I have a webPI running in localhost fine but when I publish it in IIS this request fails: http://planificador.fyseg.com/#/proyectos/X0000088/empleado/112/plan/horas
This same request in localhost works fine: http://localhost:5000/#/proyectos/X0000088/empleado/112/plan/horas
The error is this:
'http://planificadorwebapi.fyseg.com/api/proyectos/X0000088/fechainicio/2018-05-22T22:00:00.000Z/fechafin/2020-01-30T23:00:00.000Z/horas' from origin 'http://planificador.fyseg.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I have the webAPI configured like this
But at same time other requests to the same API from the same domain works, for exmaple
http://planificadorwebapi.fyseg.com/api/contratos/X0000088/mes/5/anio/2018/acumular/false
Any idea Please?
regards
According to your description, I suggest you could check the plan horas method to make sure there is no special cros setting for this method.
If not, I suggest you could try to add below setting in your IIS application's web.config file.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Related
I am running a WebApp on a Server and I would like to change the Content Security Policy to enable iFrame embedding for all external WebSites.
Currently I get the following error:
...in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'
How can I allow iFrame embedding for all WebSites on my IIS Server?
According to your description, I suggest you could try to use the custom header in the web.config. This setting will mark all the response add the frame setting.
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';frame-ancestors my-trusty-site.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
I have API which is valid for POST/GET/PUT verb but if hacker intercepts the request and change method to 'OPTIONS' instead of 'GET', he will get below error in http response -
Allow: GET,POST,PUT
{
"Message": "The requested resource does not support http method 'OPTIONS'."
}
This allows hacker to identify what verbs supported by API. I have to restrict this header in response.
I tried removing 'WebDav' module but it still showing same message. I don't want hacker to see this message and Allow header.
According to your requirement, I assumed that you could specific the supported verbs in Web.config file as follows:
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="PUT" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
If the client trys to access your Api with other verbs, it would receive the 404 status code. Additionally, you'd better enable authentication in your Web API for better security consideration.
I am running IIS 8.5 on a Windows Server 2012 R2. I have configured a WebAPI (built on ASP.net) web site to use HTTPS (self-signed) with IIS Client Certificate Mapping for client certificate authentication. I am using the ManyToOneMapping where I have defined one local account to be associated to the client certificate with the incoming request. Furthermore, I have defined a Rule in the mapping so that if the "Subject" field in the certificate contains a certain string then it should allow the request.
Now, when I hit the url in the API application, Firefox prompts me to select the certificate to be used (as expected). And when i select one of the certificates that does not contain that string defined in the mapping Rule, the browser is still served with the resource. I was expected a forbidden response instead. So, it would appear that the Client Certificate mapping is not working as expected.
As I am new to IIS, I am wondering how I could go about to find out how to troubleshoot this situation. Thanks in advance.
Here is snippet from the applicationhost.config file:
<location path="SimpleApi" overrideMode="Allow">
<system.webServer>
<security>
<authentication>
<iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
<manyToOneMappings>
<add name="Authorized Access" description="Some long description" userName="SomeUser" password="[enc:AesProvider:removed:enc]">
<rules>
<clear />
<add certificateField="Subject" certificateSubField="OU" matchCriteria="Admin" />
</rules>
</add>
</manyToOneMappings>
<oneToOneMappings />
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
</system.webServer>
</location>
<location path="SimpleApi">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
</security>
</system.webServer>
</location>
The only possibility is you have other authentication mechanism enabled for your website and it is simply falling back to that authentication mechanism.
Check the Authentication module for your website in IIS and disable all other authentication mechanism.
I'm trying to stop MS Azure responding with the header/value of Server: HTTPAPI/2.0 on receipt of an invalid request, for example an invalid hostname.
I've seen this SO entry...
Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview
..and one answer suggests that the only way to get around this is to host the website on an Azure VM, something I'd much rather avoid.
It's 3.5 years on from that question/answer - does anyone know if it can now be suppressed in a WebApp solution
According the description at Remove standard server headers in Azure Web Sites:
HTTP headers are part of the communication process between web servers and browsers, and are included in the request and response. One example is the server header, which lists the product name and version of the web server (e.g., Microsoft-IIS/8.0). All web servers generate these headers, but now you can disable them on Azure Web Sites.
You can try to modify or create a new web.config in the root directory of your application on Azure Web Apps, with following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
Please refer to https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/ for more info.
To remove the MVC header, add this in Global.asax - Application Start event:
MvcHandler.DisableMvcResponseHeader = true;
Using this will remove the version headers,
<httpRuntime enableVersionHeader="false" />
I have deployed a Web API project to Azure Web app. And from a angularjs app I am trying a $http.get request to the API. but it gives a CORS(cross-origin) exception though I have enabled it in my Web API startup config
app.UseCors(CorsOptions.AllowAll);
I want to Enable CORS for Azure Web App, that would solve the problem I believe
EDIT
http://nearestbuyweb.azurewebsites.net/ this is the URL of the Web app. It is trying to access http://nearestbuyapi.azurewebsites.net/api/MenuBar where the exception occurs.
I think it is not possible with Azure Web App. MSDN Question
Please help!
Note: You use CORS settings to let other websites access your site's API. Not to access other site's APIs.
Based on your comments it sounds like you're getting the CORS error when you try to make external requests from your site. That's exactly the behavior CORS is supposed to block.
For the errors to go away you would have to apply the CORS config settings on the site who's API you're trying to access.
In your case you want to make sure you're applying the config changes on the http://nearestbuyapi.azurewebsites.net site. NOT on http://nearestbuyweb.azurewebsites.net/
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
</system.webServer>
I have CORS in Azure working using this:
WebApiConfig.cs:
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API configuration and services
config.EnableCors();
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "PublicApi",
routeTemplate: "api/v1/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}
Web.config:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers></system.webServer>
You need to remove the options handler in IIS using web.config.
http://eugeneagafonov.com/post/38312919044/iis-options-cors-aspnet-webapi-en
Sorry Guys,
The issue happens only at my corporate network. Having googled I found that corporate network can be disable CORS requests . Found this here link