|
|
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
<section name="secureWebPages" type="Hyper.Web.Security.SecureWebPageSectionHandler, WebPageSecurity" allowLocation="false" />
</configSections>
<!--
WEB PAGE SECURITY
This section will redirect any matching pages to the HTTPS protocol for SSL security
and, if needed, redirect any non-matching pages (or pages matching an entry marked secure="False")
to the HTTP protocol to remove the security and encryption.
Set secureWebPages mode="On", "RemoteOnly" or "LocalOnly" to enable web page security;
"Off" to disable (default = "On").
"On": Security is enabled and all requests are monitored.
"RemoteOnly": Only requests from remote clients are monitored.
"LocalOnly": Only requests from the local server are monitored.
"Off": No requests are monitored.
Set secureWebPages encryptedUri to a specific URI to indicate where to redirect when the module decides that
security is needed. Likewise, set secureWebPages unencryptedUri for times the module decides that security is
not needed.
Set secureWebPages maintainPath="False" to prevent the module from maintaining the current path
when redirecting to the specified URIs (default = "True").
Set secureWebPages warningBypassMode="AlwaysBypass" to always bypass security warnings;
"NeverBypass" to never bypass the warnings (default = "BypassWithQueryParam").
"AlwaysBypass": Always bypass security warnings when switching to an unencrypted page.
"BypassWithQueryParam": Only bypass security warnings when switching to an unencrypted page if the
proper query parameter is present.
"NeverBypass": Never bypass security warnings when switching to an unencrypted page.
Set secureWebPages bypassQueryParamName to the name of a query parameter that will indicate to the module to bypass
any security warning if warningBypassMode="BypassWithQueryParam" (default = "BypassSecurityWarning").
- Add <directory> tags for each directory to secure.
- Add <file> tags for each file to secure.
- Both tags expect a "path" attribute to the directory or file that should be evaluated.
Specify "/" as the directory path in order to denote the application root (not the site root).
- Both tags may include a "secure" attribute indicating whether or not to secure the
directory or file (default = "True"). Possible values are "True" to force security,
"False" to force insecurity and "Ignore" to ignore the file or directory and do nothing.
- <directory> tags may include a "recurse" attribute. If "True", all files in any sub-directories
are included (default = "False").
-->
<secureWebPages mode="RemoteOnly">
<file path="Default.aspx" secure="False" />
<file path="Lib/PopupCalendar.aspx" secure="Ignore" />
<file path="Members/ViewStatistics.aspx" />
<file path="Admin/MoreAdminStuff.aspx" secure="False" />
<directory path="/" />
<directory path="Admin" />
<directory path="Members/Secure" recurse="True" />
</secureWebPages>
<system.web>
<httpModules>
<add name="SecureWebPage" type="Hyper.Web.Security.SecureWebPageModule, WebPageSecurity" />
</httpModules>
<!-- DYNAMIC DEBUG COMPILATION
Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to
false will improve runtime performance of this application.
Set compilation debug="true" to insert debugging symbols (.pdb information)
into the compiled page. Because this creates a larger file that executes
more slowly, you should set this value to true only when debugging and to
false at all other times. For more information, refer to the documentation about
debugging ASP.NET files.
-->
<compilation defaultLanguage="c#" debug="true" />
<!-- CUSTOM ERROR MESSAGES
Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
Add <error> tags for each of the errors you want to handle.
"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running
on the local Web server. This setting is recommended for security purposes, so
that you do not display application detail information to remote clients.
-->
<customErrors mode="Off" />
<!-- AUTHENTICATION
This section sets the authentication policies of the application. Possible modes are "Windows",
"Forms", "Passport" and "None"
"None" No authentication is performed.
"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
its settings for the application. Anonymous access must be disabled in IIS.
"Forms" You provide a custom form (Web page) for users to enter their credentials, and then
you authenticate them in your application. A user credential token is stored in a cookie.
"Passport" Authentication is performed via a centralized authentication service provided
by Microsoft that offers a single logon and core profile services for member sites.
-->
<authentication mode="Windows" />
<!-- AUTHORIZATION
This section sets the authorization policies of the application. You can allow or deny access
to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
(unauthenticated) users.
-->
<authorization>
<allow users="*" /> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
<!-- APPLICATION-LEVEL TRACE LOGGING
Application-level tracing enables trace log output for every page within an application.
Set trace enabled="true" to enable application trace logging. If pageOutput="true", the
trace information will be displayed at the bottom of each page. Otherwise, you can view the
application trace log by browsing the "trace.axd" page from your web application
root.
-->
<trace enabled="false" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="true" />
<!-- SESSION STATE SETTINGS
By default ASP.NET uses cookies to identify which requests belong to a particular session.
If cookies are not available, a session can be tracked by adding a session identifier to the URL.
To disable cookies, set sessionState cookieless="true".
-->
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="false"
timeout="20"
/>
<!-- GLOBALIZATION
This section sets the globalization settings of the application.
-->
<globalization
requestEncoding="utf-8"
responseEncoding="utf-8"
/>
</system.web>
</configuration>
|
By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.
If a file you wish to view isn't highlighted, and is a text file (not binary), please
let us know and we'll add colourisation support for it.
I began programming on my Commodore 64 at around the age of 12. After migrating to DOS and then Windows, I decided to take on the Web. Several languages and platforms later, I have settled in with .NET nicely. I am currently the owner of a software consulting company and lead application developer for a learning-based technology consultation company.
The love of a finished application is usually at war with the desire to improve it as soon as it's released (they're never really finished).
Submit an article or tip