Added security headers

force HTTPS, add HSTS, other misc security tweaks
This commit is contained in:
Daniel J. Summers 2019-04-20 14:20:56 -05:00
parent 9da1c0fc19
commit 251d412155

View File

@ -1,8 +1,27 @@
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<add name="X-Frame-Options" value="DENY" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Referrer-Policy" value="same-origin" />
</customHeaders>
<redirectHeaders>
<clear />
</redirectHeaders>
</httpProtocol>
<rewrite>
<rules>
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Vue" patternSyntax="Wildcard">
<match url="*" />
<conditions logicalGrouping="MatchAll">
@ -12,6 +31,15 @@
<action type="Rewrite" url="index.html" />
</rule>
</rules>
<outboundRules>
<rule name="HSTS Header" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>