How to remove cached files in browser by server response?
I have accidentally setup
Cache-Control:no-cache
Then Lots of my client's browser cached javascript files. I have change the server http status and new response should have
Expire:0
Cache-Control:no-store
But the cached file does not get latest files. So I was reading some article and tried to remove/change ETag header and tried adding
<customHeaders>
<add name="ETag" value=" " />
</customHeaders>
But it does not work. I also tried to disable all cache from Output Caching in IIS.
But it does not work.
How can I make the browser gets latest files without doing by user side?
Thank you!
To Disable client cache in iis you could use the HTTP Response Headers feature:
1)Open iis manager, select your site.
2)Doble click HTTP Response Headers from the middle pane.
3)On the HTTP Response Headers page, in the Actions pane, click Set Common Headers.
4)In the Set Common HTTP Response Headers dialog box, select the Expire Web content check box and select one of the following options:
Select Immediately if you want the content to expire immediately after it is sent in a response.
Select After if you want the content to expire periodically. Then, in the corresponding boxes, type an integer and select a time interval at which content expires. For example, type 1 and select Days if you want the content to expire daily.
Select On (in Coordinated Universal Time (UTC)) if you want the content to expire on a specific day and at a specific time. Then, in the corresponding boxes, select a date and time at which the content expires.
If you have access to the source code mall modern browsers will treat resources such as a CSS, Javascript as new versions if you append a query string to them which is unique.
E.g
http://www.example.com/test.js?v=1.1
You can disable cache for specific file and folder by using the location tag:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!-- Specific file -->
<location path="test.js">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
<!-- Folder including subfolders -->
<location path="folder/subfolder">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
</configuration>
Related
I'm fairly new to IIS so apologies if this is a basic question.
I have an IIS config serving an internal company website (php instead of asp.net). The prod version of the website is at the 'Default Web Site' level and I've got demo and test versions of the website mapped as virtual directories. The demo and test version are essentially copies of the prod directory. I've noticed the with the web.config copied to these VDs, I get an error 500 on the root url for the VD only. I.E. main website is https://mainwebsite.com and works fine but https://mainwebsite.com/demo/ doesn't work while https://mainwebsite.com/demo/index.php works fine.
The web.config file is pretty basic:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
</handlers>
<defaultDocument>
<files>
<add value="index.php" />
</files>
</defaultDocument>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:03:00" />
</staticContent>
</system.webServer>
</configuration>
Moving the web.config file out of the way in the VD resolves the issue. Even though the files are identical, I wouldn't think that the file should cause a conflict as my understanding is that IIS supports multiple web config files.
Although I have a workaround in place by renaming or deleting the file, I am wondering if there's a way to keep the file in place without it causing this error.
Thanks to Panama Jack in the comments, I was able to resolve my issue.
I got this response with detailed errors:
Error Summary
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
And further down:
Config Error
Cannot add duplicate collection entry of type 'add' with unique key attribute 'value' set to 'index.php'
To resolve, I simply commented out this line in the web.config XML:
<add value="index.php" />
I'm sure there's a better way to approach this but for now, this gets me my answer and also how to get more info from IIS when the logs are not useful.
if you create a virtual directory to another web root
web.config will cause this (personally I think the location of this file is totally insane.. mixed with htm and images etc. )
Replicate the directory somewhere else without the web.config file/excluding it..then point the virtual directory there.. & have a task set up to copy newer files over..
Our site is not currently safe from clickjacking, so I went into the web.config and added
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
This is very straight forward code. My issue is that it's just not working. The questions I have are:
Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
Why is this not working? What can I do to test or move forward?
I did try to add it in the Global.asax in the Application_Start method, but I cant seem to "hit" this method when I debug; it does not hit breakpoints.
private void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
LogHelper.Info("Cost of Care Web Application Starting");
}
I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so
<meta http-equiv="X-Frame-Options" content="deny">
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
Click OK to save your changes.
Since my comments answered the question here's the end result:
For some reason setting the X-Frame-Options in web.config doesn't seem to actually work even though the documentation makes it sound like it should.
An easy work around is to set the headers manually using:
Response.AddHeader("X-Frame-Options", "DENY");
If you need this set for every request with no exceptions you can add the Application_BeginRequest to Global.asax:
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The answer of siva.k does not work in connection with MVC5 as the header is generated twice here. The following code should work:
protected void Application_Start()
{
// MVC5 generates the "X-Frame-Options SAMEORIGIN" header by default, the following line disables the default behaviour
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The SuppressXFrameOptionsHeader flag was mentioned here: https://stackoverflow.com/a/20262211/3936440
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src: https:; frame-ancestors 'self' X-Frame-Options: SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
Your web.config entry needs to be under content security policy to make use of current coding not previously depreciated. The value under content security policy of value="default-src: https: is unique to your website.
The content that matters is what comes after 'value="default-src: https:' but most importantly is contained within Content Security Policy.
Here is another thing to consider:
If you have a separate back-end and UI projects (as is very common for REST based sites), make sure that you put X-Frame-Options in the UI web.config. Your API is probably allowing cross site calls so adding the header to your API project would make no sense.
I found that some file types (.asp and .htm files) were getting the X-Frame-Options header added by this mechanism and others (.js) weren't. Using the IIS Admin utility I removed the header from the application level and added it at the server level, and then all files were getting the header added.
In IIS 7.5, you can add static HTTP Response headers, but I want to add an "Expires" header that always specifies a date that is 7 days in the future.
I'm running php 5.4, so I'd like a solution that can do this by editing the web.config file rather than some c# code solution.
I know how to add the header using php, but that won't help for static image file's http headers (jpg, gif, png, etc).
The header should look something like this:
Expires: Thu, 31 May 2012 10:59:25 GMT
How can I make it dynamically always show a date and time 7 days in the future?
Edit:
Notice that I have the expires header that I want on my php files:
http://web-sniffer.net/?url=http%3A%2F%2Fwww.bestds.com
However, I'm not able to specify a date that is 7 days ahead for the "Expires" key on png files (for example), I'm having to use a static date far in the future:
http://web-sniffer.net/?url=http%3A%2F%2Fwww.bestds.com%2Fimage%2Ftlogo.png
This is a standard feature of IIS. The HTTP Response Headers module allows you to set this common header. This results in the following web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
You should do this only in the directories where you want this header to be send. Typically only directories with static content.
You can only add dynamic expires header using program code.
Source:
The Microsoft IIS Site
You should use Cache-Control max-age instead, like suggested in the other answer.
I installed Umbraco 4.5 and it is running fine. one thing i cant get to work though, is the 404. When it hit a page that does not excist it shows the default IIS7 404 page, and not the built-in umbraco 404 page.
So i am asuming it is a setting in the iis i have to change - but which?
Copy from http://our.umbraco.org/forum/using/ui-questions/8244-IIS7--404:
Basically, you need to add
<location path="Site Description">
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</location>
to your applicationHost.config file where "Site Description" is the name of your site in IIS7.
The applicationHost.config file is located in: system32\inetsrv\config
Edit:
As stated in the comments if this answer, you should add this section in your web.config instead which is way better, you should always avoid altering config files outside your own application that may affect other applications.
in config/umbraco.settings you can set the umbraco page to load for custom 404
<errors>
<!-- the id of the page that should be shown if the page is not found -->
<!-- <errorPage culture="default">1</errorPage>-->
<!-- <errorPage culture="en-US">200</errorPage>-->
<error404>1296`</error404>`
</errors>
The page error page ID goes between the <error404> & </error404> tags.
Add expires headers in iis is very Easy,but this cache all the static files. now i want only
add expires headers to images,how can i do that? even i want cached specific file?
put all your images in one folder
enter the manager--> yoursite--> images folder (or specific file)
right click--> HTTP HEADERs--> Set expire header/date ! --> APPLY/OK
I've been searching for a simpler solution and I found this.
Keep your static content inside a folder (eg: css, js). Create a web.config file inside that folder. Add these following lines. Here 7 is the number of days, change it as you desire.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
You are free to keep as many static content folder as you want, simply add this web.config file. Hope this helps.