Skip to content

Instantly share code, notes, and snippets.

@MrZoidberg

MrZoidberg/web.config

Created January 8, 2018 13:37
Show Gist options
  • Save MrZoidberg/5beaa5fa3a071348fbb701456b79ab5f to your computer and use it in GitHub Desktop.
Save MrZoidberg/5beaa5fa3a071348fbb701456b79ab5f to your computer and use it in GitHub Desktop.
Download ZIP
web.config for Angular website
Raw
web.config
<?xml version="1.0" encoding="utf-8"?>
<!--
Credit to : H5BP <https://h5bp.github.io>
https://github.com/h5bp/server-configs-iis/blob/master/server%20config/Web.config
-->
<configuration>
<system.webServer>
<!-- GZip static file content. Overrides the server default which only compresses static files over 2700 bytes -->
<httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024">
<scheme dll="%Windir%\system32\inetsrv\gzip.dll" name="gzip" />
<staticTypes>
<add enabled="true" mimeType="text/*" />
<add enabled="true" mimeType="message/*" />
<add enabled="true" mimeType="application/javascript" />
<add enabled="true" mimeType="application/json" />
<add enabled="false" mimeType="*/*" />
</staticTypes>
</httpCompression>
<httpErrors errorMode="Custom" existingResponse="PassThrough">
<!-- Catch IIS 404 error due to paths that exist but shouldn't be served (e.g. /controllers, /global.asax) or
IIS request filtering (e.g. bin, web.config, app_code, app_globalresources, app_localresources, app_webreferences,
app_data, app_browsers) -->
<remove statusCode="404" subStatusCode="-1" />
<error path="/notfound" responseMode="ExecuteURL" statusCode="404" subStatusCode="-1" />
<remove statusCode="500" subStatusCode="-1" />
<error path="/error" responseMode="ExecuteURL" statusCode="500" subStatusCode="-1" />
</httpErrors>
<directoryBrowse enabled="false" />
<validation validateIntegratedModeConfiguration="false" />
<!-- Microsoft sets runAllManagedModulesForAllRequests to true by default
You should handle this according to need, but consider the performance hit.
Good source of reference on this matter: http://www.west-wind.com/weblog/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78
-->
<modules runAllManagedModulesForAllRequests="false" />
<urlCompression doDynamicCompression="true" doStaticCompression="true" />
<staticContent>
<!-- Remove ETAG IN IIS >8 ; for IIS 7/7.5 see the Rewrite rules (bigger description of why you might remove etag down there aswell)
<clientCache setEtag="false"/>
-->
<!-- Set expire headers to 30 days for static content-->
<clientCache cacheControlMaxAge="30.00:00:00" cacheControlMode="UseMaxAge" />
<!-- use utf-8 encoding for anything served text/plain or text/html -->
<!-- in the case of .html files; if you AJAX load html files (i.e. in angular) then remove these two lines. -->
<remove fileExtension=".html" />
<mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8" />
<remove fileExtension=".css" />
<mimeMap fileExtension=".css" mimeType="text/css" />
<remove fileExtension=".js" />
<mimeMap fileExtension=".js" mimeType="text/javascript" />
<remove fileExtension=".json" />
<mimeMap fileExtension=".json" mimeType="application/json" />
<remove fileExtension=".rss" />
<mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8" />
<remove fileExtension=".xml" />
<mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8" />
<remove fileExtension=".map" />
<mimeMap fileExtension=".map" mimeType="application/json" />
<!-- HTML5 Audio/Video mime types-->
<remove fileExtension=".mp3" />
<mimeMap fileExtension=".mp3" mimeType="audio/mpeg" />
<remove fileExtension=".mp4" />
<mimeMap fileExtension=".mp4" mimeType="video/mp4" />
<remove fileExtension=".ogg" />
<mimeMap fileExtension=".ogg" mimeType="audio/ogg" />
<remove fileExtension=".ogv" />
<mimeMap fileExtension=".ogv" mimeType="video/ogg" />
<remove fileExtension=".webm" />
<mimeMap fileExtension=".webm" mimeType="video/webm" />
<!-- Proper svg serving. Required for svg webfonts on iPad -->
<remove fileExtension=".svg" />
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
<remove fileExtension=".svgz" />
<mimeMap fileExtension=".svgz" mimeType="image/svg+xml" />
<!-- HTML4 Web font mime types -->
<!-- Remove default IIS mime type for .eot which is application/octet-stream -->
<remove fileExtension=".eot" />
<mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
<remove fileExtension=".ttf" />
<mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf" />
<remove fileExtension=".ttc" />
<mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
<remove fileExtension=".otf" />
<mimeMap fileExtension=".otf" mimeType="font/opentype" />
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
<remove fileExtension=".woff2" />
<mimeMap fileExtension=".woff2" mimeType="font/woff2" />
<remove fileExtension=".crx" />
<mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension" />
<remove fileExtension=".xpi" />
<mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall" />
<remove fileExtension=".safariextz" />
<mimeMap fileExtension=".safariextz" mimeType="application/octet-stream" />
<!-- Flash Video mime types-->
<remove fileExtension=".flv" />
<mimeMap fileExtension=".flv" mimeType="video/x-flv" />
<remove fileExtension=".f4v" />
<mimeMap fileExtension=".f4v" mimeType="video/mp4" />
<!-- Assorted types -->
<remove fileExtension=".ico" />
<mimeMap fileExtension=".ico" mimeType="image/x-icon" />
<remove fileExtension=".webp" />
<mimeMap fileExtension=".webp" mimeType="image/webp" />
<remove fileExtension=".htc" />
<mimeMap fileExtension=".htc" mimeType="text/x-component" />
<remove fileExtension=".vcf" />
<mimeMap fileExtension=".vcf" mimeType="text/x-vcard" />
<remove fileExtension=".torrent" />
<mimeMap fileExtension=".torrent" mimeType="application/x-bittorrent" />
<remove fileExtension=".cur" />
<mimeMap fileExtension=".cur" mimeType="image/x-icon" />
<remove fileExtension=".webapp" />
<mimeMap fileExtension=".webapp" mimeType="application/x-web-app-manifest+json; charset=UTF-8" />
</staticContent>
<httpProtocol>
<customHeaders>
<!--#### SECURITY Related Headers ###
More information: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-->
<!--
# Access-Control-Allow-Origin
The 'Access Control Allow Origin' HTTP header is used to control which
sites are allowed to bypass same origin policies and send cross-origin requests.
Secure configuration: Either do not set this header, or return the 'Access-Control-Allow-Origin'
header restricting it to only a trusted set of sites.
http://enable-cors.org/
<remove name="Access-Control-Allow-Origin" /><add name="Access-Control-Allow-Origin" value="*" />-->
<!--
# Cache-Control
The 'Cache-Control' response header controls how pages can be cached
either by proxies or the users browser.
This response header can provide enhanced privacy by not caching
sensitive pages in the users browser cache.
<remove name="Cache-Control" /><add name="Cache-Control" value="no-store, no-cache"/>-->
<!--
# Strict-Transport-Security
The HTTP Strict Transport Security header is used to control
if the browser is allowed to only access a site over a secure connection
and how long to remember the server response for, forcing continued usage.
Note* Currently a draft standard which only Firefox and Chrome support. But is supported by sites like PayPal.
<remove name="Strict-Transport-Security" /><add name="Strict-Transport-Security" value="max-age=15768000"/>-->
<!--
# X-Frame-Options
The X-Frame-Options header indicates whether a browser should be allowed
to render a page within a frame or iframe.
The valid options are DENY (deny allowing the page to exist in a frame)
or SAMEORIGIN (allow framing but only from the originating host)
Without this option set the site is at a higher risk of click-jacking.
<remove name="X-Frame-Options" /><add name="X-Frame-Options" value="SAMEORIGIN" />-->
<!--
# X-XSS-Protection
The X-XSS-Protection header is used by Internet Explorer version 8+
The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
If enabled, without 'mode=block', there is an increased risk that
otherwise non-exploitable cross-site scripting vulnerabilities may potentially become exploitable
<remove name="X-XSS-Protection" /><add name="X-XSS-Protection" value="1; mode=block"/>-->
<!--
# MIME type sniffing security protection
Enabled by default as there are very few edge cases where you wouldn't want this enabled.
Theres additional reading below; but the tldr, it reduces the ability of the browser (mostly IE)
being tricked into facilitating driveby attacks.
http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-->
<remove name="X-Content-Type-Options" />
<add name="X-Content-Type-Options" value="nosniff" />
<!-- A little extra security (by obscurity), removings fun but adding your own is better -->
<remove name="X-Powered-By" />
<add name="X-Powered-By" value="My Little Pony" />
<!--
With Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
you can tell the browser that it can only download content from the domains you explicitly allow
CSP can be quite difficult to configure, and cause real issues if you get it wrong
There is website that helps you generate a policy here http://cspisawesome.com/
<remove name="Content-Security-Policy" /><add name="Content-Security-Policy" "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" />-->
<!--//#### SECURITY Related Headers ###-->
<!--
Allow cookies to be set from iframes (for IE only)
If needed, uncomment and specify a path or regex in the Location directive
<remove name="P3P" /><add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT&quot;" />-->
</customHeaders>
</httpProtocol>
<!--
### Rewrite Rules
Requires IIS Rewrite module http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
Configuration lifted from http://nayyeri.net/remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0
NOTE* You need to install the IIS URL Rewriting extension (Install via the Web Platform Installer)
http://www.microsoft.com/web/downloads/platform.aspx
-->
<rewrite>
<rules>
<!--clear: Removes all references to HTTP errors from the HTTP error collection.-->
<clear />
<!--
### Remove/force the WWW from the URL.
** Important Note
using a non-www version of a webpage will set cookies for the whole domain making cookieless domains
(eg. fast cdn-like access of static resources like css, js and images) impossible.
# IMPORTANT: THERE ARE TWO RULES LISTED ('Remove WWW' & 'Force WWW'). NEVER USE BOTH RULES AT THE SAME TIME!
-->
<!--
<rule name="Remove WWW" stopProcessing="true">
<match url="^(.*)$" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
</conditions>
<action type="Redirect" url="http://example.com{PATH_INFO}" redirectType="Permanent" />
</rule>
<rule name="Force WWW" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^example.com$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:0}" redirectType="Permanent" />
</rule>
-->
<!--
### Built-in filename-based cache busting (Name: 'Cachebusting')
In a managed language such as .net you should really be using the internal bundler for css + js
or getCassette or similar.
If you're not using the build script to manage your filename version revving,
you might want to consider enabling this, which will route requests for
/css/style.20110203.css to /css/style.css
To understand why this is important and a better idea than all.css?v1231,
read: http://madskristensen.net/post/cache-busting-in-aspnet
-->
<!--
<rule name="Cachebusting">
<match url="^(.+)\.\d+(\.(js|css|png|jpg|gif)$)" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}{R:2}" />
</rule>
-->
<!--
### AngularJS HTML5 Mode enabled (Name: 'AngularJS')
- $locationProvider.html5Mode(true) in app.js
- <base href="/"> in head tag
-->
<rule name="AngularJS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_URI}" matchType="Pattern" pattern="^/(assets)" ignoreCase="true" negate="true" />
<add input="{REQUEST_URI}" pattern="^/(api)" negate="true" ignoreCase="true" />
</conditions>
<action type="Rewrite" url="/" logRewrittenUrl="true" />
</rule>
</rules>
</rewrite>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
</system.webServer>
</configuration>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment