<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <system.web>
    <!-- Compilation -->
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0" />

    <!-- ✅ REQUIRED: Session for token validation -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- Optional: Better error visibility on localhost -->
    <customErrors mode="Off" />
  </system.web>

  <system.webServer>

    <!-- ✅ Security Hardening -->
    <security>
      <requestFiltering removeServerHeader="true">
        <fileExtensions>
          <!-- Allow CSV for internal storage -->
          <remove fileExtension=".csv" />
          <add fileExtension=".csv" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>

    <!-- ✅ Static file protection (prevent direct CSV download) -->
    <handlers>
      
    </handlers>

    <!-- ✅ Security Headers -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        
    
      </customHeaders>
    </httpProtocol>

    <!-- ✅ Ensure proper error details in IIS -->
    <httpErrors errorMode="Detailed" />

  </system.webServer>

</configuration>