【修正前】web.config.sample 【修正後】web.config.sample
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<configuration> <configuration>
  <system.webServer>   <system.webServer>
    <!-- Don't show directory listings for URLs which map to a directory. -->     <!-- Don't show directory listings for URLs which map to a directory. -->
    <directoryBrowse enabled="false" />     <directoryBrowse enabled="false" />
    <rewrite>     <rewrite>
      <rules>       <rules>
        <rule name="Protect files and directories from prying eyes" stopProcessing="true">         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
          <match url="\.(app|src)$" />           <match url="\.(app|src)$" />
          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
        </rule>         </rule>
        <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">         <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
          <match url="favicon\.ico" />           <match url="favicon\.ico" />
          <conditions>           <conditions>
              <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />               <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
          </conditions>           </conditions>
          <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />           <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
        </rule>         </rule>
        <!-- Rewrite URLs of the form 'x' to the form 'index.php/x'. -->         <!-- Rewrite URLs of the form 'x' to the form 'index.php/x'. -->
        <rule name="Short URLs" stopProcessing="true">         <rule name="Short URLs" stopProcessing="true">
          <match url="^(.*)$" ignoreCase="false" />           <match url="^(.*)$" ignoreCase="false" />
          <conditions>           <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />             <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />             <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
            <add input="{URL}" pattern="^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$" ignoreCase="false" negate="true" />             <add input="{URL}" pattern="^(.*)\.(gif|png|jpe?g|css|ico|js|svg)$" ignoreCase="false" negate="true" />
          </conditions>           </conditions>
          <action type="Rewrite" url="index.php/{R:1}" appendQueryString="true" />           <action type="Rewrite" url="index.php/{R:1}" appendQueryString="true" />
        </rule>         </rule>
      </rules>       </rules>
    </rewrite>     </rewrite>
           
    <security>     <security>
      <requestFiltering>       <requestFiltering>
        <denyUrlSequences>         <denyUrlSequences>
          <add sequence="composer" />           <add sequence="composer" />
          <add sequence="autoload" />           <add sequence="autoload" />
          <add sequence="cli-config" />           <add sequence="cli-config" />
          <add sequence="COPYING" />           <add sequence="COPYING" />
        </denyUrlSequences>         </denyUrlSequences>
        <fileExtensions>         <fileExtensions>
          <add fileExtension=".ini" allowed="false" />           <add fileExtension=".ini" allowed="false" />
          <add fileExtension=".lock" allowed="false" />           <add fileExtension=".lock" allowed="false" />
          <add fileExtension=".dist" allowed="false" />           <add fileExtension=".dist" allowed="false" />
          <add fileExtension=".git" allowed="false" />           <add fileExtension=".git" allowed="false" />
          <add fileExtension=".sh" allowed="false" />           <add fileExtension=".sh" allowed="false" />
          <add fileExtension=".bak" allowed="false" />           <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".swp" allowed="false" />           <add fileExtension=".swp" allowed="false" />
        </fileExtensions>         </fileExtensions>
      </requestFiltering>       </requestFiltering>
    </security>     </security>
           
    <httpErrors>     <httpErrors>
      <remove statusCode="404" subStatusCode="-1" />       <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />       <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
    </httpErrors>     </httpErrors>
   
.      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <add name="X-XSS-Protection" value="1; mode=block" />
          <add name="X-Content-Type-Options" value="nosniff"/>
        </customHeaders>
      </httpProtocol>
   
    <defaultDocument>     <defaultDocument>
      <!-- Set the default document -->       <!-- Set the default document -->
      <files>       <files>
        <remove value="index.php" />         <remove value="index.php" />
        <add value="index.php" />         <add value="index.php" />
      </files>       </files>
    </defaultDocument>     </defaultDocument>
  </system.webServer>   </system.webServer>
</configuration> </configuration>
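Review bot: In the `<httpProtocol>` block that appears only on the 修正後 side, `X-XSS-Protection` is set to `1; mode=block`, which turns on a legacy browser XSS filter that current browsers have removed and that OWASP guidance now says to switch off. Use `value="0"` or omit the header, and rely on a `Content-Security-Policy` header for the actual protection, with `frame-ancestors 'self'` as the modern counterpart of `X-Frame-Options`. The three `<add>` entries also have no preceding `<remove>`, so if the server level or a parent web.config already sets one of these headers, IIS fails the configuration with a duplicate collection entry error; `<defaultDocument>` in the same file already uses the remove-then-add pattern. The `.` in front of `<httpProtocol>` looks like an artifact of the side-by-side rendering, but if it is really in the file it should be deleted.

```xml
<customHeaders>
  <!-- Clear any inherited value first so a header already set at server or parent level does not cause a duplicate-entry error. -->
  <remove name="X-Frame-Options" />
  <remove name="X-XSS-Protection" />
  <remove name="X-Content-Type-Options" />
  <!-- … unchanged: X-Frame-Options and X-Content-Type-Options adds … -->
  <!-- The legacy XSS auditor is disabled explicitly; script-injection defence belongs in Content-Security-Policy. -->
  <add name="X-XSS-Protection" value="0" />
```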