<?xml version="1.0" encoding="utf-8"?>
<configuration>
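  <!-- Settings inside this <location> apply to this application only:
       inheritInChildApplications="false" stops them from being inherited by
       child applications nested under this path. It does not block settings
       that this application inherits from a parent web.config; the <remove>
       elements below are what undo inherited entries. -->
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <!-- Route every path and verb to the ASP.NET Core Module (V2). -->
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>

      <!-- ASP.NET Core hosting: TVToolsBlazor.dll is started through the dotnet
           host and runs in-process.
           stdoutLogEnabled is kept "false" for normal operation: the module's
           stdout log has no size limit or rotation, and the captured output can
           include exception details. Set it to "true" only while diagnosing a
           startup failure, restrict access to the .\logs folder, and switch it
           back off afterwards. Use the application's own logging providers for
           routine logs. -->
      <aspNetCore processPath="dotnet"
                  arguments=".\TVToolsBlazor.dll"
                  stdoutLogEnabled="false"
                  stdoutLogFile=".\logs\stdout"
                  hostingModel="inprocess">
        <environmentVariables>
          <!-- Production environment: the developer exception page and other
               Development-only behaviour stay off, provided the application
               follows the usual environment checks (confirm in startup code). -->
          <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Production" />
        </environmentVariables>
      </aspNetCore>

      <!-- Do not run managed modules for every request, and drop the
           FormsAuthentication module for this application. -->
      <modules runAllManagedModulesForAllRequests="false">
        <remove name="FormsAuthentication" />
      </modules>
    </system.webServer>
  </location>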
  
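  <!-- Site-wide settings, declared outside the <location> element above.
       Because they are not covered by inheritInChildApplications="false",
       they follow normal inheritance and also apply to child applications. -->
  <system.webServer>
    <!-- HTTP security response headers. Each header is removed before it is
         added so that a value inherited from a parent configuration does not
         produce a duplicate entry.
         NOTE(review): if the application also emits these headers itself,
         check that responses do not end up with conflicting duplicates. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Frame-Options" />
        <remove name="Referrer-Policy" />
        <remove name="X-Content-Type-Options" />
        <!-- Only same-origin pages may frame this site (clickjacking defence). -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Cross-origin requests receive the origin only, never the full URL. -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <!-- Stop browsers from MIME-sniffing a response into another content type. -->
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>

    <!-- Compression of static and dynamic responses.
         NOTE(review): compressing dynamic HTTPS responses that contain both a
         secret (for example an anti-forgery token) and request-controlled text
         is the precondition for BREACH-style side channels; confirm that this
         does not apply to the pages served here, or disable dynamic compression
         for them. -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- Basic request filtering -->
    <security>
      <requestFiltering>
        <!-- Cap the request body at 10485760 bytes (10 MiB); IIS rejects larger
             requests with status 404.13 before they reach the application. -->
        <requestLimits maxAllowedContentLength="10485760" />
      </requestFiltering>
    </security>

    <!-- URL Rewrite rules that deny access to sensitive files. They require
         the IIS URL Rewrite module to be installed on the server. -->
    <rewrite>
      <rules>
        <!-- Answer 404 for any URL path ending in .config, .json, .dll, .pdb
             or .cs, so the response does not reveal whether the file exists.
             NOTE(review): the pattern is not limited to a folder, so it also
             matches static assets with these extensions. If the application
             serves Blazor WebAssembly files (.dll or .json under _framework)
             or a web manifest, those requests would be blocked as well;
             confirm against the hosting model. -->
        <rule name="Block Config Files" stopProcessing="true">
          <match url=".*\.(config|json|dll|pdb|cs)$" />
          <action type="CustomResponse" statusCode="404" />
        </rule>

        <!-- Answer 404 for everything under the Plugins folder. -->
        <rule name="Block Plugins Folder" stopProcessing="true">
          <match url="^Plugins/.*" />
          <action type="CustomResponse" statusCode="404" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>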
</configuration>