web.config settings for hardening an IIS / ASP.NET web site: version-disclosure headers removed, HTTPS and canonical-host redirects, HSTS, and browser security headers (CSP, X-Frame-Options, Referrer-Policy, etc.) applied to HTML responses through IIS URL Rewrite outbound rules.
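<?xml version="1.0" encoding="utf-8"?>
<!--
  IIS / ASP.NET hardening baseline (web.config).
  The <rewrite> section requires the IIS URL Rewrite module.
  Security headers for HTML are applied via outbound rules keyed on the
  response Content-Type rather than on the request URL, so default documents
  (e.g. "/" serving index.html) and URLs carrying a query string are covered;
  a {REQUEST_URI} match on "\.html$" misses both, because REQUEST_URI includes
  the query string and the default-document path never ends in ".html".
-->
<configuration>
  <system.web>
    <!-- Drops the X-AspNet-Version response header (framework version disclosure). -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- <clear /> also removes custom headers inherited from applicationHost.config,
             notably X-Powered-By. -->
        <clear />
        <!-- Stops browsers from MIME-sniffing responses; applies to every response,
             not just HTML, which is what we want for scripts, styles and downloads. -->
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
      <redirectHeaders>
        <clear />
      </redirectHeaders>
    </httpProtocol>
    <security>
      <!-- Suppresses the "Server: Microsoft-IIS/x.x" header.
           IIS 10.0+ only; older versions ignore this attribute and still leak the version. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <rewrite>
      <rules>
        <!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
        <!-- NOTE(review): {HTTPS} is "off" when TLS terminates at a load balancer or
             reverse proxy in front of IIS, which makes this rule redirect forever.
             In that deployment condition on {HTTP_X_FORWARDED_PROTO} pattern "^http$" instead.
             The target reuses {HTTP_HOST} from the request; with a catch-all binding
             (no host name on the site binding) a forged Host header can steer the
             redirect to an attacker-chosen host. Either keep bindings restricted to the
             known host names or hard-code the canonical host in the url attribute. -->
        <rule name="Force HTTPS" enabled="true" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
        <!-- END rule TAG FOR HTTPS REDIRECT -->
        <!-- BEGIN rule TAG FOR WWW REDIRECT -->
        <!-- Canonicalises the bare apex host onto www. The condition is an exact,
             anchored match, so only "appveyor.com" is rewritten; a plain-HTTP request
             to the apex takes two hops (HTTPS rule first, then this one). -->
        <rule name="www redirect" enabled="true" stopProcessing="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^appveyor\.com$" />
          </conditions>
          <action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
        <!-- END rule TAG FOR WWW REDIRECT -->
      </rules>
      <outboundRules>
        <!-- HSTS is only honoured by browsers on HTTPS responses and must not be sent
             over plain HTTP, hence the {HTTPS} condition. max-age is one year.
             NOTE(review): "preload" commits the apex and every subdomain to HTTPS and is
             effectively irreversible once the site is accepted into browser preload lists;
             it has no effect until the domain is submitted at hstspreload.org.
             Remove "preload" (and reconsider includeSubdomains) unless that commitment is
             deliberate and all subdomains already serve HTTPS. -->
        <rule name="Set Strict-Transport-Security header when using HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
        </rule>
        <!-- The rules below are keyed on the response Content-Type so they fire for every
             HTML document regardless of URL shape (default documents, query strings,
             extensionless routes). -->
        <!-- https://w3c.github.io/webappsec-referrer-policy/ -->
        <!-- Sends the full URL same-origin, origin only cross-origin, nothing on HTTPS to HTTP. -->
        <rule name="Set Referrer-Policy header for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_Referrer_Policy" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="strict-origin-when-cross-origin" />
        </rule>
        <!-- Clickjacking defence for browsers that predate CSP frame-ancestors;
             kept consistent with "frame-ancestors 'none'" in the CSP below. -->
        <rule name="Set X-Frame-Options header for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_X_Frame_Options" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="DENY" />
        </rule>
        <!-- The legacy XSS auditor is removed from current browsers and, where still present,
             has been abused to leak page content; current guidance (OWASP, MDN) is to
             disable it explicitly with "0" and rely on the CSP below, whose script-src
             carries no 'unsafe-inline'. Previously "1; mode=block". -->
        <rule name="Set X-XSS-Protection header for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="0" />
        </rule>
        <!-- Content Security Policy.
             default-src 'none' denies everything not explicitly listed, so connect-src,
             object-src, media-src and worker-src all fall back to 'none'.
             'unsafe-inline' is granted to styles only; scripts are restricted to
             self and Google Analytics.
             NOTE(review): form-action and frame-ancestors are NOT governed by default-src.
             frame-ancestors is set; form-action is not, so any <form> on the page may still
             post to an arbitrary origin. Add "form-action 'self'" if no form posts off-site. -->
        <rule name="Set CSP header for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="default-src 'none'; script-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: www.google-analytics.com ci.appveyor.com; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.slideshare.net www.youtube.com; child-src 'self' www.slideshare.net www.youtube.com; manifest-src 'self'; base-uri 'self'; frame-ancestors 'none'" />
        </rule>
        <!-- Forces Internet Explorer out of compatibility view; not a security header. -->
        <rule name="Set X-UA-Compatible header for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_X_UA_Compatible" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="IE=edge" />
        </rule>
        <!-- One-hour cache for HTML so header or content changes propagate quickly;
             static assets are left to their own caching configuration. -->
        <rule name="Set Cache-Control:max-age=3600 for HTML responses" enabled="true">
          <match serverVariable="RESPONSE_Cache_Control" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </conditions>
          <action type="Rewrite" value="max-age=3600" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>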