Using "URLRewrite", I were able to set the server header value to "" from IIS handled files. But it is still present in static content files like <link stylesheets>, <script Javascript Files> included in the header. Please let me know how to fix these issues.
For server tag value removal for all static files like .css/.js files, add this to web.config:
<configuration>
<modules runAllManagedModulesForAllRequests="true">
</configuration>
Above mentioned tag makes all the static files to be handled as managed code and hence not through handlers StaticFileModule,DefaultDocumentModule,DirectoryListingModule and will be handled through IsapiModule Handler. This will remove the server tag in the header response for Static files such as .js/.css files.
Related
Ok, so... famous saying... this works locally, but not when I deploy.
I recently switched to using Less.js so that I could dynamically change my less variables with Javascript. Again, locally this works like a champ.
In my header I have it referenced:
<link rel="stylesheet/less" type="text/css" href="~/Content/main.less" />
<script src="//cdnjs.cloudflare.com/ajax/libs/less.js/3.9.0/less.min.js"></script>
When I use Visual Studio to deploy this to my Azure App Service I get a 404 on the less file and it all breaks.
I FTP'd into my server and the file is indeed there. https://i.imgur.com/cV5FQOW.png
I double checked to make sure that my properties for the less file are right. I have the build action set to Content and Copy if Newer. https://i.imgur.com/I3DbfHg.png
No matter what I do, if I go looking for that main.less file the azure server returns a 404.
As an FYI, the site is a ASP.Net MVC 5 website. I am using bundling, but only for external css like JQueryUI. I have removed the bundling of my CSS to work with the new stuff.
What am I missing?
Ok! After a bunch of attempts and searches I finally found a related error and found my solution.
This poor gentleman was having an issue serving up JSON files (angular2 app, http request for file json file, 404 on azure) and that made me think I had the same problem.
Eureka! I needed to update my web.config to let it serve LESS files.
<system.webServer>
<staticContent>
<mimeMap fileExtension=".less" mimeType="text/css" />
</staticContent>
<system.webServer>
Hope this helps someone else who runs into the same issue.
I recently tried to integrate WebMarkupMin, a run-time html minification library, into my site (C#, IIS 8, MVC 4). We have IIS compression enabled. I discovered that IIS actually compresses the action filter output stream, which means when I try to minify my html in an action filter, I am trying to minify already compressed content.
Question: At what point in the run-time process does IIS compress output? Is there any way to use mvc action filters to modify html ouptut without disabling IIS compression?
The IIS dynamic compression for ASP MVC output runs pretty late in the pipeline. In my test it was No. 315 out of 349 pipeline items and after all the asp.net modules ran.
To see the order of the executed modules in the IIS pipeline, set up Failed Request tracing (FREB) for your site and review the logs.
I would say there is no way in your MVC action filter to tell the compression module not to compress.
But you can turn compression off on a url basis:
In your web config use something like this:
<location path="my/long/route/">
<system.webServer>
<urlCompression doDynamicCompression="false" />
</system.webServer>
</location>
you are telling IIS to turn off dynamic compression for just that URL.
It is necessary assign to dynamicCompressionBeforeCache attribute a value equals to false:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
…
<system.webServer>
…
<httpCompression …>
…
</httpCompression>
<urlCompression … dynamicCompressionBeforeCache="false" />
…
</system.webServer>
…
</configuration>
I know this is an old issue but the error solved when I used UseResponseCompression before UseStaticFiles
app.UseResponseCompression();
app.UseStaticFiles(new StaticFileOptions
{
ServeUnknownFileTypes = true,
OnPrepareResponse = context => context.Context.Response.Headers.Add("Cache-Control", "public, max-age=2592000")
});
app.UseWebMarkupMin();
Our site is not currently safe from clickjacking, so I went into the web.config and added
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
This is very straight forward code. My issue is that it's just not working. The questions I have are:
Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
Why is this not working? What can I do to test or move forward?
I did try to add it in the Global.asax in the Application_Start method, but I cant seem to "hit" this method when I debug; it does not hit breakpoints.
private void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
LogHelper.Info("Cost of Care Web Application Starting");
}
I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so
<meta http-equiv="X-Frame-Options" content="deny">
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
Click OK to save your changes.
Since my comments answered the question here's the end result:
For some reason setting the X-Frame-Options in web.config doesn't seem to actually work even though the documentation makes it sound like it should.
An easy work around is to set the headers manually using:
Response.AddHeader("X-Frame-Options", "DENY");
If you need this set for every request with no exceptions you can add the Application_BeginRequest to Global.asax:
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The answer of siva.k does not work in connection with MVC5 as the header is generated twice here. The following code should work:
protected void Application_Start()
{
// MVC5 generates the "X-Frame-Options SAMEORIGIN" header by default, the following line disables the default behaviour
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The SuppressXFrameOptionsHeader flag was mentioned here: https://stackoverflow.com/a/20262211/3936440
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src: https:; frame-ancestors 'self' X-Frame-Options: SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
Your web.config entry needs to be under content security policy to make use of current coding not previously depreciated. The value under content security policy of value="default-src: https: is unique to your website.
The content that matters is what comes after 'value="default-src: https:' but most importantly is contained within Content Security Policy.
Here is another thing to consider:
If you have a separate back-end and UI projects (as is very common for REST based sites), make sure that you put X-Frame-Options in the UI web.config. Your API is probably allowing cross site calls so adding the header to your API project would make no sense.
I found that some file types (.asp and .htm files) were getting the X-Frame-Options header added by this mechanism and others (.js) weren't. Using the IIS Admin utility I removed the header from the application level and added it at the server level, and then all files were getting the header added.
I started to do some experimentation with iisnode and expressjs to create a REST like API with node.
So on the server.js I created something like
app.put("/test", function(req, res){
...
});
However, when I execute the PUT request I get a 405 Method not allowed from the IIS 7.5 installation.
Any idea on how to solve this?
BTW, I googled already and tried to add the PUT verbs here and there in the different Handler Mappings with no success...
I now finally found the solution to this problem namely the WebDavModule was blocking my PUT requests.
To resolve the issue:
Open your IIS Manager
Goto your application configuration and open "Modules"
Search WebDavModule and remove it (menu on the right)
It then worked for me.
Alternatively, in your application's web.config add
<system.webServer>
...
<modules>
<remove name="WebDAVModule"/>
</modules>
</system.webServer>
One reason may be that your web.config does not map the particular request you are making to the iisnode handler. In that case the request is picked up by the static request handler which does not support PUT methods and responds with a 405.
To fix this you need a iisnode handler registration like this in your web.config: https://github.com/tjanczuk/iisnode/blob/master/src/samples/helloworld/web.config#L7
In addition, if you plan to use URL that do not end with the name of your node.js file (like seems to be the case above), you will need to use a URL rewrite module to tell IIS exactly which requests should have their URLs rewritten to point to the URL of your node.js entry point. Read more at: http://tomasz.janczuk.org/2011/08/using-url-rewriting-with-nodejs.html
Add expires headers in iis is very Easy,but this cache all the static files. now i want only
add expires headers to images,how can i do that? even i want cached specific file?
put all your images in one folder
enter the manager--> yoursite--> images folder (or specific file)
right click--> HTTP HEADERs--> Set expire header/date ! --> APPLY/OK
I've been searching for a simpler solution and I found this.
Keep your static content inside a folder (eg: css, js). Create a web.config file inside that folder. Add these following lines. Here 7 is the number of days, change it as you desire.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
You are free to keep as many static content folder as you want, simply add this web.config file. Hope this helps.