IIS Web config file

What is a Web .config file

XML file

Similar to .htaccess files

A web.config file is an XML-based configuration file used by Microsoft Internet Information Server (IIS).

A web .config file can contain configurations for:

  • Database connections
  • Session states
  • Caching settings
  • Error handling
  • Security

Web.config file elements

Structure

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <security>
            ...
        </security>
        <modules>
            ...
        </modules>
        <handlers>
            ...
        </handlers>
        <httpProtocol>
            <customHeaders>
                ...
            </customHeaders>
        </httpProtocol>
        <rewrite>
            <rules>
                ...
            </rules>
        </rewrite>
    </system.webServer>
</configuration> 

Configuration element

Each configuration rule has to be inside this root element.

<configuration>
    ...
</configuration> 

Configuration rules

This is the main section for many configuration settings which are used by the web server engine and modules.

<system.webServer>
    ...
</system.webServer> 

Security

The security section contains all elements that configure security settings on an Internet Information Server.

<security>
    <authentication>
        <windowsAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
        <anonymousAuthentication enabled="false" />
    </authentication>
    <requestFiltering>
        ...
    </requestFiltering>
</security> 

Modules

The modules section defines the native code and managed code modules which are registered for an application.

<modules>
    <!-- Remove WebDAV module -->
    <remove name="WebDAVModule" />
</modules> 

Handlers

Handlers are IIS components that are configured to process requests to specific content, for example to generate a response for the requested resource.

<!-- <httpHandlers> is the classic ASP.NET element and lives under <system.web>;
     under <system.webServer> (integrated pipeline) the equivalent element is <handlers>. -->
<httpHandlers>
    <!-- Refuse to serve source and configuration files directly -->
    <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
    <add path="*.vjsproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
    <add path="*.java" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
</httpHandlers>

Redirect rules

With redirect rules, several URLs can be pointed at a single website.

<rewrite>
    <rules>
        <rule name="Redirect old url" stopProcessing="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                <add input="{HTTP_HOST}{REQUEST_URI}" pattern="[OLD URL]" />
            </conditions>
            <action type="Redirect" url="https://[NEW URL]/{R:1}" redirectType="Permanent"/>
        </rule>
    </rules>
</rewrite>
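The following is an added example, not code from the original post or from IIS: a small Python model of how the URL Rewrite module evaluates the rule above, so the effect of `<match url="(.*)">`, the `{HTTP_HOST}{REQUEST_URI}` condition and the `{R:1}` back-reference can be checked offline. `old.example.com` and `new.example.com` are constructed stand-ins for the post's `[OLD URL]` and `[NEW URL]` placeholders.

```python
"""Model of the IIS URL Rewrite redirect rule shown in the post (added example)."""
import re
from urllib.parse import urlsplit

MATCH_URL = r"(.*)"                             # <match url="(.*)" />
# Condition patterns are regular expressions, so the dots are escaped;
# an unescaped "old.example.com" would also match "oldXexample.com".
CONDITION_PATTERNS = [r"^old\.example\.com/"]   # pattern="[OLD URL]" (constructed stand-in)
ACTION_URL = "https://new.example.com/{R:1}"    # url="https://[NEW URL]/{R:1}" (constructed stand-in)
REDIRECT_STATUS = 301                           # redirectType="Permanent"


def apply_redirect_rule(request_url):
    """Return (status, location) if the rule fires, otherwise None."""
    parts = urlsplit(request_url)
    # <match url> is tested against the path without its leading slash and
    # without the query string; IIS ignores case by default (ignoreCase="true").
    m = re.match(MATCH_URL, parts.path.lstrip("/"), re.IGNORECASE)
    if m is None:
        return None
    # {REQUEST_URI} keeps the leading slash and the query string.
    request_uri = parts.path + (f"?{parts.query}" if parts.query else "")
    condition_input = parts.netloc + request_uri
    # logicalGrouping="MatchAny": a single matching condition is enough.
    if not any(re.search(p, condition_input, re.IGNORECASE) for p in CONDITION_PATTERNS):
        return None
    # {R:1} is the first capture group of the <match url> pattern.
    location = ACTION_URL.replace("{R:1}", m.group(1))
    # Redirect actions append the original query string by default (appendQueryString="true").
    if parts.query and "?" not in location:
        location += f"?{parts.query}"
    return REDIRECT_STATUS, location


if __name__ == "__main__":
    for url in ("http://old.example.com/products/list?page=2",
                "http://old.example.com/",
                "https://new.example.com/products/list",
                "http://oldXexample.com/"):
        print(url, "->", apply_redirect_rule(url))
```

Requests on the old host are answered with a 301 to the same path and query string on the new host; requests that already arrive on the new host, or on a host that only resembles the old one, fall through to the next rule.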

CustomHeaders

The customHeaders element inside the httpProtocol element specifies custom HTTP headers that IIS will return in HTTP responses from the web server.

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
        <!-- Legacy browser XSS filter header; modern browsers ignore it, the CSP below is the real defence. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Protects against clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Protects against MIME-type confusion attacks. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- HSTS: tells browsers to reach this host and its subdomains over HTTPS only. ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <!-- CSP: directive-based XSS defence, used since 2014. Note that this example policy is very permissive
             (script-src * 'unsafe-inline' 'unsafe-eval', object-src *) and should be tightened per site. ref.: http://content-security-policy.com/ -->
        <add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src * data:; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />
        <!-- Sends the Referer header only for same-origin requests, so no referrer data leaks to other sites. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
        <add name="Referrer-Policy" value="same-origin" />
        <!-- Permissions-Policy controls which browser features and APIs the page may use. ref.: https://w3c.github.io/webappsec-permissions-policy/ -->
        <add name="Permissions-Policy" value="accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=*, usb=()" />
    </customHeaders>
</httpProtocol>
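The settings covered in the Security, Modules and CustomHeaders sections can be checked mechanically. The script below is an added example, not code from the original post: it parses a web.config with Python's standard library and reports the hardening gaps the post's own fragments address (WebDAVModule removed, X-Powered-By removed, the listed response headers present), and additionally flags CSP source values that neutralise the policy. `SAMPLE_WEB_CONFIG` is a constructed file that stitches the post's fragments together and deliberately keeps the permissive CSP.

```python
"""Audit the security-relevant sections of an IIS web.config (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config built from the post's fragments.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="Content-Security-Policy" value="default-src 'self'; script-src * 'unsafe-inline' 'unsafe-eval'; object-src *;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Response headers the post's customHeaders block adds.
EXPECTED_HEADERS = {
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "Referrer-Policy",
}
ONE_YEAR = 31536000


def check_csp(policy):
    """Return the CSP sources that make the policy ineffective against XSS."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    problems = []
    # script-src and object-src fall back to default-src when absent.
    script = directives.get("script-src", directives.get("default-src", []))
    for weak in ("*", "'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            problems.append(f"script-src allows {weak}")
    objects = directives.get("object-src", directives.get("default-src", []))
    if "*" in objects:
        problems.append("object-src allows *")
    return problems


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    ws = root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section found"]

    # Basic auth sends credentials base64-encoded; flag it when enabled.
    basic = ws.find("security/authentication/basicAuthentication")
    if basic is not None and basic.get("enabled", "false").lower() == "true":
        findings.append("basicAuthentication is enabled")

    # The post removes the WebDAV module; flag configs that leave it in.
    removed_modules = {r.get("name") for r in ws.findall("modules/remove")}
    if "WebDAVModule" not in removed_modules:
        findings.append("WebDAVModule is not removed")

    headers, removed_headers = {}, set()
    custom = ws.find("httpProtocol/customHeaders")
    if custom is not None:
        headers = {a.get("name"): a.get("value", "") for a in custom.findall("add")}
        removed_headers = {r.get("name") for r in custom.findall("remove")}

    if "X-Powered-By" not in removed_headers:
        findings.append("X-Powered-By is not removed")
    for name in sorted(EXPECTED_HEADERS - set(headers)):
        findings.append(f"missing header {name}")

    hsts = headers.get("Strict-Transport-Security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")

    csp = headers.get("Content-Security-Policy")
    if csp is not None:
        findings.extend(f"Content-Security-Policy: {p}" for p in check_csp(csp))
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run against the sample, the audit reports the missing Referrer-Policy header and four CSP weaknesses; the same function can be pointed at a real web.config by reading the file into a string.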
