Web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.web>
      <authentication mode="Windows" />
      <customErrors mode="Off" />
    </system.web>
    <system.webServer>
      <security>
        <requestFiltering>
          <!-- 64kb should be enough even for the largest CSRs -->
          <requestLimits maxAllowedContentLength="65536" />
        </requestFiltering>
        <!-- 
        You should probably disable or tune this if you use the API behind a load balancer, or if
        you have clients requesting large amounts of certificates (e.g. TameMyCerts.WSTEP)
        -->
        <dynamicIpSecurity enableLoggingOnlyMode="false">
          <denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
          <denyByRequestRate enabled="true" maxRequests="20" requestIntervalInMilliseconds="200" />
        </dynamicIpSecurity>
      </security>
      <directoryBrowse enabled="false" />
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
          <add name="Referrer-Policy" value="origin-when-cross-origin" />
          <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
          <add name="X-Frame-Options" value="DENY" />
          <add name="X-Xss-Protection" value="1; mode=block" />
          <add name="X-Content-Type-Options" value="nosniff" />
          <add name="X-Permitted-Cross-Domain-Policies" value="none" />
        </customHeaders>
      </httpProtocol>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\TameMyCerts.REST.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>