Various options for configuration options for protecting IIS or ASP.NET web sites.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <httpRuntime enableVersionHeader="false" />
    </system.web>

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <clear />
                <add name="X-Content-Type-Options" value="nosniff" />
            </customHeaders>
            <redirectHeaders>
                <clear />
            </redirectHeaders>
        </httpProtocol>

        <security>
            <requestFiltering removeServerHeader="true" />
        </security>

        <rewrite>
            <rules>
                <!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
                <rule name="Force HTTPS" enabled="true" stopProcessing="true">
                    <match url="(.*)" ignoreCase="false" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
                <!-- END rule TAG FOR HTTPS REDIRECT -->

                <!-- BEGIN rule TAG FOR WWW REDIRECT -->
                <rule name="www redirect" enabled="true" stopProcessing="true">
                    <match url="(.*)" ignoreCase="false" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="^appveyor\.com$" />
                    </conditions>
                    <action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
                <!-- END rule TAG FOR WWW REDIRECT -->
            </rules>

            <outboundRules>
                <rule name="Set Strict-Transport-Security header when using HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
                </rule>

                <!-- https://w3c.github.io/webappsec-referrer-policy/ -->
                <rule name="Set Referrer-Policy header for HTML files only" enabled="true">
                    <match serverVariable="RESPONSE_Referrer-Policy" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="strict-origin-when-cross-origin" />
                </rule>

                <rule name="Set X-Frame-Options header for HTML files only">
                    <match serverVariable="RESPONSE_X_Frame_Options" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="DENY" />
                </rule>

                <rule name="Set X-XSS-Protection header for HTML files only">
                    <match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="1; mode=block" />
                </rule>

                <rule name="Set CSP header for HTML files only">
                    <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="default-src 'none'; script-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: www.google-analytics.com ci.appveyor.com; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.slideshare.net www.youtube.com; child-src 'self' www.slideshare.net www.youtube.com; manifest-src 'self'; base-uri 'self'; frame-ancestors 'none'" />
                </rule>

                <rule name="Set X-UA-Compatible header for HTML files only">
                    <match serverVariable="RESPONSE_X_UA_Compatible" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="IE=edge" />
                </rule>

                <rule name="Set Cache-Control:max-age=3600 for HTML files only">
                    <match serverVariable="RESPONSE_Cache_Control" pattern=".*" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="\.html$" />
                    </conditions>
                    <action type="Rewrite" value="max-age=3600" />
                </rule>
            </outboundRules>
        </rewrite>

    </system.webServer>
</configuration>