Docs: Add full web.config example
#1224
Conversation
|
|
||
| There are some assumptions though: | ||
|
|
||
| * The site is static. If you are using node with iisnode, asp.net, etc. |
| you will have to add the required configuration (but most of this | ||
| configuration should still be valid). | ||
| * All the static assets are in the folder `dist/static`. | ||
| * The static resources (CSS, JS, images, etc.) have precompressed `gzip` |
There was a problem hiding this comment.
Nope, we just need a gzip file. It could be zopfli or regular gzip as long as it ends up with .gz.
| Even though each hint has example on how to configure different server | ||
| technologies, they only contain the relevant portions. | ||
|
|
||
| The following are full examples of valid configurations that should |
There was a problem hiding this comment.
examples of server configurations
| <urlCompression doStaticCompression="true" doDynamicCompression="true" dynamicCompressionBeforeCache="false" /> | ||
| <staticContent> | ||
| <!-- | ||
| We set the mimeType for all the types we are going to use in the site. IIS |
|
@alrra addresed your feedback |
|
@molant this looks really good! I've been struggling with Content Security Policy (CSP). It would nice to have an example and clear instructions on doing that. Html5 BoilerPlate has one, but it's not very clear. I'd also suggest links to the Sonarwhal's user guide for each issue. They have a good explanation of each. I'm adding a link from my article and will update it with approaches I learn from your work. We recently converted to Asp.Net Core, so I'm re-learning how to do this with NWebSec and middle-ware. Thanks for helping improve security on the web! |
Yes, I agree, we should do that.
@aligneddev Thank you! |
|
OK, I've added links to the hints from the |
packages/hint-content-type/README.md
Outdated
| @@ -379,6 +379,8 @@ Note that: | |||
| * The above snippet works with IIS 7+. | |||
| * You should use the above snippet in the `web.config` of your | |||
| application. | |||
| * For the the complete set of IIS configurations, not just for this rule, | |||
There was a problem hiding this comment.
Remove duplicate the.
Maybe change this to:
For the complete set of configurations, not just for this rule, see this IIS server configuration related docs.
Once we have the rule for CSP and its documentation we will update the template to cover it too. |
|
Thanks for doing this work! Troy Hunt has a very good article on CSP: https://www.troyhunt.com/implementing-content-security-policy/ |
Pull request checklist
Make sure you:
For non-trivial changes, please make sure you also:
Added/Updated related tests.Short description of the change(s)
Ref #1100