove fileExtension=".js" />
            <mimeMap fileExtension=".js" mimeType="application/javascript" />
            <remove fileExtension=".json" />
            <mimeMap fileExtension=".json" mimeType="application/json" />
            <remove fileExtension=".rss" />
            <mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8" />
            <remove fileExtension=".html" />
            <mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8" />
            <remove fileExtension=".xml" />
            <mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8" />
            <!-- HTML5 Audio/Video mime types-->
            <remove fileExtension=".mp3" />
            <mimeMap fileExtension=".mp3" mimeType="audio/mpeg" />
            <remove fileExtension=".mp4" />
            <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
            <remove fileExtension=".ogg" />
            <mimeMap fileExtension=".ogg" mimeType="audio/ogg" />
            <remove fileExtension=".ogv" />
            <mimeMap fileExtension=".ogv" mimeType="video/ogg" />
            <remove fileExtension=".webm" />
            <mimeMap fileExtension=".webm" mimeType="video/webm" />
            <!-- Proper svg serving. Required for svg webfonts on iPad -->
            <remove fileExtension=".svg" />
            <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
            <remove fileExtension=".svgz" />
            <mimeMap fileExtension=".svgz" mimeType="image/svg+xml" />
            <!-- HTML4 Web font mime types -->
            <!-- Remove default IIS mime type for .eot which is application/octet-stream -->
            <remove fileExtension=".eot" />
            <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
            <remove fileExtension=".ttf" />
            <mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf" />
            <remove fileExtension=".ttc" />
            <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
            <remove fileExtension=".otf" />
            <mimeMap fileExtension=".otf" mimeType="font/otf" />
            <remove fileExtension=".woff" />
            <mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
            <remove fileExtension=".crx" />
            <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
            <remove fileExtension=".xpi" />
            <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
            <remove fileExtension=".safariextz" />
            <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
            <!-- Flash Video mime types-->
            <remove fileExtension=".flv" />
            <mimeMap fileExtension=".flv" mimeType="video/x-flv" />
            <remove fileExtension=".f4v" />
            <mimeMap fileExtension=".f4v" mimeType="video/mp4" />
            <!-- Asorted types -->
            <remove fileExtension=".ico" />
            <mimeMap fileExtension=".ico" mimeType="image/x-icon" />
            <remove fileExtension=".webp" />
            <mimeMap fileExtension=".webp" mimeType="image/webp" />
            <remove fileExtension=".appcache" />
            <mimeMap fileExtension=".appcache" mimeType="text/cache-manifest" />
            <remove fileExtension=".manifest" />
            <mimeMap fileExtension=".manifest" mimeType="text/cache-manifest" />
            <remove fileExtension=".htc" />
            <mimeMap fileExtension=".htc" mimeType="text/x-component" />
            <remove fileExtension=".crx" />
            <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
            <remove fileExtension=".xpi" />
            <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
            <remove fileExtension=".safariextz" />
            <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
            <remove fileExtension=".vcf" />
            <mimeMap fileExtension=".vcf" mimeType="text/x-vcard" />
        </staticContent>
        <httpProtocol>
            <customHeaders>

                <!--#### SECURITY Related Headers ###-->
                <!--
                # Access-Control-Allow-Origin
                The 'Access Control Allow Origin' HTTP header is used to control which
                sites are allowed to bypass same origin policies and send cross-origin requests.

                Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
                header restricting it to only a trusted set of sites.
                http://enable-cors.org/

                <add name="Access-Control-Allow-Origin" value="*" />
                -->

                <!--
                # Cache-Control
                The 'Cache-Control' response header controls how pages can be cached
                either by proxies or the users browser.
                This response header can provide enhanced privacy by not caching
                sensitive pages in the users browser cache.

                <add name="Cache-Control" value="no-store, no-cache"/>
                -->

                <!--
                # Strict-Transport-Security
                The HTTP Strict Transport Security header is used to control
                if the browser is allowed to only access a site over a secure connection
                and how long to remember the server response for, forcing continued usage.
                Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
                <add name="Strict-Transport-Security" value="max-age=15768000"/>
                -->

                <!--
                # X-Frame-Options
                The X-Frame-Options header indicates whether a browser should be allowed
                to render a page within a frame or iframe.
                The valid options are DENY (deny allowing the page to exist in a frame)
                or SAMEORIGIN (allow framing but only from the originating host)
                Without this option set the site is at a higher risk of click-jacking.

                <add name="X-Frame-Options" value="SAMEORIGIN" />
                -->

                <!--
                # X-XSS-Protection
                The X-XSS-Protection header is used by Internet Explorer version 8+
                The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
                If enabled, without 'mode=block', there is an increased risk that
                otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable

                <add name="X-XSS-Protection" value="1; mode=block"/>
                -->

                <!-- A little extra security (by obscurity) -->
                <remove name="X-Powered-By" />

                <!--//#### SECURITY Related Headers ###-->

                <!--
                # E-TAGS
                E-Tags are actually quite useful in cache management especially if you have a front-end caching server
                such as Varnish. http://en.wikipedia.org/wiki/HTTP_ETag / http://developer.yahoo.com/performance/rules.html#etags
                But in load balancing and simply most cases ETags are mishandled in IIS; and it can be advantageous to remove them.
                This is simply done by overriding the default server header with an empty tag.
                See http://bytestopshere.wordpress.com/2009/02/02/disable-remove-etags-on-iis-6-to-improve-performance/

                <add name="E-TAG" value="" />
                -->

                <!--
                Force the latest IE version, in various cases when it may fall back to IE7 mode
                github.com/rails/rails/commit/123eb25#commitcomment-118920
                Use ChromeFrame if it's installed for a better experience for the poor IE folk
                -->
                <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
                <!--
                Allow cookies to be set from iframes (for IE only)
                If needed, uncomment and specify a path or regex in the Location directive

                <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;" />
                -->
            </customHeaders>
        </httpProtocol>

        <!--
        <rewrite>
            <rules>

            Remove/force the WWW from the URL.
            Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
            Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0

            NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
            http://www.microsoft.com/web/downloads/platform.aspx

            ** Important Note
            using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
            (eg. fast cdn-like access of static resources like css, js and images) impossible.

            # IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!

                <rule name="Remove WWW" stopProcessing="true">
                    <match url="^(.*)$" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
                    </conditions>
                    <action type="Redirect" url="http://example.com{PATH_INFO}" redirectType="Permanent" />
                </rule>
                <rule name="Force WWW" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="^example.com$" />
                    </conditions>
                    <action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
                </rule>
            -->
            <!--
            ### Built-in filename-based cache busting

            If you're not using the build script to manage your filename version revving,
            you might want to consider enabling this, which will route requests for
            /css/style.20110203.css to /css/style.css

            To understand why this is important and a better idea than all.css?v1231,
            read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting

                <rule name="Cachebusting">
                    <match url="^(.+)\.\d+(\.(js|css|png|jpg|gif)$)" />
                    <action type="Rewrite" url="{R:1}{R:2}" />
                </rule>

            </rules>
        </rewrite>-->

    </system.webServer>
</configuration>
	<?xml version="1.0" encoding="UTF-8"?>
	<configuration>
	<configSections>
	</configSections>
	<connectionStrings />

	<system.web>
	<!--
	Set compilation debug="true" to insert debugging
	symbols into the compiled page. Because this
	affects performance, set this value to true only
	during development.
	-->
	<compilation debug="true" targetFramework="4.0" />

	<!-- Security through obscurity, removes X-AspNet-Version HTTP header from the response -->
	<httpRuntime enableVersionHeader="false" />

	<authentication mode="Windows" />

	<!--
	The <customErrors> section enables configuration
	of what to do if/when an unhandled error occurs
	during the execution of a request. Specifically,
	it enables developers to configure html error pages
	to be displayed in place of a error stack trace.

	<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
	<error statusCode="403" redirect="NoAccess.htm" />
	<error statusCode="404" redirect="FileNotFound.htm" />
	</customErrors>
	-->
	<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
	<error statusCode="404" redirect="404.html" />
	</customErrors>

	<sessionState mode="InProc" customProvider="DefaultSessionProvider">
	<providers>
	<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
	</providers>
	</sessionState>
	</system.web>

	<system.webServer>
	<!-- GZip static file content. Overrides the server default which only compresses static files over 2700 bytes -->
	<httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
	<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
	<staticTypes>
	<add mimeType="text/*" enabled="true" />
	<add mimeType="message/*" enabled="true" />
	<add mimeType="application/javascript" enabled="true" />
	<add mimeType="application/json" enabled="true" />
	<add mimeType="/" enabled="false" />
	</staticTypes>
	</httpCompression>
	<directoryBrowse enabled="false" />
	<validation validateIntegratedModeConfiguration="false" />
	<modules runAllManagedModulesForAllRequests="true" />
	<urlCompression doStaticCompression="true" />
	<staticContent>
	<!-- Set expire headers to 30 days for static content-->
	<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
	<!-- use utf-8 encoding for anything served text/plain or text/html -->
	<remove fileExtension=".css" />
	<mimeMap fileExtension=".css" mimeType="text/css" />
	<remove fileExtension=".js" />
	<mimeMap fileExtension=".js" mimeType="application/javascript" />
	<remove fileExtension=".json" />
	<mimeMap fileExtension=".json" mimeType="application/json" />
	<remove fileExtension=".rss" />
	<mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8" />
	<remove fileExtension=".html" />
	<mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8" />
	<remove fileExtension=".xml" />
	<mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8" />
	<!-- HTML5 Audio/Video mime types-->
	<remove fileExtension=".mp3" />
	<mimeMap fileExtension=".mp3" mimeType="audio/mpeg" />
	<remove fileExtension=".mp4" />
	<mimeMap fileExtension=".mp4" mimeType="video/mp4" />
	<remove fileExtension=".ogg" />
	<mimeMap fileExtension=".ogg" mimeType="audio/ogg" />
	<remove fileExtension=".ogv" />
	<mimeMap fileExtension=".ogv" mimeType="video/ogg" />
	<remove fileExtension=".webm" />
	<mimeMap fileExtension=".webm" mimeType="video/webm" />
	<!-- Proper svg serving. Required for svg webfonts on iPad -->
	<remove fileExtension=".svg" />
	<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
	<remove fileExtension=".svgz" />
	<mimeMap fileExtension=".svgz" mimeType="image/svg+xml" />
	<!-- HTML4 Web font mime types -->
	<!-- Remove default IIS mime type for .eot which is application/octet-stream -->
	<remove fileExtension=".eot" />
	<mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
	<remove fileExtension=".ttf" />
	<mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf" />
	<remove fileExtension=".ttc" />
	<mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
	<remove fileExtension=".otf" />
	<mimeMap fileExtension=".otf" mimeType="font/otf" />
	<remove fileExtension=".woff" />
	<mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
	<remove fileExtension=".crx" />
	<mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
	<remove fileExtension=".xpi" />
	<mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
	<remove fileExtension=".safariextz" />
	<mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
	<!-- Flash Video mime types-->
	<remove fileExtension=".flv" />
	<mimeMap fileExtension=".flv" mimeType="video/x-flv" />
	<remove fileExtension=".f4v" />
	<mimeMap fileExtension=".f4v" mimeType="video/mp4" />
	<!-- Asorted types -->
	<remove fileExtension=".ico" />
	<mimeMap fileExtension=".ico" mimeType="image/x-icon" />
	<remove fileExtension=".webp" />
	<mimeMap fileExtension=".webp" mimeType="image/webp" />
	<remove fileExtension=".appcache" />
	<mimeMap fileExtension=".appcache" mimeType="text/cache-manifest" />
	<remove fileExtension=".manifest" />
	<mimeMap fileExtension=".manifest" mimeType="text/cache-manifest" />
	<remove fileExtension=".htc" />
	<mimeMap fileExtension=".htc" mimeType="text/x-component" />
	<remove fileExtension=".crx" />
	<mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
	<remove fileExtension=".xpi" />
	<mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
	<remove fileExtension=".safariextz" />
	<mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
	<remove fileExtension=".vcf" />
	<mimeMap fileExtension=".vcf" mimeType="text/x-vcard" />
	</staticContent>
	<httpProtocol>
	<customHeaders>

	<!--#### SECURITY Related Headers ###-->
	<!--
	# Access-Control-Allow-Origin
	The 'Access Control Allow Origin' HTTP header is used to control which
	sites are allowed to bypass same origin policies and send cross-origin requests.

	Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
	header restricting it to only a trusted set of sites.
	http://enable-cors.org/

	<add name="Access-Control-Allow-Origin" value="*" />
	-->

	<!--
	# Cache-Control
	The 'Cache-Control' response header controls how pages can be cached
	either by proxies or the users browser.
	This response header can provide enhanced privacy by not caching
	sensitive pages in the users browser cache.

	<add name="Cache-Control" value="no-store, no-cache"/>
	-->

	<!--
	# Strict-Transport-Security
	The HTTP Strict Transport Security header is used to control
	if the browser is allowed to only access a site over a secure connection
	and how long to remember the server response for, forcing continued usage.
	Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
	<add name="Strict-Transport-Security" value="max-age=15768000"/>
	-->

	<!--
	# X-Frame-Options
	The X-Frame-Options header indicates whether a browser should be allowed
	to render a page within a frame or iframe.
	The valid options are DENY (deny allowing the page to exist in a frame)
	or SAMEORIGIN (allow framing but only from the originating host)
	Without this option set the site is at a higher risk of click-jacking.

	<add name="X-Frame-Options" value="SAMEORIGIN" />
	-->

	<!--
	# X-XSS-Protection
	The X-XSS-Protection header is used by Internet Explorer version 8+
	The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
	If enabled, without 'mode=block', there is an increased risk that
	otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable

	<add name="X-XSS-Protection" value="1; mode=block"/>
	-->

	<!-- A little extra security (by obscurity) -->
	<remove name="X-Powered-By" />

	<!--//#### SECURITY Related Headers ###-->

	<!--
	# E-TAGS
	E-Tags are actually quite useful in cache management especially if you have a front-end caching server
	such as Varnish. http://en.wikipedia.org/wiki/HTTP_ETag / http://developer.yahoo.com/performance/rules.html#etags
	But in load balancing and simply most cases ETags are mishandled in IIS; and it can be advantageous to remove them.
	This is simply done by overriding the default server header with an empty tag.
	See http://bytestopshere.wordpress.com/2009/02/02/disable-remove-etags-on-iis-6-to-improve-performance/

	<add name="E-TAG" value="" />
	-->

	<!--
	Force the latest IE version, in various cases when it may fall back to IE7 mode
	github.com/rails/rails/commit/123eb25#commitcomment-118920
	Use ChromeFrame if it's installed for a better experience for the poor IE folk
	-->
	<add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
	<!--
	Allow cookies to be set from iframes (for IE only)
	If needed, uncomment and specify a path or regex in the Location directive

	<add name="P3P" value="policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"" />
	-->
	</customHeaders>
	</httpProtocol>

	<!--
	<rewrite>
	<rules>

	Remove/force the WWW from the URL.
	Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
	Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0

	NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
	http://www.microsoft.com/web/downloads/platform.aspx

	** Important Note
	using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
	(eg. fast cdn-like access of static resources like css, js and images) impossible.

	# IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!

	<rule name="Remove WWW" stopProcessing="true">
	<match url="^(.*)$" />
	<conditions>
	<add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
	</conditions>
	<action type="Redirect" url="http://example.com{PATH_INFO}" redirectType="Permanent" />
	</rule>
	<rule name="Force WWW" stopProcessing="true">
	<match url=".*" />
	<conditions>
	<add input="{HTTP_HOST}" pattern="^example.com$" />
	</conditions>
	<action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
	</rule>
	-->
	<!--
	### Built-in filename-based cache busting

	If you're not using the build script to manage your filename version revving,
	you might want to consider enabling this, which will route requests for
	/css/style.20110203.css to /css/style.css

	To understand why this is important and a better idea than all.css?v1231,
	read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting

	<rule name="Cachebusting">
	<match url="^(.+)\.\d+(\.(js\|css\|png\|jpg\|gif)$)" />
	<action type="Rewrite" url="{R:1}{R:2}" />
	</rule>

	</rules>
	</rewrite>-->

	</system.webServer>
	</configuration>