Masking Server Version, Forcing HTTPS and more...

If your web site is hosted on IIS, consider adding some or all of the rules in the web.config shown below. The <rewrite> section is handled by the IIS URL Rewrite module, which is not part of a default IIS installation, so make sure that module is installed on the server before you deploy the file.

The "Common Exploit Blocking" rule inspects the raw query string of every request and, if any of its five patterns match (mosConfig_ overrides as used against old Mambo/Joomla installs, base64_encode(...) calls, <script> tags, and attempts to set PHP's GLOBALS or _REQUEST arrays), answers with a 303 redirect to the site root and drops the query string. It gives some additional protection against those specific attack strings. Two caveats: the rule looks only at the query string, not at the path, headers or a POST body, and a pattern blocklist of this kind is easy to sidestep, so treat it as a tripwire in front of proper input validation rather than a substitute for it. The configuration works for most web sites, but an application that legitimately passes query string values matching one of these patterns will stop working, so test your site after enabling the rule (this is unlikely, but possible).

The "Redirect to HTTPS" rule requires a TLS certificate bound to your web site. It is good practice to serve everything over HTTPS even if you do not transact commerce. The rule matches every URL, checks the {HTTPS} server variable and, when it is OFF, answers with a 301 to the same path on https://www.yourdomain.com (the query string is kept by default). If you implement this rule, use relative links in your source code and/or specify https in every absolute link. This ensures all URLs within your site use https and prevents mixed-content errors in the browser. Keep in mind that a redirect only repairs a request that has already been sent in clear text; the Strict-Transport-Security header is the usual complement if you want browsers to start on https for later visits.

The outbound rules replace the value of the Server response header with a fixed string and remove the X-Powered-By header, masking the server type and version. This adds a little security, but only a little: in most cases an attacker can still fingerprint the server from its behaviour even with these rules in place. Note also that an ASP.NET site sends an X-AspNet-Version header that these rules do not touch; it can be switched off with <httpRuntime enableVersionHeader="false" /> in the system.web section.

In the example web.config below, replace "www.yourdomain.com" with your own domain name, and in the "Mask Server Version" rule put whatever value you want to advertise in place of "CeraNet".

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Common Exploit Blocking" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions logicalGrouping="MatchAny">
            <add input="{QUERY_STRING}" pattern="mosConfig_[a-zA-Z_]{1,21}(=|\%3D)" />
            <add input="{QUERY_STRING}" pattern="base64_encode.*\(.*\)" />
            <add input="{QUERY_STRING}" pattern="(\&lt;|%3C).*script.*(\>|%3E)" />
            <add input="{QUERY_STRING}" pattern="GLOBALS(=|\[|\%[0-9A-Z]{0,2})" />
            <add input="{QUERY_STRING}" pattern="_REQUEST(=|\[|\%[0-9A-Z]{0,2})" />
          </conditions>
          <action type="Redirect" url="https://www.yourdomain.com" appendQueryString="false" logRewrittenUrl="true" redirectType="SeeOther" />
        </rule>
        <rule name="Redirect to HTTPS" stopProcessing="false">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://www.yourdomain.com/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Mask Server Version">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="CeraNet" />
        </rule>
        <rule name="Remove Powered By">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
          <action type="Rewrite" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
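As an added illustration, not part of the original article or of the hosting provider's configuration, the following Python script models what the three rule groups above do to a request and to a response. It uses the five regular expressions verbatim, the placeholder host www.yourdomain.com and the Server value CeraNet from the config, and a handful of constructed sample URLs. The point is to see which requests the blocklist catches, which it lets through (anything that only appears in the path or a POST body), how the HTTPS redirect rebuilds the Location, and what the response headers look like afterwards. IIS's own rule engine is what decides in production, so verify the live site with a curl -I against http:// and https:// URLs after deploying.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Site root as written in the page's web.config; swap in your own host name.
SITE = "https://www.yourdomain.com"

# The five {QUERY_STRING} conditions of the "Common Exploit Blocking" rule, copied
# from the config (the XML entity &lt; is a literal "<"). URL Rewrite conditions are
# case-insensitive unless ignoreCase="false" is set, hence re.IGNORECASE.
EXPLOIT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",
    r"base64_encode.*\(.*\)",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",
    r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",
)]


@dataclass
class Redirect:
    status: int
    location: str


def blocked_query(query: str) -> bool:
    """logicalGrouping="MatchAny": a single matching condition is enough to block."""
    return any(p.search(query) for p in EXPLOIT_PATTERNS)


def inbound(url: str) -> Optional[Redirect]:
    """Run the two inbound rules in config order against a request URL.

    Returns the redirect the rules would issue, or None when the request is
    passed through to the application.
    """
    u = urlsplit(url)
    # Rule 1: matches every URL, tests only the raw query string, and answers
    # 303 See Other to the site root with the query string dropped
    # (appendQueryString="false"). stopProcessing="true" ends rule evaluation.
    if blocked_query(u.query):
        return Redirect(303, SITE)
    # Rule 2: fires when {HTTPS} is OFF. A Redirect action is 301 Permanent unless
    # redirectType says otherwise, and it keeps the query string by default.
    # {R:1} is the matched URL without its leading slash, so the template
    # "https://www.yourdomain.com/{R:1}" rebuilds the path correctly.
    if u.scheme.lower() == "http":
        location = f"{SITE}/{u.path.lstrip('/')}"
        if u.query:
            location += "?" + u.query
        return Redirect(301, location)
    return None


def outbound(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the two outbound rules to a response's headers.

    Both rules match pattern ".+", so they only act on a header that is present
    with a non-empty value. Rewriting a response header to an empty value makes
    IIS drop it, which is how "Remove Powered By" works.
    """
    result: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "server" and value:
            result[name] = "CeraNet"          # RESPONSE_SERVER -> fixed string
        elif key == "x-powered-by" and value:
            continue                          # RESPONSE_X-POWERED-BY -> removed
        else:
            result[name] = value
    return result


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        "http://www.yourdomain.com/products/list?page=2",                        # 301 to https
        "https://www.yourdomain.com/about",                                      # allowed
        "https://www.yourdomain.com/blog?q=javascript+tutorials",                # allowed: no "<"
        "http://www.yourdomain.com/index.php?mosConfig_absolute_path=http://x/", # 303, blocked
        "https://www.yourdomain.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E", # 303, blocked
        "https://www.yourdomain.com/%3Cscript%3E",                               # allowed: path not inspected
    ]
    for s in samples:
        print(f"{s}\n  -> {inbound(s)}")
    print(outbound({"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET",
                    "Content-Type": "text/html"}))
```

The last sample URL is the one worth noticing: a script tag carried in the path rather than the query string passes straight through, because every condition reads {QUERY_STRING} and nothing else. The blocklist is a narrow filter for a few well-known attack strings, not a web application firewall.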
