I have a website running on IIS 8.5 on Windows 2012. Every time I use Visual Studio 2015 to publish to this site, X-Frame-Options Deny is added.
I need this totally removed. I've found articles like MVC 5 Prevents access to content via Iframe suggesting to use:
protected void Application_Start()
{
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
However, this does not work. Any suggestions?
I just noticed in IIS that at the server level, it had X-Frame-Options Deny. When I removed this, and republished to the site, X-Frame-Options did not appear.
It must have been inheriting from the server setting.
I have a website which sits on a non-public domain and is delivered via a proxy on a different domain. We're having some trouble with caching of content - this is an Umbraco site and making changes updates the pages if you hit the domain directly, but not through the proxy.
I've been informed that the proxy honours response headers and setting an eTag would fix the issue. Having looked into this I can see that IIS sets the eTag by default, and I can see this is working on static content i.e. .js, .css files like so:
However, if I visit a page on the site, for example /uk/products/product I don't see the eTag header.
Is this expected behaviour, should it only be working with those static content files or can I set this on the page to tell the proxy that it should recache?
The ETag HTTP response header is an identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content has not changed. Additionally, ETags help prevent simultaneous updates of a resource from overwriting each other ("mid-air collisions").
If the resource at a given URL changes, a new ETag value must be generated.
Static content does not change from request to request. The content that gets returned to the Web browser is always the same. Examples of static content include HTML, JPG, or GIF files.
IIS automatically caches static content (such as HTML pages, images, and style sheets), since these types of content do not change from request to request. IIS also detects changes to the files when you make updates, and IIS flushes the cache as needed.
To enable caching in IIS you could use the IIS output caching feature:
1) Open IIS Manager. Select the site.
2) Select the output caching feature from the middle pane.
3) Select edit feature setting from the middle pane.
4) Check the enable cache and enable kernel cache boxes and click OK.
If you want to set the ETag as blank you could also do so by adding the code below to the web.config file:
<httpProtocol>
    <customHeaders>
        <add name="ETag" value="" />
    </customHeaders>
</httpProtocol>
Refer to the articles below for more detail:
Caching
To use or not to use ETag, that is the question.
Configure IIS Output Caching
I've read that IIS after version 7 automatically enables E-tags, however, I ran a Pingdom speed test and the report advised me to enable E-tags. I'm not sure that report is accurate, or the information I read about IIS 7 and newer may not be correct.
My setup:
Windows Server 2012
IIS 8.5
SharePoint 2013
The SharePoint site is configured to require client certificate. If the user has no valid certificate or the password was wrong IIS returns error code 403 in response header. I would like IIS to return a custom error page instead where I could guide the user how to fix the issue.
There are just too many options where I can configure error pages. Which is the right one?
In IIS I have three possible sites to configure.
Default Web Site
My web application
My web application port 443
Custom errors in web.config
Error Pages in IIS
.Net Error Pages in IIS
I have tried some of these options but with no success. Can anybody help me?
Just edit the web.config file in your Visual Studio solution, modify the customErrors section and then check the file into GitHub to trigger a new deployment.
If you don't use VS, then find your web.config file. Worst case scenario you can edit it directly.
I've created a new project in Visual Studio 2013. It is a HTML Application with TypeScript project. When I deploy it (Ctrl-F5, or F5), I do not see changes that I've made to my html/css/ts files. How do I get VS to redeploy the site to IIS Express?
I should add that this is very non-deterministic.
I should add that this only seems to be a problem with IE, not with Chrome.
As you notice different behaviour between browsers, you should suspect the web browser.
You can force a reload of the page in Internet Explorer with Ctrl+F5.
You may also want to set the HTTP expires header by using a clientCache entry in the web.config file:
"The <clientCache> element of the <staticContent> element specifies cache-related HTTP headers that IIS 7 and later sends to Web clients, which control how Web clients and proxy servers will cache the content that IIS 7 and later returns.
For example, the httpExpires attribute specifies a date and time that the content should expire, and IIS 7 and later will add an HTTP "Expires" header to the response. The value for the httpExpires attribute must be a fully-formatted date and time that follows the specification in RFC 1123. For example: Fri, 01 Jan 2010 12:00:00 GMT"
...but do remember to set it appropriately for the actual web site when you deploy it "for real". Or you might decide that using cacheControlMaxAge is more suitable.
I had created a simple portal site for our internal users, just a CSS menu with our internal web services which then displayed in an iFrame. Worked well so far.
Our helpdesk software was GLPI running on APACHE on the same server and had no issues. We recently upgraded to the latest version and in the meantime I moved it to our new web apps server and switched to IIS. The 'portal' is still hosted on the old server.
When I updated the javascript for the iFrame to point to the new address, it looked like it worked, I could get the login screen for GLPI. After logging in however I just get stuck at a white screen. If I try it in IE I get the message:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be
displayed in a frame.
What you can try:
Open this content in a new window
It doesn't seem to be the iFrame itself as I can get the login page.
My question is, can anyone give me some ideas on where to look at this issue? I've checked the IIS logs on both sides and see no errors, GLPI reports no errors, neither does PHP.
GLPI is on IIS 8 on Server 2012
The 'portal' is on IIS 6 on server 2003
GLPI running on PHP 5.3.0
EDIT: I've looked into the X-FRAME issue and I'm pretty sure this is not it, servers are on the same domain and I am able to get to the login screen of the second server through the iFrame, just no content after that. If it was an issue with the frame or permissions I would expect to not get to the site at all?
The only header response currently in IIS is 'X-Powered-By --> ASP.NET' am I looking in the wrong spot?
The server is returning an X-Frame-Options header used to prevent ClickJacking. That header must be removed (or updated with an Allow-From directive that lists the framing page's origin) in order for the target page to be rendered as a subframe.
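The framing decision behind this answer, and behind the server-level X-Frame-Options Deny setting in the first thread on this page, as an added Python example (not code from any poster; the host names are constructed). It shows that SAMEORIGIN still blocks two hosts on one domain, and that current browsers ignore ALLOW-FROM, so a Content-Security-Policy frame-ancestors directive is the way to name an allowed parent.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def framing_allowed(headers, framed_url, parent_url):
    """True if a current browser would render framed_url inside parent_url.

    Simplified: looks at the immediate parent only, and in frame-ancestors
    understands 'none', 'self', * and full scheme://host[:port] sources.
    """
    h = {k.lower(): v for k, v in headers.items()}
    parent, framed = origin(parent_url), origin(framed_url)

    # A frame-ancestors directive, when present, replaces X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.lower().split()
        if parts and parts[0] == "frame-ancestors":
            for src in parts[1:]:
                if src == "*" or (src == "'self'" and parent == framed):
                    return True
                if "://" in src and origin(src) == parent:
                    return True
            return False  # 'none', or no listed source matched the parent

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == framed
    # Absent header, or ALLOW-FROM (obsolete: current browsers ignore the
    # whole header), means no framing restriction is enforced.
    return True

# Constructed host names for illustration only.
PORTAL = "http://oldserver.corp.example/portal/"
HELPDESK = "http://newserver.corp.example/glpi/"
```

Feed it the headers captured from the framed page's response (browser developer tools or a proxy log) to see which header is responsible before changing IIS configuration.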
Can dynamic pages be compressed and given an ETag too?
Any ideas? I'm missing Apache quite a lot. Hope someone can help! :)
To enable dynamic compression, use Microsoft Web Platform Installer to ensure that "IIS: Dynamic Content Compression" is installed. Then open up IIS Manager and click on the server (or to a site if you only want to enable this for an individual site, gets stored in web.config under site root so be careful not to overwrite), and go to Compression and ensure "Enable dynamic content compression" is ticked. This is for IIS7, let me know if you want this for IIS6.
For etags on aspx pages add to Page_PreInit (or Page_Init if Master page):
if (Request.Headers["If-None-Match"] == "somekey")
{
    Response.StatusCode = (int)System.Net.HttpStatusCode.NotModified;
    Response.End();
}
And to Page_Load:
Response.Cache.SetCacheability(HttpCacheability.Public);
Response.Cache.SetETag("somekey");
Where somekey could be the last modified date stored in the database for the page if it's some content management system.
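An If-None-Match header can carry several quoted entity-tags, a W/ weak prefix, or *, which a single string comparison does not cover. The matching logic as an added example, written in Python so it runs stand-alone (not the answerer's code; deriving the tag from a SHA-256 prefix of the body is an assumption):

```python
import hashlib

def make_etag(body: bytes) -> str:
    """Quoted strong entity-tag; the SHA-256 prefix scheme is an assumption."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

def parse_if_none_match(value: str) -> list:
    """Split the header into entity-tags; ['*'] for the wildcard form."""
    value = value.strip()
    if value == "*":
        return ["*"]
    tags, i = [], 0
    while i < len(value):
        start = i
        if value.startswith("W/", i):
            i += 2
        if i >= len(value) or value[i] != '"':
            i = start + 1          # separator or junk: skip one character
            continue
        end = value.find('"', i + 1)
        if end == -1:
            break                  # unterminated quote: stop parsing
        tags.append(value[start:end + 1])
        i = end + 1
    return tags

def opaque(tag: str) -> str:
    """Drop the weak prefix so W/"x" and "x" compare equal."""
    return tag[2:] if tag.startswith("W/") else tag

def not_modified(if_none_match, current_etag: str) -> bool:
    """True when a GET or HEAD should be answered with 304 Not Modified."""
    if not if_none_match:
        return False
    tags = parse_if_none_match(if_none_match)
    return "*" in tags or opaque(current_etag) in [opaque(t) for t in tags]
```

Tags are scanned quote by quote rather than split on commas because a comma is a legal character inside an entity-tag.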