<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS web.config fragment that adjusts the response headers sent by the site.
  All values are static and apply to every response served under this
  configuration scope.
-->
<configuration>
  <system.webServer>
    <!-- Security-related HTTP response headers -->
    <httpProtocol>
      <customHeaders>
        <!-- Stop advertising the server-side technology stack. -->
        <remove name="X-Powered-By" />

        <!--
          frame-ancestors 'self' limits framing of these pages to the same origin.
          default-src is the fallback for every fetch directive, script-src included.
          NOTE(review): 'unsafe-inline' and 'unsafe-eval' allow inline script and
          eval(), and data:/blob: are allowed as sources for all resource types, so
          this policy does little to contain script injection. Tighten it
          (nonces or hashes, a dedicated script-src) once the application allows.
        -->
        <add name="Content-Security-Policy" value="frame-ancestors 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:" />

        <!-- Legacy counterpart of frame-ancestors 'self' for browsers without CSP support. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!--
          Turns on the legacy browser XSS filter in its default (sanitizing) mode;
          "mode=block" is not set.
          NOTE(review): current browsers no longer implement this filter, and
          present guidance is to send "0" and rely on the CSP instead. Confirm
          which clients still need this header before keeping "1".
        -->
        <add name="X-XSS-Protection" value="1" />

        <!-- Tell browsers to honour the declared Content-Type instead of sniffing it. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Adobe clients (Flash, Acrobat) may only use the master cross-domain policy file. -->
        <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

        <!-- Internet Explorer only: downloads cannot be opened directly in the site's context. -->
        <add name="X-Download-Options" value="noopen" />

        <!--
          Same-origin requests carry the full referrer; cross-origin requests carry
          only the origin.
          NOTE(review): this value still sends the origin on an HTTPS to HTTP
          downgrade; "strict-origin-when-cross-origin" would suppress it.
        -->
        <add name="Referrer-Policy" value="origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>