Added security headers

force HTTPS, add HSTS, other misc security tweaks
2019-04-20 14:20:56 -05:00 · 2019-04-20 14:20:56 -05:00 · 251d412155
commit 251d412155
parent 9da1c0fc19
1 changed files with 28 additions and 0 deletions
--- a/public/web.config
+++ b/public/web.config
@ -1,8 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <system.webServer>
+    <httpProtocol>
+      <customHeaders>
+        <clear />
+        <add name="X-Frame-Options" value="DENY" />
+        <add name="X-XSS-Protection" value="1; mode=block" />
+        <add name="X-Content-Type-Options" value="nosniff" />
+        <add name="Referrer-Policy" value="same-origin" />
+      </customHeaders>
+      <redirectHeaders>
+        <clear />
+      </redirectHeaders>
+    </httpProtocol>    
    <rewrite>
      <rules>
+        <rule name="Force HTTPS" stopProcessing="true">
+          <match url="(.*)" />
+          <conditions>
+            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
+          </conditions>
+          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
+        </rule>
        <rule name="Vue" patternSyntax="Wildcard">
          <match url="*" />
 		      <conditions logicalGrouping="MatchAll">
@ -12,6 +31,15 @@
 		      <action type="Rewrite" url="index.html" />
        </rule>
      </rules>
+      <outboundRules>
+        <rule name="HSTS Header" enabled="true">
+          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
+          <conditions>
+            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
+          </conditions>
+          <action type="Rewrite" value="max-age=31536000; preload" />
+        </rule>        
+      </outboundRules>
    </rewrite>
  </system.webServer>
 </configuration>