web.config.sample

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Don't show directory listings for URLs which map to a directory. -->
    <directoryBrowse enabled="false" />
    <rewrite>
      <rules>
        <rule name="Protect files and directories from prying eyes" stopProcessing="true">
          <match url="\.(app|src)$" />
          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
        </rule>
        <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
          <match url="favicon\.ico" />
          <conditions>
              <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
        </rule>
        <!-- Rewrite URLs of the form 'x' to the form 'index.php/x'. -->
        <rule name="Short URLs" stopProcessing="true">
          <match url="^(.*)$" ignoreCase="false" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
            <add input="{URL}" pattern="^(.*)\.(gif|png|jpe?g|css|ico|js|svg|map)$" ignoreCase="false" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php/{R:1}" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
    
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="app"/>
          <add segment="src"/>
          <add segment="vendor"/>
          <add segment="tests"/>
        </hiddenSegments>
        <denyUrlSequences>
          <add sequence="composer" />
          <add sequence="autoload" />
          <add sequence="cli-config" />
          <add sequence="COPYING" />
        </denyUrlSequences>
        <fileExtensions>
          <add fileExtension=".ini" allowed="false" />
          <add fileExtension=".lock" allowed="false" />
          <add fileExtension=".dist" allowed="false" />
          <add fileExtension=".git" allowed="false" />
          <add fileExtension=".sh" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".swp" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    
    <httpErrors>
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
    </httpErrors>

    <defaultDocument>
      <!-- Set the default document -->
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>