-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathweb.config
41 lines (41 loc) · 1.81 KB
/
web.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<httpRuntime enableVersionHeader="false"/>
</system.web>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'none' ; script-src 'self' disqus.com disqus-csp.disqus.com c.disquscdn.com; style-src 'self' c.disquscdn.com; img-src 'self' referrer.disqus.com c.disquscdn.com; connect-src links.services.disqus.com; child-src disqus.com; frame-src disqus.com; upgrade-insecure-requests; block-all-mixed-content; base-uri https://disqus-csp.testingtheweb.com/; report-uri https://theyorkshiredev.report-uri.com/r/d/csp/enforce;" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="DENY" />
<add name="X-XSS-Protection" value="1; mode=block" />
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
<rewrite>
<rules>
<rule name="Redirect to https">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="Off"/>
<add input="{REQUEST_METHOD}" pattern="^get$|^head$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
</rule>
</rules>
<outboundRules>
<rule name="Add HSTS Header" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains;" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>