
Web.config (IIS7+) and IIS6 Alternative instructions - Total Overhaul #73

Merged
merged 9 commits into from almost 2 years ago

3 participants

Chris McKee Paul Irish Andy Dawson
Chris McKee
Collaborator

See Commits Underneath

ChrisMcKee added some commits
Chris McKee ChrisMcKee Added in more security headers/overrides (headers commented out by de…
…fault) along with longer explanations as to what they do and affect

Might seem a little wordy but .net devs are used to long winded
explanations in xml files, and with security it's always better to be
clear.
b59c645
Chris McKee ChrisMcKee Incorrect description in main readme file
Majority of the elements in the web.config would have no effect on IIS6
as the configuration of IIS6 is not affected by the web.server tag
elements. The majority of changes required in IIS6 have to be achieved
manually through metadatabase edits.
3740186
Chris McKee ChrisMcKee Recreated web.config files from vs base templates for MVC4/API/Webfor…
…ms and .net3 Webforms

- Recreated each template from scratch copying the modifications over from the original template.
- Commented out the entire rewrite tag and added a note about installing URLRewrite.
- Tested each config within its own project, the MVC4 + WebAPI are identical (as the WebAPI project still contains a standard MVC4 project, and WebAPI sits higher in the stack)
60d2a47
Chris McKee ChrisMcKee Pulled in Pull request 71 79c83f5
Paul Irish
Owner

This is really nice. Anyone want to review?

Chris McKee
Collaborator
Chris McKee ChrisMcKee Fix for #53
ETag issue fix, added appropriate header removal tag and information
22945f3
Chris McKee
Collaborator

Had to drop the ---------------------------------------------------- formatting in the rewriting area as VS throws a fit if you use multiple - within a configuration file. Appears as a syntax error.
Replaced with # headers

Chris McKee ChrisMcKee Special IIS6 instructions as none of the web.config stuff is relevant…
… to them

Pretty sure I was asked for this in a previous commit, can't find it.
1007c16
Chris McKee
Collaborator

Added the changes to readme & an accompanying IIS6 configuration (work arounds to the lack of web.server support) to the IIS folder. Seems a more sensible place than the wiki which would easily be missed.

(1007c16) resolves #20 (comment)

Chris McKee
Collaborator

@paulirish tbh mate I think we'll both be old and gray by the time someone reviews it. If it helps I've had a guy I work with check them over and I have full VS solutions with each version in. But as it stands the version in the repository is useless, so nothing to lose :p

Andy Dawson AD7six referenced this pull request
Closed

.NET 4.0 web.config #63

Andy Dawson
Collaborator
AD7six commented

@ChrisMcKee I'm guessing from the lack of feedback from this and your other PR(s) that nobody (including me) feels confident to review the changes.

Since that kind of puts you in the position of being the SME - if you could update the PR so that it merges cleanly - I think we could merge it in and rely on the wider community to improve upon/maintain it.

Paul Irish
Owner
Chris McKee
Collaborator

@paulirish @AD7six that's just a general issue with the .net "community": all take, very little give ;)
I'd expect this PR to merge cleanly (I deleted the entire folder after all), but feel free to correct me if I'm wrong

Andy Dawson
Collaborator
AD7six commented

@ChrisMcKee "This pull request cannot be automatically merged." <-

Chris McKee
Collaborator

@AD7six Groan, generally what I'd expect when a PR takes over a month to move. I'll update locally and re-push.

Chris McKee
Collaborator

@AD7six well that was about as much fun as eating a shoe, the only change made to the web.config was in the comments. Most of which work on the delusional basis anyone using .net would ever be using a build script that would in reality create css files that wouldn't be visible in the solution. Managed language frameworks don't really behave well when treated like a scripting language. In reality people in .net should be using the bundler that's built in from 4+ or GetCassette.net which beats the built in method and most others to death :)
The merge/revert thing was due to me stupidly using tortoise (which tried to do something odd merging the configs), I inevitably did it manually and re-added the current state of this repo back in.

Andy Dawson AD7six merged commit d33e7fe into from
Andy Dawson AD7six closed this

Showing 9 unique commits by 1 author.

Jun 13, 2012
Chris McKee ChrisMcKee Added in more security headers/overrides (headers commented out by de…
…fault) along with longer explanations as to what they do and affect

Might seem a little wordy but .net devs are used to long winded
explanations in xml files, and with security it's always better to be
clear.
b59c645
Chris McKee ChrisMcKee Incorrect description in main readme file
Majority of the elements in the web.config would have no effect on IIS6
as the configuration of IIS6 is not affected by the web.server tag
elements. The majority of changes required in IIS6 have to be achieved
manually through metadatabase edits.
3740186
Chris McKee ChrisMcKee Recreated web.config files from vs base templates for MVC4/API/Webfor…
…ms and .net3 Webforms

- Recreated each template from scratch copying the modifications over from the original template.
- Commented out the entire rewrite tag and added a note about installing URLRewrite.
- Tested each config within its own project, the MVC4 + WebAPI are identical (as the WebAPI project still contains a standard MVC4 project, and WebAPI sits higher in the stack)
60d2a47
Chris McKee ChrisMcKee Pulled in Pull request 71 79c83f5
Chris McKee ChrisMcKee Fix for #53
ETag issue fix, added appropriate header removal tag and information
22945f3
Chris McKee ChrisMcKee Special IIS6 instructions as none of the web.config stuff is relevant…
… to them

Pretty sure I was asked for this in a previous commit, can't find it.
1007c16
Jul 25, 2012
Chris McKee ChrisMcKee Merge remote-tracking branch 'upstream/master' (HLBP Master Server Co…
…nfigs)

Conflicts:
	iis/dotnet 3/web.config

Fixed
19aa2e8
Chris McKee ChrisMcKee Revert "Merge remote-tracking branch 'upstream/master' (HLBP Master S…
…erver Configs)"

This reverts commit 19aa2e8, reversing
changes made to 1007c16.
154a79e
Chris McKee ChrisMcKee Cleanup mess made doing pointless merge 906c01d
5 README.md
@@ -5,7 +5,8 @@
5 5
6 6 * **Apache** The .htaccess config for Apache is actually kept in the original [boilerplate repo](https://github.com/h5bp/html5-boilerplate/)
7 7 * **node.js**
8   -* **iis**
  8 +* **IIS 7+**
  9 +* **IIS 6 - see /iis/IIS6 README (IMPORTANT).txt**
9 10 * **nginx**
10 11 * **lighttpd**
11 12 * **Google AppEngine**
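Review bot: the new bullet sends readers to `/iis/IIS6 README (IMPORTANT).txt` as plain text; a file name with spaces and parentheses will not render as a link and is awkward to reference, so either make it a markdown link to the file or give the file a simpler name.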
@@ -16,5 +17,5 @@
16 17
17 18 * [Guide to .htaccess](https://github.com/h5bp/html5-boilerplate/wiki/htaccess) for apache
18 19 * [Guide to node.js](https://github.com/h5bp/server-configs/wiki/node.js) for node.js
19   -* [Guide to web.config](https://github.com/h5bp/server-configs/wiki/web.config) for IIS
  20 +* [Guide to web.config](https://github.com/h5bp/server-configs/wiki/web.config) for IIS 7+
20 21 * [Guide to nginx.conf](https://github.com/h5bp/server-configs/wiki/nginx.conf) for nginx
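Review bot: the guide bullet is relabelled "IIS 7+" but the PR now ships separate web.config files for .NET 3 WebForms and MVC4/WebAPI, and the IIS 6 notes live in the new README rather than the wiki; add a bullet for the IIS 6 README here too, or say in this bullet which web.config the wiki guide describes, so the two lists stay in step.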
219 iis/IIS6 README (IMPORTANT).txt
... ... @@ -0,0 +1,219 @@
  1 +##################################
  2 +# IIS 6 NOTICE
  3 +##################################
  4 +
  5 +If your using IIS6 you shouldn't use the supplied web.config files.
  6 +Instead your changes will need to be made on the server itself.
  7 +
  8 +Contents:
  9 +
  10 +1. Enabling GZip/Deflate
  11 +2. Adding/removing Headers
  12 +2.1 Removing E-Tags
  13 +2.2 Security Headers
  14 +2.3 Other Headers
  15 +
  16 +##################################
  17 +
  18 +1. Enabling GZip/Deflate (IIS6 Server 2003)
  19 +
  20 +In order to enable GZip you will need to enable metabase editing.
  21 +This can be done as per the instructions here...
  22 +http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1d1e5de4-fd63-40cd-bc5d-c20521548eed.mspx?mfr=true
  23 +
  24 +...
  25 +
  26 +Once you have navigated to the file location (C:\WINDOWS\SYSTEM32\INETSRV) make a copy of
  27 +the file metabase.xml to your desktop or somewhere safe.
  28 +
  29 +Open the file, and search for IIsCompressionScheme
  30 +Replace the IISCompressionScheme and Schemes XML With This:
  31 +(or alternatively you can see it here: https://gist.github.com/2136507 )
  32 +
  33 +
  34 +<IIsCompressionScheme Location ="/LM/W3SVC/Filters/Compression/deflate"
  35 + HcCompressionDll="%windir%\system32\inetsrv\gzip.dll"
  36 + HcCreateFlags="0"
  37 + HcDoDynamicCompression="TRUE"
  38 + HcDoOnDemandCompression="TRUE"
  39 + HcDoStaticCompression="TRUE"
  40 + HcDynamicCompressionLevel="9"
  41 + HcFileExtensions="htm
  42 + html
  43 + xml
  44 + css
  45 + txt
  46 + rdf
  47 + js
  48 + svg
  49 + ttf
  50 + otf
  51 + eot"
  52 + HcOnDemandCompLevel="10"
  53 + HcPriority="1"
  54 + HcScriptFileExtensions="asp
  55 + cgi
  56 + exe
  57 + dll
  58 + aspx
  59 + asmx
  60 + axd"
  61 + >
  62 +</IIsCompressionScheme>
  63 +<IIsCompressionScheme Location ="/LM/W3SVC/Filters/Compression/gzip"
  64 + HcCompressionDll="%windir%\system32\inetsrv\gzip.dll"
  65 + HcCreateFlags="1"
  66 + HcDoDynamicCompression="TRUE"
  67 + HcDoOnDemandCompression="TRUE"
  68 + HcDoStaticCompression="TRUE"
  69 + HcDynamicCompressionLevel="9"
  70 + HcFileExtensions="htm
  71 + html
  72 + xml
  73 + css
  74 + txt
  75 + rdf
  76 + js
  77 + svg
  78 + ttf
  79 + otf
  80 + eot"
  81 + HcOnDemandCompLevel="10"
  82 + HcPriority="1"
  83 + HcScriptFileExtensions="asp
  84 + cgi
  85 + exe
  86 + dll
  87 + aspx
  88 + asmx
  89 + axd"
  90 + >
  91 +</IIsCompressionScheme>
  92 +<IIsCompressionSchemes Location ="/LM/W3SVC/Filters/Compression/Parameters"
  93 + HcCacheControlHeader="max-age=86400"
  94 + HcCompressionBufferSize="8192"
  95 + HcCompressionDirectory="C:\IIS Temporary Compressed Files"
  96 + HcDoDiskSpaceLimiting="FALSE"
  97 + HcDoDynamicCompression="TRUE"
  98 + HcDoOnDemandCompression="TRUE"
  99 + HcDoStaticCompression="TRUE"
  100 + HcExpiresHeader="Wed, 01 Jan 1997 12:00:00 GMT"
  101 + HcFilesDeletedPerDiskFree="256"
  102 + HcIoBufferSize="8192"
  103 + HcMaxDiskSpaceUsage="99614720"
  104 + HcMaxQueueLength="1000"
  105 + HcMinFileSizeForComp="1"
  106 + HcNoCompressionForHttp10="FALSE"
  107 + HcNoCompressionForProxies="FALSE"
  108 + HcNoCompressionForRange="FALSE"
  109 + HcSendCacheHeaders="FALSE"
  110 + >
  111 +</IIsCompressionSchemes>
  112 +
  113 +
  114 +Note: Never set the compression value to 10; though this might seem a sensible thing to do the CPU load increase per-request is quite large, whilst the actual compression difference is negligble.
  115 +
  116 +
  117 +##################################
  118 +2. Adding/Removing Headers
  119 +##################################
  120 +
  121 +2.1 Removing ETags
  122 +--------------------
  123 +
  124 +Remove ETags from the Http Response by setting a blank ETag header. In IIS Manager, right click Web Site (or any folder), click Properties, select HttpHeaders tab, add Custom Http Header called ETag but leave the value blank
  125 +
  126 +
  127 +2.2 Security Headers
  128 +--------------------
  129 +
  130 +Using the method above you can add any header; here are a few other common ones that are in the web.config of H5BP project configs.
  131 +
  132 +For readability I'll seperate the KEY from the VALUE using a COLON (e.g. KEY : VALUE)
  133 +
  134 +
  135 +2.2.1 Access-Control-Allow-Origin
  136 +---------------------------------
  137 +Rationale:
  138 +The 'Access Control Allow Origin' HTTP header is used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
  139 +
  140 +Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
  141 + header restricting it to only a trusted set of sites.
  142 +Reference - http://enable-cors.org/
  143 +
  144 +
  145 +Allow All -
  146 +Access-Control-Allow-Origin : *
  147 +
  148 +
  149 +
  150 +2.2.2 Cache-Control
  151 +-------------------
  152 +Rationale:
  153 +The 'Cache-Control' response header controls how pages can be cached either by proxies or the users browser. This response header can provide enhanced privacy by not caching sensitive pages in the users browser cache.
  154 +
  155 +Cache-Control : no-store, no-cache
  156 +
  157 +
  158 +
  159 +2.2.3 Strict Transport Security
  160 +-------------------------------
  161 +Rationale:
  162 +The HTTP Strict Transport Security header is used to control if the browser is allowed to only access a site over a secure connection and how long to remember the server response for, forcing continued usage.
  163 +
  164 +Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
  165 +
  166 +Strict-Transport-Security : max-age=15768000
  167 +
  168 +
  169 +2.2.4 X-Frame Options
  170 +---------------------
  171 +Rationale:
  172 +The X-Frame-Options header indicates whether a browser should be allowed to render a page within a frame or iframe. The valid options are DENY (deny allowing the page to exist in a frame)
  173 + or SAMEORIGIN (allow framing but only from the originating host)
  174 + Without this option set the site is at a higher risk of click-jacking.
  175 +
  176 +X-Frame-Options : SAMEORIGIN
  177 +
  178 +
  179 +2.2.5 X-XSS Protection
  180 +----------------------
  181 +Rationale:
  182 +The X-XSS-Protection header is used by Internet Explorer version 8+
  183 + The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
  184 +If enabled, without 'mode=block', there is an increased risk that otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable
  185 +
  186 +X-XSS-Protection:1; mode=block
  187 +
  188 +
  189 +2.2.6 Manual Removal
  190 +----------------------
  191 +You can manually remove X-Powered-By via the same panel you add the headers.
  192 +A tiny bit of 'security' by obscurity.
  193 +
  194 +
  195 +
  196 +2.3 Other Headers
  197 +----------------------
  198 +
  199 +2.3.3 X-UA-Compatible
  200 +----------------------
  201 +
  202 +Force the latest IE version, in various cases when it may fall back to IE7 mode
  203 + github.com/rails/rails/commit/123eb25#commitcomment-118920
  204 +
  205 +
  206 +
  207 +X-UA-Compatible : IE=Edge,chrome=1
  208 +
  209 +
  210 +2.3.3 P3P (handy when your usign Facebook API/Connect)
  211 +------------------------------------------------------
  212 +Allow cookies to be set from iframes (for IE only)
  213 +
  214 +Ref: http://stackoverflow.com/questions/6241626/facebook-ie-and-p3p
  215 +
  216 +If needed, specify a path or regex in the Location directive
  217 +
  218 +P3P : policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;
  219 +
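Review bot: the note at line 114 says never to set the compression level to 10, but both schemes above set `HcOnDemandCompLevel="10"` while `HcDynamicCompressionLevel` is 9; say which attribute the warning is about, or lower the on-demand level, so the snippet and the advice agree. The P3P value at line 218 is copied from web.config with the XML entities intact (`&quot;`); a value typed into the IIS Manager custom headers dialog is not XML, so it should use literal double quotes or the client receives the entity text inside the header. Two smaller points: the Access-Control-Allow-Origin section shows only the `*` ("Allow All") value straight after recommending a restricted set of trusted origins, so an example with a single named origin would match the rationale; and X-UA-Compatible and P3P are both numbered 2.3.3. Typo at line 5: "If your using" should be "If you're using".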
152 iis/web.config → iis/dotnet 3/web.config
... ... @@ -1,5 +1,4 @@
1 1 <?xml version="1.0" encoding="UTF-8"?>
2   -<!-- web.config contributed to html5boilerplate by Velir : velir.com -->
3 2 <configuration>
4 3 <configSections>
5 4 <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
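Review bot: the Velir attribution comment is dropped with no replacement; the commit message says the file was rebuilt from the VS template with the modifications copied across, which makes that defensible, but a one-line credit in the header costs nothing and avoids the question later.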
@@ -17,6 +16,8 @@
17 16 <appSettings />
18 17 <connectionStrings />
19 18 <system.web>
  19 + <!-- Security through obscurity, removes X-AspNet-Version HTTP header from the response -->
  20 + <httpRuntime enableVersionHeader="false" />
20 21 <!--
21 22 Set compilation debug="true" to insert debugging
22 23 symbols into the compiled page. Because this
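Review bot: `enableVersionHeader="false"` suppresses only `X-AspNet-Version`; the comment should say so explicitly and point at the `<remove name="X-Powered-By" />` under `<customHeaders>` later in this file, since a reader skimming this line could take it for the whole header clean-up. Neither setting touches the `Server` header, which is also worth a word here.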
@@ -47,6 +48,7 @@
47 48 <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
48 49 <error statusCode="404" redirect="404.html" />
49 50 </customErrors>
  51 +
50 52 <pages>
51 53 <controls>
52 54 <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
@@ -64,19 +66,7 @@
64 66 <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
65 67 </httpModules>
66 68 </system.web>
67   - <system.codedom>
68   - <compilers>
69   - <compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
70   - <providerOption name="CompilerVersion" value="v3.5" />
71   - <providerOption name="WarnAsError" value="false" />
72   - </compiler>
73   - <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
74   - <providerOption name="CompilerVersion" value="v3.5" />
75   - <providerOption name="OptionInfer" value="true" />
76   - <providerOption name="WarnAsError" value="false" />
77   - </compiler>
78   - </compilers>
79   - </system.codedom>
  69 +
80 70 <system.webServer>
81 71 <!-- GZip static file content. Overrides the server default which only compresses static files over 2700 bytes -->
82 72 <httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
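Review bot: deleting the `<system.codedom>` block changes which compiler version ASP.NET uses for dynamically compiled pages and App_Code in this .NET 3.5 config; the VS 3.5 template includes it so that C# 3 syntax (LINQ, lambdas, `var`) compiles there, and without it the provider falls back to the default compiler version. If the removal is intentional, say so in the commit message; otherwise keep the block.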
@@ -182,13 +172,76 @@
182 172 </staticContent>
183 173 <httpProtocol>
184 174 <customHeaders>
  175 +
  176 + <!--#### SECURITY Related Headers ###-->
  177 + <!--
  178 + # Access-Control-Allow-Origin
  179 + The 'Access Control Allow Origin' HTTP header is used to control which
  180 + sites are allowed to bypass same origin policies and send cross-origin requests.
185 181
186   - <!--
187   - http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
188   - Uncomment to serve cross-domain ajax requests
  182 + Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
  183 + header restricting it to only a trusted set of sites.
  184 + http://enable-cors.org/
189 185
190 186 <add name="Access-Control-Allow-Origin" value="*" />
191 187 -->
  188 +
  189 + <!--
  190 + # Cache-Control
  191 + The 'Cache-Control' response header controls how pages can be cached
  192 + either by proxies or the users browser.
  193 + This response header can provide enhanced privacy by not caching
  194 + sensitive pages in the users browser cache.
  195 +
  196 + <add name="Cache-Control" value="no-store, no-cache"/>
  197 + -->
  198 +
  199 + <!--
  200 + # Strict-Transport-Security
  201 + The HTTP Strict Transport Security header is used to control
  202 + if the browser is allowed to only access a site over a secure connection
  203 + and how long to remember the server response for, forcing continued usage.
  204 + Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
  205 + <add name="Strict-Transport-Security" value="max-age=15768000"/>
  206 + -->
  207 +
  208 + <!--
  209 + # X-Frame-Options
  210 + The X-Frame-Options header indicates whether a browser should be allowed
  211 + to render a page within a frame or iframe.
  212 + The valid options are DENY (deny allowing the page to exist in a frame)
  213 + or SAMEORIGIN (allow framing but only from the originating host)
  214 + Without this option set the site is at a higher risk of click-jacking.
  215 +
  216 + <add name="X-Frame-Options" value="SAMEORIGIN" />
  217 + -->
  218 +
  219 + <!--
  220 + # X-XSS-Protection
  221 + The X-XSS-Protection header is used by Internet Explorer version 8+
  222 + The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
  223 + If enabled, without 'mode=block', there is an increased risk that
  224 + otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable
  225 +
  226 + <add name="X-XSS-Protection" value="1; mode=block"/>
  227 + -->
  228 +
  229 + <!-- A little extra security (by obscurity) -->
  230 + <remove name="X-Powered-By" />
  231 +
  232 + <!--//#### SECURITY Related Headers ###-->
  233 +
  234 + <!--
  235 + # E-TAGS
  236 + E-Tags are actually quite useful in cache management especially if you have a front-end caching server
  237 + such as Varnish. http://en.wikipedia.org/wiki/HTTP_ETag / http://developer.yahoo.com/performance/rules.html#etags
  238 + But in load balancing and simply most cases ETags are mishandled in IIS; and it can be advantageous to remove them.
  239 + This is simply done by overriding the default server header with an empty tag.
  240 + See http://bytestopshere.wordpress.com/2009/02/02/disable-remove-etags-on-iis-6-to-improve-performance/
  241 +
  242 + <add name="E-TAG" value="" />
  243 + -->
  244 +
192 245 <!--
193 246 Force the latest IE version, in various cases when it may fall back to IE7 mode
194 247 github.com/rails/rails/commit/123eb25#commitcomment-118920
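Review bot: the commented ETag example at line 242 uses the header name `E-TAG`, which is not the header IIS emits (`ETag`), so uncommenting it would add a second, unrelated empty header and leave the real ETag in place; change the name to `ETag`, and note that the blank-header trick is documented for IIS 6 (the linked post) and is not a reliable way to strip the header on IIS 7. Two further points on this hunk: the `Cache-Control: no-store, no-cache` example, if uncommented here, applies to every response from the site including static files, so the comment should say it is meant for a location holding sensitive pages rather than the site root; and the Strict-Transport-Security comment should mention that browsers honour the header only when it arrives over HTTPS, and that `max-age` commits every browser that has seen it to HTTPS for that period.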
@@ -201,28 +254,27 @@
201 254
202 255 <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;" />
203 256 -->
204   -
205   - <!-- A little extra security (by obscurity) -->
206   - <remove name="X-Powered-By" />
207   -
208 257 </customHeaders>
209 258 </httpProtocol>
210   -
211   -
212   -
  259 +
  260 +
  261 + <!--
213 262 <rewrite>
214 263 <rules>
215   - <!--
216   - Remove/force the WWW from the URL.
217   - Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
218   - Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0
219   -
220   - ** Important Note
221   - using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
222   - (eg. fast cdn-like access of static resources like css, js and images) impossible.
223   -
224   - # IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!
225   -
  264 +
  265 + Remove/force the WWW from the URL.
  266 + Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
  267 + Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0
  268 +
  269 + NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
  270 + http://www.microsoft.com/web/downloads/platform.aspx
  271 +
  272 + ** Important Note
  273 + using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
  274 + (eg. fast cdn-like access of static resources like css, js and images) impossible.
  275 +
  276 + # IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!
  277 +
226 278 <rule name="Remove WWW" stopProcessing="true">
227 279 <match url="^(.*)$" />
228 280 <conditions>
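Review bot: the single `<!--` at line 261 now comments out the whole `<rewrite>` element, but in two pieces (this comment closes at line 292 in the next hunk, where a second one opens), so the instructions at lines 265-276 should say exactly which markers to delete to enable the rules; removing only the outer pair leaves the Cachebusting rule commented while the WWW rules go live. Please also keep the install note at 269-270 directly above the WWW rules, since that module is what makes the whole block valid.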
@@ -237,27 +289,27 @@
237 289 </conditions>
238 290 <action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
239 291 </rule>
240   - -->
241   - <!--
242   - ----------------------------------------------------------------------
243   - Built-in filename-based cache busting
244   - ----------------------------------------------------------------------
  292 + -->
  293 + <!--
  294 +
  295 + # Built-in filename-based cache busting
  296 +
245 297
246   - If you're not using the build script to manage your filename version revving,
247   - you might want to consider enabling this, which will route requests for
248   - /css/style.20110203.css to /css/style.css
  298 + If you're not using the build script to manage your filename version revving,
  299 + you might want to consider enabling this, which will route requests for
  300 + /css/style.20110203.css to /css/style.css
249 301
250   - To understand why this is important and a better idea than all.css?v1231,
251   - read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting
  302 + To understand why this is important and a better idea than all.css?v1231,
  303 + read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting
252 304
253   - <rule name="Cachebusting">
  305 + <rule name="Cachebusting">
254 306 <match url="^(.+)\.\d+(\.(js|css|png|jpg|gif)$)" />
255 307 <action type="Rewrite" url="{R:1}{R:2}" />
256 308 </rule>
257   - -->
  309 +
258 310 </rules>
259   - </rewrite>
260   -
  311 + </rewrite>-->
  312 +
261 313 </system.webServer>
262 314 <runtime>
263 315 <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
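Review bot: dropping the `-----` separators avoids `--` inside XML comments (good), but the Cachebusting match at line 306, `^(.+)\.\d+(\.(js|css|png|jpg|gif)$)`, is broader than its comment: any file whose second-to-last dotted segment is all digits is rewritten, so `jquery.1.7.js` becomes `jquery.1.js`. Add a warning to the comment, or tighten the version segment to the shape the build script produces. The redirect target `http://www.example.com/{R:0}` at line 290 also needs a "replace with your host" note.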
@@ -271,4 +323,4 @@
271 323 </dependentAssembly>
272 324 </assemblyBinding>
273 325 </runtime>
274   -</configuration>
  326 +</configuration>
307 iis/dotnet 4/mvc4 & mvc4api/web.config
... ... @@ -0,0 +1,307 @@
  1 +<?xml version="1.0" encoding="UTF-8"?>
  2 +<configuration>
  3 + <configSections>
  4 + </configSections>
  5 + <connectionStrings />
  6 + <appSettings>
  7 + <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  8 + <add key="webpages:Version" value="2.0.0.0" />
  9 + <add key="webpages:Enabled" value="false" />
  10 + <add key="PreserveLoginUrl" value="true" />
  11 + <add key="ClientValidationEnabled" value="true" />
  12 + <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  13 + </appSettings>
  14 + <system.web>
  15 + <!--
  16 + Set compilation debug="true" to insert debugging
  17 + symbols into the compiled page. Because this
  18 + affects performance, set this value to true only
  19 + during development.
  20 + -->
  21 + <compilation debug="true" targetFramework="4.0" />
  22 +
  23 + <!-- Security through obscurity, removes X-AspNet-Version HTTP header from the response -->
  24 + <httpRuntime enableVersionHeader="false" />
  25 +
  26 + <authentication mode="Windows" />
  27 +
  28 + <pages>
  29 + <namespaces>
  30 + <add namespace="System.Web.Helpers" />
  31 + <add namespace="System.Web.Mvc" />
  32 + <add namespace="System.Web.Mvc.Ajax" />
  33 + <add namespace="System.Web.Mvc.Html" />
  34 + <add namespace="System.Web.Optimization" />
  35 + <add namespace="System.Web.Routing" />
  36 + <add namespace="System.Web.WebPages" />
  37 + </namespaces>
  38 + </pages>
  39 + <!--
  40 + The <customErrors> section enables configuration
  41 + of what to do if/when an unhandled error occurs
  42 + during the execution of a request. Specifically,
  43 + it enables developers to configure html error pages
  44 + to be displayed in place of a error stack trace.
  45 +
  46 + <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
  47 + <error statusCode="403" redirect="NoAccess.htm" />
  48 + <error statusCode="404" redirect="FileNotFound.htm" />
  49 + </customErrors>
  50 + -->
  51 + <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
  52 + <error statusCode="404" redirect="404.html" />
  53 + </customErrors>
  54 +
  55 + <sessionState mode="InProc" customProvider="DefaultSessionProvider">
  56 + <providers>
  57 + <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  58 + </providers>
  59 + </sessionState>
  60 + </system.web>
  61 +
  62 + <system.webServer>
  63 + <!-- GZip static file content. Overrides the server default which only compresses static files over 2700 bytes -->
  64 + <httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
  65 + <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
  66 + <staticTypes>
  67 + <add mimeType="text/*" enabled="true" />
  68 + <add mimeType="message/*" enabled="true" />
  69 + <add mimeType="application/javascript" enabled="true" />
  70 + <add mimeType="application/json" enabled="true" />
  71 + <add mimeType="*/*" enabled="false" />
  72 + </staticTypes>
  73 + </httpCompression>
  74 + <directoryBrowse enabled="false" />
  75 + <validation validateIntegratedModeConfiguration="false" />
  76 + <modules runAllManagedModulesForAllRequests="true" />
  77 + <urlCompression doStaticCompression="true" />
  78 + <staticContent>
  79 + <!-- Set expire headers to 30 days for static content-->
  80 + <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
  81 + <!-- use utf-8 encoding for anything served text/plain or text/html -->
  82 + <remove fileExtension=".css" />
  83 + <mimeMap fileExtension=".css" mimeType="text/css" />
  84 + <remove fileExtension=".js" />
  85 + <mimeMap fileExtension=".js" mimeType="application/javascript" />
  86 + <remove fileExtension=".json" />
  87 + <mimeMap fileExtension=".json" mimeType="application/json" />
  88 + <remove fileExtension=".rss" />
  89 + <mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8" />
  90 + <remove fileExtension=".html" />
  91 + <mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8" />
  92 + <remove fileExtension=".xml" />
  93 + <mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8" />
  94 + <!-- HTML5 Audio/Video mime types-->
  95 + <remove fileExtension=".mp3" />
  96 + <mimeMap fileExtension=".mp3" mimeType="audio/mpeg" />
  97 + <remove fileExtension=".mp4" />
  98 + <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
  99 + <remove fileExtension=".ogg" />
  100 + <mimeMap fileExtension=".ogg" mimeType="audio/ogg" />
  101 + <remove fileExtension=".ogv" />
  102 + <mimeMap fileExtension=".ogv" mimeType="video/ogg" />
  103 + <remove fileExtension=".webm" />
  104 + <mimeMap fileExtension=".webm" mimeType="video/webm" />
  105 + <!-- Proper svg serving. Required for svg webfonts on iPad -->
  106 + <remove fileExtension=".svg" />
  107 + <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
  108 + <remove fileExtension=".svgz" />
  109 + <mimeMap fileExtension=".svgz" mimeType="image/svg+xml" />
  110 + <!-- HTML4 Web font mime types -->
  111 + <!-- Remove default IIS mime type for .eot which is application/octet-stream -->
  112 + <remove fileExtension=".eot" />
  113 + <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
  114 + <remove fileExtension=".ttf" />
  115 + <mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf" />
  116 + <remove fileExtension=".ttc" />
  117 + <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
  118 + <remove fileExtension=".otf" />
  119 + <mimeMap fileExtension=".otf" mimeType="font/otf" />
  120 + <remove fileExtension=".woff" />
  121 + <mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
  122 + <remove fileExtension=".crx" />
  123 + <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
  124 + <remove fileExtension=".xpi" />
  125 + <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
  126 + <remove fileExtension=".safariextz" />
  127 + <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
  128 + <!-- Flash Video mime types-->
  129 + <remove fileExtension=".flv" />
  130 + <mimeMap fileExtension=".flv" mimeType="video/x-flv" />
  131 + <remove fileExtension=".f4v" />
  132 + <mimeMap fileExtension=".f4v" mimeType="video/mp4" />
  133 + <!-- Asorted types -->
  134 + <remove fileExtension=".ico" />
  135 + <mimeMap fileExtension=".ico" mimeType="image/x-icon" />
  136 + <remove fileExtension=".webp" />
  137 + <mimeMap fileExtension=".webp" mimeType="image/webp" />
  138 + <remove fileExtension=".appcache" />
  139 + <mimeMap fileExtension=".appcache" mimeType="text/cache-manifest" />
  140 + <remove fileExtension=".manifest" />
  141 + <mimeMap fileExtension=".manifest" mimeType="text/cache-manifest" />
  142 + <remove fileExtension=".htc" />
  143 + <mimeMap fileExtension=".htc" mimeType="text/x-component" />
  144 + <remove fileExtension=".crx" />
  145 + <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
  146 + <remove fileExtension=".xpi" />
  147 + <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
  148 + <remove fileExtension=".safariextz" />
  149 + <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
  150 + <remove fileExtension=".vcf" />
  151 + <mimeMap fileExtension=".vcf" mimeType="text/x-vcard" />
  152 + </staticContent>
  153 + <httpProtocol>
  154 + <customHeaders>
  155 +
  156 + <!--#### SECURITY Related Headers ###-->
  157 + <!--
  158 + # Access-Control-Allow-Origin
  159 + The 'Access Control Allow Origin' HTTP header is used to control which
  160 + sites are allowed to bypass same origin policies and send cross-origin requests.
  161 +
  162 + Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
  163 + header restricting it to only a trusted set of sites.
  164 + http://enable-cors.org/
  165 +
  166 + <add name="Access-Control-Allow-Origin" value="*" />
  167 + -->
  168 +
  169 + <!--
  170 + # Cache-Control
  171 + The 'Cache-Control' response header controls how pages can be cached
  172 + either by proxies or the users browser.
  173 + This response header can provide enhanced privacy by not caching
  174 + sensitive pages in the users browser cache.
  175 +
  176 + <add name="Cache-Control" value="no-store, no-cache"/>
  177 + -->
  178 +
  179 + <!--
  180 + # Strict-Transport-Security
  181 + The HTTP Strict Transport Security header is used to control
  182 + if the browser is allowed to only access a site over a secure connection
  183 + and how long to remember the server response for, forcing continued usage.
  184 + Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
  185 + <add name="Strict-Transport-Security" value="max-age=15768000"/>
  186 + -->
  187 +
  188 + <!--
  189 + # X-Frame-Options
  190 + The X-Frame-Options header indicates whether a browser should be allowed
  191 + to render a page within a frame or iframe.
  192 + The valid options are DENY (deny allowing the page to exist in a frame)
  193 + or SAMEORIGIN (allow framing but only from the originating host)
  194 + Without this option set the site is at a higher risk of click-jacking.
  195 +
  196 + <add name="X-Frame-Options" value="SAMEORIGIN" />
  197 + -->
  198 +
  199 + <!--
  200 + # X-XSS-Protection
  201 + The X-XSS-Protection header is used by Internet Explorer version 8+
  202 + The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
  203 + If enabled, without 'mode=block', there is an increased risk that
  204 + otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable
  205 +
  206 + <add name="X-XSS-Protection" value="1; mode=block"/>
  207 + -->
  208 +
  209 + <!-- A little extra security (by obscurity) -->
  210 + <remove name="X-Powered-By" />
  211 +
  212 + <!--//#### SECURITY Related Headers ###-->
  213 +
  214 + <!--
  215 + # E-TAGS
  216 + E-Tags are actually quite useful in cache management especially if you have a front-end caching server
  217 + such as Varnish. http://en.wikipedia.org/wiki/HTTP_ETag / http://developer.yahoo.com/performance/rules.html#etags
  218 + But in load balancing and simply most cases ETags are mishandled in IIS; and it can be advantageous to remove them.
  219 + This is simply done by overriding the default server header with an empty tag.
  220 + See http://bytestopshere.wordpress.com/2009/02/02/disable-remove-etags-on-iis-6-to-improve-performance/
  221 +
  222 + <add name="E-TAG" value="" />
  223 + -->
  224 +
  225 + <!--
  226 + Force the latest IE version, in various cases when it may fall back to IE7 mode
  227 + github.com/rails/rails/commit/123eb25#commitcomment-118920
  228 + Use ChromeFrame if it's installed for a better experience for the poor IE folk
  229 + -->
  230 + <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
  231 + <!--
  232 + Allow cookies to be set from iframes (for IE only)
  233 + If needed, uncomment and specify a path or regex in the Location directive
  234 +
  235 + <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;" />
  236 + -->
  237 + </customHeaders>
  238 + </httpProtocol>
  239 +
  240 + <!--
  241 + <rewrite>
  242 + <rules>
  243 +
  244 + Remove/force the WWW from the URL.
  245 + Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
  246 + Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0
  247 +
  248 + NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
  249 + http://www.microsoft.com/web/downloads/platform.aspx
  250 +
  251 + ** Important Note
  252 + using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
  253 + (eg. fast cdn-like access of static resources like css, js and images) impossible.
  254 +
  255 + # IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!
  256 +
  257 + <rule name="Remove WWW" stopProcessing="true">
  258 + <match url="^(.*)$" />
  259 + <conditions>
  260 + <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
  261 + </conditions>
  262 + <action type="Redirect" url="http://example.com{PATH_INFO}" redirectType="Permanent" />
  263 + </rule>
  264 + <rule name="Force WWW" stopProcessing="true">
  265 + <match url=".*" />
  266 + <conditions>
  267 + <add input="{HTTP_HOST}" pattern="^example.com$" />
  268 + </conditions>
  269 + <action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
  270 + </rule>
  271 + -->
  272 + <!--
  273 + ### Built-in filename-based cache busting
  274 +
  275 + If you're not using the build script to manage your filename version revving,
  276 + you might want to consider enabling this, which will route requests for
  277 + /css/style.20110203.css to /css/style.css
  278 +
  279 + To understand why this is important and a better idea than all.css?v1231,
  280 + read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting
  281 +
  282 + <rule name="Cachebusting">
  283 + <match url="^(.+)\.\d+(\.(js|css|png|jpg|gif)$)" />
  284 + <action type="Rewrite" url="{R:1}{R:2}" />
  285 + </rule>
  286 +
  287 + </rules>
  288 + </rewrite>-->
  289 +
  290 + </system.webServer>
  291 + <runtime>
  292 + <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
  293 + <dependentAssembly>
  294 + <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
  295 + <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
  296 + </dependentAssembly>
  297 + <dependentAssembly>
  298 + <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
  299 + <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
  300 + </dependentAssembly>
  301 + <dependentAssembly>
  302 + <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
  303 + <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
  304 + </dependentAssembly>
  305 + </assemblyBinding>
  306 + </runtime>
  307 +</configuration>
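Review bot: the commented-out ETag suppression `<add name="E-TAG" value="" />` uses the wrong header name (the response header is `ETag`, not `E-TAG`), and adding a custom header with an empty value does not stop IIS from emitting its own ETag on static files, so once uncommented it will not do what the comment above it ("overriding the default server header with an empty tag") promises; after enabling it, check the response headers of a static file, and replace it with something that actually strips the header (a URL Rewrite outbound rule or a module) or at least correct the name. Two more points in the same region: the Strict-Transport-Security note should say that browsers only honour the header on responses received over HTTPS and that `max-age=15768000` (about six months) means the site cannot be moved back to plain HTTP for that long, so it must only be enabled once everything is served over TLS; and the Remove/Force WWW rules redirect to hard-coded `http://example.com{PATH_INFO}` and `http://www.example.com/{R:0}`, which would downgrade an HTTPS request and contradict HSTS if both were enabled (use `{HTTPS}`/`{SERVER_PORT}` conditions or a scheme-relative target). Minor: the `.crx`, `.xpi` and `.safariextz` mime mappings are declared twice (once after the web fonts and again under "Asorted types"); drop the second copy, and "Asorted" should read "Assorted".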
273 iis/dotnet 4/webforms/web.config
... ... @@ -0,0 +1,273 @@
  1 +<?xml version="1.0" encoding="UTF-8"?>
  2 +<configuration>
  3 + <configSections>
  4 + </configSections>
  5 + <connectionStrings />
  6 +
  7 + <system.web>
  8 + <!--
  9 + Set compilation debug="true" to insert debugging
  10 + symbols into the compiled page. Because this
  11 + affects performance, set this value to true only
  12 + during development.
  13 + -->
  14 + <compilation debug="true" targetFramework="4.0" />
  15 +
  16 + <!-- Security through obscurity, removes X-AspNet-Version HTTP header from the response -->
  17 + <httpRuntime enableVersionHeader="false" />
  18 +
  19 + <authentication mode="Windows" />
  20 +
  21 + <!--
  22 + The <customErrors> section enables configuration
  23 + of what to do if/when an unhandled error occurs
  24 + during the execution of a request. Specifically,
  25 + it enables developers to configure html error pages
  26 + to be displayed in place of a error stack trace.
  27 +
  28 + <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
  29 + <error statusCode="403" redirect="NoAccess.htm" />
  30 + <error statusCode="404" redirect="FileNotFound.htm" />
  31 + </customErrors>
  32 + -->
  33 + <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
  34 + <error statusCode="404" redirect="404.html" />
  35 + </customErrors>
  36 +
  37 + <sessionState mode="InProc" customProvider="DefaultSessionProvider">
  38 + <providers>
  39 + <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  40 + </providers>
  41 + </sessionState>
  42 + </system.web>
  43 +
  44 + <system.webServer>
  45 + <!-- GZip static file content. Overrides the server default which only compresses static files over 2700 bytes -->
  46 + <httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
  47 + <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
  48 + <staticTypes>
  49 + <add mimeType="text/*" enabled="true" />
  50 + <add mimeType="message/*" enabled="true" />
  51 + <add mimeType="application/javascript" enabled="true" />
  52 + <add mimeType="application/json" enabled="true" />
  53 + <add mimeType="*/*" enabled="false" />
  54 + </staticTypes>
  55 + </httpCompression>
  56 + <directoryBrowse enabled="false" />
  57 + <validation validateIntegratedModeConfiguration="false" />
  58 + <modules runAllManagedModulesForAllRequests="true" />
  59 + <urlCompression doStaticCompression="true" />
  60 + <staticContent>
  61 + <!-- Set expire headers to 30 days for static content-->
  62 + <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
  63 + <!-- use utf-8 encoding for anything served text/plain or text/html -->
  64 + <remove fileExtension=".css" />
  65 + <mimeMap fileExtension=".css" mimeType="text/css" />
  66 + <remove fileExtension=".js" />
  67 + <mimeMap fileExtension=".js" mimeType="application/javascript" />
  68 + <remove fileExtension=".json" />
  69 + <mimeMap fileExtension=".json" mimeType="application/json" />
  70 + <remove fileExtension=".rss" />
  71 + <mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8" />
  72 + <remove fileExtension=".html" />
  73 + <mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8" />
  74 + <remove fileExtension=".xml" />
  75 + <mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8" />
  76 + <!-- HTML5 Audio/Video mime types-->
  77 + <remove fileExtension=".mp3" />
  78 + <mimeMap fileExtension=".mp3" mimeType="audio/mpeg" />
  79 + <remove fileExtension=".mp4" />
  80 + <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
  81 + <remove fileExtension=".ogg" />
  82 + <mimeMap fileExtension=".ogg" mimeType="audio/ogg" />
  83 + <remove fileExtension=".ogv" />
  84 + <mimeMap fileExtension=".ogv" mimeType="video/ogg" />
  85 + <remove fileExtension=".webm" />
  86 + <mimeMap fileExtension=".webm" mimeType="video/webm" />
  87 + <!-- Proper svg serving. Required for svg webfonts on iPad -->
  88 + <remove fileExtension=".svg" />
  89 + <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
  90 + <remove fileExtension=".svgz" />
  91 + <mimeMap fileExtension=".svgz" mimeType="image/svg+xml" />
  92 + <!-- HTML4 Web font mime types -->
  93 + <!-- Remove default IIS mime type for .eot which is application/octet-stream -->
  94 + <remove fileExtension=".eot" />
  95 + <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
  96 + <remove fileExtension=".ttf" />
  97 + <mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf" />
  98 + <remove fileExtension=".ttc" />
  99 + <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
  100 + <remove fileExtension=".otf" />
  101 + <mimeMap fileExtension=".otf" mimeType="font/otf" />
  102 + <remove fileExtension=".woff" />
  103 + <mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
  104 + <remove fileExtension=".crx" />
  105 + <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
  106 + <remove fileExtension=".xpi" />
  107 + <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
  108 + <remove fileExtension=".safariextz" />
  109 + <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
  110 + <!-- Flash Video mime types-->
  111 + <remove fileExtension=".flv" />
  112 + <mimeMap fileExtension=".flv" mimeType="video/x-flv" />
  113 + <remove fileExtension=".f4v" />
  114 + <mimeMap fileExtension=".f4v" mimeType="video/mp4" />
  115 + <!-- Asorted types -->
  116 + <remove fileExtension=".ico" />
  117 + <mimeMap fileExtension=".ico" mimeType="image/x-icon" />
  118 + <remove fileExtension=".webp" />
  119 + <mimeMap fileExtension=".webp" mimeType="image/webp" />
  120 + <remove fileExtension=".appcache" />
  121 + <mimeMap fileExtension=".appcache" mimeType="text/cache-manifest" />
  122 + <remove fileExtension=".manifest" />
  123 + <mimeMap fileExtension=".manifest" mimeType="text/cache-manifest" />
  124 + <remove fileExtension=".htc" />
  125 + <mimeMap fileExtension=".htc" mimeType="text/x-component" />
  126 + <remove fileExtension=".crx" />
  127 + <mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
  128 + <remove fileExtension=".xpi" />
  129 + <mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
  130 + <remove fileExtension=".safariextz" />
  131 + <mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
  132 + <remove fileExtension=".vcf" />
  133 + <mimeMap fileExtension=".vcf" mimeType="text/x-vcard" />
  134 + </staticContent>
  135 + <httpProtocol>
  136 + <customHeaders>
  137 +
  138 + <!--#### SECURITY Related Headers ###-->
  139 + <!--
  140 + # Access-Control-Allow-Origin
  141 + The 'Access Control Allow Origin' HTTP header is used to control which
  142 + sites are allowed to bypass same origin policies and send cross-origin requests.
  143 +
  144 + Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
  145 + header restricting it to only a trusted set of sites.
  146 + http://enable-cors.org/
  147 +
  148 + <add name="Access-Control-Allow-Origin" value="*" />
  149 + -->
  150 +
  151 + <!--
  152 + # Cache-Control
  153 + The 'Cache-Control' response header controls how pages can be cached
  154 + either by proxies or the users browser.
  155 + This response header can provide enhanced privacy by not caching
  156 + sensitive pages in the users browser cache.
  157 +
  158 + <add name="Cache-Control" value="no-store, no-cache"/>
  159 + -->
  160 +
  161 + <!--
  162 + # Strict-Transport-Security
  163 + The HTTP Strict Transport Security header is used to control
  164 + if the browser is allowed to only access a site over a secure connection
  165 + and how long to remember the server response for, forcing continued usage.
  166 + Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
  167 + <add name="Strict-Transport-Security" value="max-age=15768000"/>
  168 + -->
  169 +
  170 + <!--
  171 + # X-Frame-Options
  172 + The X-Frame-Options header indicates whether a browser should be allowed
  173 + to render a page within a frame or iframe.
  174 + The valid options are DENY (deny allowing the page to exist in a frame)
  175 + or SAMEORIGIN (allow framing but only from the originating host)
  176 + Without this option set the site is at a higher risk of click-jacking.
  177 +
  178 + <add name="X-Frame-Options" value="SAMEORIGIN" />
  179 + -->
  180 +
  181 + <!--
  182 + # X-XSS-Protection
  183 + The X-XSS-Protection header is used by Internet Explorer version 8+
  184 + The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
  185 + If enabled, without 'mode=block', there is an increased risk that
  186 + otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable
  187 +
  188 + <add name="X-XSS-Protection" value="1; mode=block"/>
  189 + -->
  190 +
  191 + <!-- A little extra security (by obscurity) -->
  192 + <remove name="X-Powered-By" />
  193 +
  194 + <!--//#### SECURITY Related Headers ###-->
  195 +
  196 + <!--
  197 + # E-TAGS
  198 + E-Tags are actually quite useful in cache management especially if you have a front-end caching server
  199 + such as Varnish. http://en.wikipedia.org/wiki/HTTP_ETag / http://developer.yahoo.com/performance/rules.html#etags
  200 + But in load balancing and simply most cases ETags are mishandled in IIS; and it can be advantageous to remove them.
  201 + This is simply done by overriding the default server header with an empty tag.
  202 + See http://bytestopshere.wordpress.com/2009/02/02/disable-remove-etags-on-iis-6-to-improve-performance/
  203 +
  204 + <add name="E-TAG" value="" />
  205 + -->
  206 +
  207 + <!--
  208 + Force the latest IE version, in various cases when it may fall back to IE7 mode
  209 + github.com/rails/rails/commit/123eb25#commitcomment-118920
  210 + Use ChromeFrame if it's installed for a better experience for the poor IE folk
  211 + -->
  212 + <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
  213 + <!--
  214 + Allow cookies to be set from iframes (for IE only)
  215 + If needed, uncomment and specify a path or regex in the Location directive
  216 +
  217 + <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;" />
  218 + -->
  219 + </customHeaders>
  220 + </httpProtocol>
  221 +
  222 + <!--
  223 + <rewrite>
  224 + <rules>
  225 +
  226 + Remove/force the WWW from the URL.
  227 + Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
  228 + Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0
  229 +
  230 + NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
  231 + http://www.microsoft.com/web/downloads/platform.aspx
  232 +
  233 + ** Important Note
  234 + using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
  235 + (eg. fast cdn-like access of static resources like css, js and images) impossible.
  236 +
  237 + # IMPORTANT: THERE ARE TWO RULES LISTED. NEVER USE BOTH RULES AT THE SAME TIME!
  238 +
  239 + <rule name="Remove WWW" stopProcessing="true">
  240 + <match url="^(.*)$" />
  241 + <conditions>
  242 + <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
  243 + </conditions>
  244 + <action type="Redirect" url="http://example.com{PATH_INFO}" redirectType="Permanent" />
  245 + </rule>
  246 + <rule name="Force WWW" stopProcessing="true">
  247 + <match url=".*" />
  248 + <conditions>
  249 + <add input="{HTTP_HOST}" pattern="^example.com$" />
  250 + </conditions>
  251 + <action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
  252 + </rule>
  253 + -->
  254 + <!--
  255 + ### Built-in filename-based cache busting
  256 +
  257 + If you're not using the build script to manage your filename version revving,
  258 + you might want to consider enabling this, which will route requests for
  259 + /css/style.20110203.css to /css/style.css
  260 +
  261 + To understand why this is important and a better idea than all.css?v1231,
  262 + read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting
  263 +
  264 + <rule name="Cachebusting">
  265 + <match url="^(.+)\.\d+(\.(js|css|png|jpg|gif)$)" />
  266 + <action type="Rewrite" url="{R:1}{R:2}" />
  267 + </rule>
  268 +
  269 + </rules>
  270 + </rewrite>-->
  271 +
  272 + </system.webServer>
  273 +</configuration>
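Review bot: the `<sessionState mode="InProc" customProvider="DefaultSessionProvider">` block is dead configuration: a custom provider is only consulted when `mode="Custom"`, and the provider it declares points at `connectionStringName="DefaultConnection"` while `<connectionStrings />` in this file is empty; either remove the `<providers>` block so the template is self-consistent, or switch to `mode="Custom"` and define the connection string it depends on. `<compilation debug="true" targetFramework="4.0" />` also ships enabled even though the comment directly above says to use it only during development; a boilerplate should default to `debug="false"`. Worth verifying on a real IIS host rather than the VS development server: `system.webServer/httpCompression` is locked at the applicationHost level on a default install, so declaring it here with a custom `directory` can fail the site with a 500.19 until the section is unlocked. The customHeaders block repeats the one in the MVC4 file, so the `E-TAG` name mismatch, the HSTS-only-over-HTTPS caveat and the hard-coded `http://` targets in the WWW rewrite rules apply here too; note as well that an uncommented `Cache-Control: no-store, no-cache` custom header is attached to every response, static assets included, which would override the 30-day `clientCache` set in `<staticContent>` above it.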
