Docs: Add full `web.config` example #1224

Closed
wants to merge 1 commit into
base: master
from

3 participants
@molant
Member

molant commented Aug 8, 2018

Pull request checklist

Make sure you:

For non-trivial changes, please make sure you also:

  • Added/Updated related documentation.
  • Added/Updated related tests.

Short description of the change(s)

Ref #1100

There are some assumptions though:
* The site is static. If you are using node with iisnode, asp.net, etc.

@alrra

alrra Aug 8, 2018

Member

ASP.NET

you will have to add the required configuration (but most of this
configuration should still be valid).
* All the static assets are in the folder `dist/static`.
* The static resources (CSS, JS, images, etc.) have precompressed `gzip`

@alrra

alrra Aug 8, 2018

Member

JavaScript

@alrra

alrra Aug 8, 2018

Member

Do you mean zopfli?

@molant

molant Aug 8, 2018

Member

Nope, we just need a gzip file. It could be zopfli or regular gzip as long as it ends up with .gz.
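The assumption discussed above (every static resource under `dist/static` has a precompressed sibling ending in `.gz`, produced by gzip or zopfli) needs a build step that the pull request itself does not show. The following is an added example, not code from the webhint project or from this PR: a Python script that writes deterministic `.gz` files next to compressible assets and a checker that flags any `.gz` file that no longer matches its source, or has no source at all, so a stale precompressed copy cannot be served in place of the current file. The `dist/static` layout, the extension list and the size threshold are assumptions.

```python
"""Precompress static assets so a web server can serve ready-made .gz files.

Added example, not part of the webhint pull request. Layout (dist/static),
the set of compressible extensions and the 1 KiB threshold are assumptions.
"""
import gzip
from pathlib import Path

# Text-like types gain from gzip. Images and modern fonts (.png, .jpg, .woff2)
# are already compressed, so gzipping them only wastes disk and CPU.
COMPRESSIBLE = {".html", ".css", ".js", ".mjs", ".json", ".svg",
                ".xml", ".txt", ".map", ".ico"}


def precompress_dir(root, min_size=1024):
    """Write <file>.gz beside every compressible file under root.

    Returns the list of .gz paths written. Files below min_size bytes and
    files that do not shrink are skipped; .gz files themselves are ignored.
    """
    root = Path(root)
    written = []
    for path in sorted(root.rglob("*")):          # materialised before we add files
        if not path.is_file() or path.suffix.lower() not in COMPRESSIBLE:
            continue
        if path.stat().st_size < min_size:
            continue
        data = path.read_bytes()
        # mtime=0 keeps the gzip header constant, so rebuilds of unchanged
        # sources yield byte-identical .gz files (stable ETags, reproducible builds).
        gz = gzip.compress(data, compresslevel=9, mtime=0)
        if len(gz) >= len(data):
            continue
        out = path.with_name(path.name + ".gz")
        out.write_bytes(gz)
        written.append(out)
    return written


def verify_precompressed(root):
    """Return every .gz under root that is stale: orphaned or differing from its source."""
    bad = []
    for gz_path in Path(root).rglob("*.gz"):
        src = gz_path.with_name(gz_path.name[:-3])  # strip ".gz"
        if not src.exists():
            bad.append(gz_path)                      # orphan: source was removed or renamed
            continue
        with gzip.open(gz_path, "rb") as fh:
            if fh.read() != src.read_bytes():
                bad.append(gz_path)                  # source changed, .gz not rebuilt
    return bad


def demo():
    """Run both functions on a constructed dist/static tree in a temp directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        static = Path(tmp) / "dist" / "static"
        (static / "css").mkdir(parents=True)
        (static / "img").mkdir()
        # constructed sample assets
        (static / "css" / "site.css").write_text(".a{color:red}\n" * 200)   # 2800 B, compressible
        (static / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4)
        (static / "tiny.js").write_text("var a=1;")                          # below threshold
        (static / "stale.js.gz").write_bytes(gzip.compress(b"orphan", mtime=0))  # no source
        written = precompress_dir(static)
        bad = verify_precompressed(static)
        return {
            "written": sorted(p.relative_to(static).as_posix() for p in written),
            "bad": sorted(p.relative_to(static).as_posix() for p in bad),
        }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dist/static"
    for p in precompress_dir(target):
        print("wrote", p)
    problems = verify_precompressed(target)
    for p in problems:
        print("stale:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python precompress.py dist/static` at the end of the build; a non-zero exit on stale `.gz` files fails the build rather than letting the server hand out an old copy of an asset whose uncompressed version has already changed.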

Even though each hint has example on how to configure different server
technologies, they only contain the relevant portions.
The following are full examples of valid configurations that should

@alrra

alrra Aug 8, 2018

Member

examples of server configurations

<urlCompression doStaticCompression="true" doDynamicCompression="true" dynamicCompressionBeforeCache="false" />
<staticContent>
<!--
We set the mimeType for all the types we are going to use in the site. IIS
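Review bot: `doDynamicCompression="true"` on the `<urlCompression>` line sits oddly with the assumptions stated earlier in this file, namely that the site is static and its resources already ship as precompressed `.gz` files; either add a sentence explaining why dynamic compression is still wanted here, or note that the setting should be reviewed before the configuration is reused for an ASP.NET or iisnode application, where compressing dynamic responses that mix secrets with user-controlled input is a known risk (BREACH).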

@alrra

alrra Aug 8, 2018

Member

Maybe drop you/we...

@molant molant force-pushed the molant:docs/iis.config branch from 63dfd77 to b6f2759 Aug 8, 2018

@molant

Member

molant commented Aug 8, 2018

@alrra addressed your feedback

@aligneddev

aligneddev commented Aug 9, 2018

@molant this looks really good!

I've been struggling with Content Security Policy (CSP). It would be nice to have an example and clear instructions on doing that. HTML5 Boilerplate has one, but it's not very clear.

I'd also suggest links to Sonarwhal's user guide for each issue. They have a good explanation of each.

I'm adding a link from my article and will update it with approaches I learn from your work.

We recently converted to ASP.NET Core, so I'm re-learning how to do this with NWebSec and middleware.

Thanks for helping improve security on the web!

@alrra

Member

alrra commented Aug 9, 2018

I'd also suggest links to the ~~Sonarwhal~~ webhint's user guide for each issue. They have a good explanation of each.

Yes, I agree, we should do that.

I'm adding a link from my article and will update it with approaches I learn from your work.

@aligneddev Thank you!

@molant molant force-pushed the molant:docs/iis.config branch from 7d98867 to 8cd8110 Aug 9, 2018

@molant

Member

molant commented Aug 9, 2018

OK, I've added links to the hints from the web.config and to the web.config from the hints.

@aligneddev

What about Content Security Policy? Does that fit in somewhere?

@@ -379,6 +379,8 @@ Note that:
* The above snippet works with IIS 7+.
* You should use the above snippet in the `web.config` of your
application.
* For the the complete set of IIS configurations, not just for this rule,

@alrra

alrra Aug 9, 2018

Member

Remove duplicate the.

Maybe change this to:

For the complete set of configurations, not just for this rule, see this IIS server configuration related docs.

@molant molant force-pushed the molant:docs/iis.config branch from 8cd8110 to 9878120 Aug 9, 2018

@molant molant force-pushed the molant:docs/iis.config branch from 9878120 to 933cda7 Aug 9, 2018

@molant

Member

molant commented Aug 9, 2018

What about Content Security Policy? Does that fit in somewhere?

Once we have the rule for CSP and its documentation we will update the template to cover it too.

@alrra alrra closed this in 4ac86c3 Aug 9, 2018

@alrra alrra deleted the molant:docs/iis.config branch Aug 9, 2018

@aligneddev

aligneddev commented Aug 9, 2018

Thanks for doing this work! Troy Hunt has a very good article on CSP: https://www.troyhunt.com/implementing-content-security-policy/
