<?xml version="1.0" encoding="UTF-8"?>
<!--
  IIS web.config fragment written in response to vulnerability-scanner findings:
  one request-filtering header size limit plus a set of static security response headers.
  Each "Scanner finding" comment names the finding that the setting after it is meant to clear.
-->
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits>
                    <headerLimits>
                        <!-- Scanner finding: the target host may be vulnerable to a slow HTTP denial-of-service attack. -->
                        <!-- Caps the Content-type request header at 100 (sizeLimit is expressed in bytes); request filtering rejects requests whose header value is longer. -->
                        <!-- NOTE(review): a size cap on a single header does not bound how slowly a client may send a request. The timeout and minimum-rate attributes of webLimits (left commented out at the end of this file) are the settings aimed at that. -->
                        <!-- NOTE(review): multipart/form-data values carry a boundary parameter and can get long; confirm file uploads still pass under this limit. -->
                        <add header="Content-type" sizeLimit="100" />
                    </headerLimits>
                </requestLimits>
            </requestFiltering>
        </security>
        <httpProtocol>
            <customHeaders>
                <!-- Scanner finding: X-Content-Type-Options response header is missing. -->
                <!-- nosniff tells browsers not to MIME-sniff a response away from its declared Content-Type. -->
                <add name="X-Content-Type-Options" value="nosniff" />
                <!-- Scanner finding: X-XSS-Protection response header is missing. -->
                <!-- NOTE(review): "1" switches on the legacy browser XSS filter without mode=block. Current browsers have removed that filter, so this line satisfies the scanner but is not an XSS defence; output encoding and a Content-Security-Policy are. -->
                <add name="X-XSS-Protection" value="1" />
                <!-- Scanner finding: Content-Security-Policy response header is missing. -->
                <!-- The policy below is left disabled, so no CSP is sent. NOTE(review): default-src 'self' blocks inline script/style and third-party resources, presumably why it was turned off; trialling the policy with Content-Security-Policy-Report-Only first is the usual way to roll one out. -->
                <!-- <add name="Content-Security-Policy" value="default-src 'self'" /> -->
                <!-- Scanner finding: Strict-Transport-Security response header is missing. -->
                <!-- max-age=31536000 is one year in seconds; includeSubDomains is not set, so subdomains are not covered. -->
                <!-- NOTE(review): browsers honour this header only on HTTPS responses, so it helps only if the site is served over TLS and plain HTTP redirects to it. -->
                <add name="Strict-Transport-Security" value="max-age=31536000" />
                <!-- Scanner finding: Referrer-Policy response header is missing. -->
                <!-- Sends the full URL on same-origin requests and only the origin cross-origin. NOTE(review): strict-origin-when-cross-origin additionally drops the referrer on an HTTPS to HTTP downgrade. -->
                <add name="Referrer-Policy" value="origin-when-cross-origin" />
                <!-- Scanner finding: X-Permitted-Cross-Domain-Policies response header is missing. -->
                <!-- master-only allows only the master cross-domain policy file (Flash/Acrobat clients). NOTE(review): "none" is the stricter choice if the site serves no such policy file. -->
                <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
                <!-- Scanner finding: X-Download-Options response header is missing. -->
                <!-- noopen is an Internet Explorer setting that stops downloads from being opened directly in the site's context. -->
                <add name="X-Download-Options" value="noopen" />
                <!-- Scanner finding (clickjacking): X-Frame-Options is not configured. -->
                <!-- deny forbids rendering the site in any frame, including frames on the same origin. -->
                <add name="X-Frame-Options" value="deny" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    <!-- The webLimits block below is intentionally left commented out in this file. -->
    <!-- NOTE(review): system.applicationHost is a server-level section that IIS reads from applicationHost.config; that is presumably why enabling it in a site-level web.config raises a configuration error. Set these timeouts at server level instead, and tune them against the IIS defaults. -->
    <!-- <system.applicationHost> -->
        <!-- Scanner finding: the target host may be vulnerable to a slow HTTP denial-of-service attack. -->
        <!-- <webLimits connectionTimeout="00:00:30" headerWaitTimeout="00:00:10" dynamicIdleThreshold="150" minBytesPerSecond="512" /> -->
    <!-- </system.applicationHost> -->
</configuration>


已有 2 条评论

  1. feiyu feiyu

    适当修改配置中的值再进行测试看看,重点参考IIS中的该配置的默认值进行调整

  2. 小吉 小吉
    <!--检测到目标主机可能存在缓慢的HTTP拒绝服务攻击--> <!-- <webLimits connectionTimeout="00:00:30" headerWaitTimeout="00:00:10" dynamicIdleThreshold="150" minBytesPerSecond="512" /> --> <!-- </system.applicationHost> -->

    这一段注释去掉就报错啊,有注释下绿盟扫描通不过。
