In IIS 7.5, you can add static HTTP Response headers, but I want to add an "Expires" header that always specifies a date that is 7 days in the future.
I'm running php 5.4, so I'd like a solution that can do this by editing the web.config file rather than some c# code solution.
I know how to add the header using php, but that won't help for static image file's http headers (jpg, gif, png, etc).
The header should look something like this:
Expires: Thu, 31 May 2012 10:59:25 GMT
How can I make it dynamically always show a date and time 7 days in the future?
Edit:
Notice that I have the expires header that I want on my php files:
http://web-sniffer.net/?url=http%3A%2F%2Fwww.bestds.com
However, I'm not able to specify a date that is 7 days ahead for the "Expires" key on png files (for example), I'm having to use a static date far in the future:
http://web-sniffer.net/?url=http%3A%2F%2Fwww.bestds.com%2Fimage%2Ftlogo.png
This is a standard feature of IIS. The HTTP Response Headers module allows you to set this common header. This results in the following web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
You should do this only in the directories where you want this header to be send. Typically only directories with static content.
You can only add dynamic expires header using program code.
Source:
The Microsoft IIS Site
You should use Cache-Control max-age instead, like suggested in the other answer.
Related
How to remove cached files in browser by server response?
I have accidentally setup
Cache-Control:no-cache
Then Lots of my client's browser cached javascript files. I have change the server http status and new response should have
Expire:0
Cache-Control:no-store
But the cached file does not get latest files. So I was reading some article and tried to remove/change ETag header and tried adding
<customHeaders>
<add name="ETag" value=" " />
</customHeaders>
But it does not work. I also tried to disable all cache from Output Caching in IIS.
But it does not work.
How can I make the browser gets latest files without doing by user side?
Thank you!
To Disable client cache in iis you could use the HTTP Response Headers feature:
1)Open iis manager, select your site.
2)Doble click HTTP Response Headers from the middle pane.
3)On the HTTP Response Headers page, in the Actions pane, click Set Common Headers.
4)In the Set Common HTTP Response Headers dialog box, select the Expire Web content check box and select one of the following options:
Select Immediately if you want the content to expire immediately after it is sent in a response.
Select After if you want the content to expire periodically. Then, in the corresponding boxes, type an integer and select a time interval at which content expires. For example, type 1 and select Days if you want the content to expire daily.
Select On (in Coordinated Universal Time (UTC)) if you want the content to expire on a specific day and at a specific time. Then, in the corresponding boxes, select a date and time at which the content expires.
If you have access to the source code mall modern browsers will treat resources such as a CSS, Javascript as new versions if you append a query string to them which is unique.
E.g
http://www.example.com/test.js?v=1.1
You can disable cache for specific file and folder by using the location tag:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!-- Specific file -->
<location path="test.js">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
<!-- Folder including subfolders -->
<location path="folder/subfolder">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
</configuration>
Using "URLRewrite", I were able to set the server header value to "" from IIS handled files. But it is still present in static content files like <link stylesheets>, <script Javascript Files> included in the header. Please let me know how to fix these issues.
For server tag value removal for all static files like .css/.js files, add this to web.config:
<configuration>
<modules runAllManagedModulesForAllRequests="true">
</configuration>
Above mentioned tag makes all the static files to be handled as managed code and hence not through handlers StaticFileModule,DefaultDocumentModule,DirectoryListingModule and will be handled through IsapiModule Handler. This will remove the server tag in the header response for Static files such as .js/.css files.
I recently tried to integrate WebMarkupMin, a run-time html minification library, into my site (C#, IIS 8, MVC 4). We have IIS compression enabled. I discovered that IIS actually compresses the action filter output stream, which means when I try to minify my html in an action filter, I am trying to minify already compressed content.
Question: At what point in the run-time process does IIS compress output? Is there any way to use mvc action filters to modify html ouptut without disabling IIS compression?
The IIS dynamic compression for ASP MVC output runs pretty late in the pipeline. In my test it was No. 315 out of 349 pipeline items and after all the asp.net modules ran.
To see the order of the executed modules in the IIS pipeline, set up Failed Request tracing (FREB) for your site and review the logs.
I would say there is no way in your MVC action filter to tell the compression module not to compress.
But you can turn compression off on a url basis:
In your web config use something like this:
<location path="my/long/route/">
<system.webServer>
<urlCompression doDynamicCompression="false" />
</system.webServer>
</location>
you are telling IIS to turn off dynamic compression for just that URL.
It is necessary assign to dynamicCompressionBeforeCache attribute a value equals to false:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
…
<system.webServer>
…
<httpCompression …>
…
</httpCompression>
<urlCompression … dynamicCompressionBeforeCache="false" />
…
</system.webServer>
…
</configuration>
I know this is an old issue but the error solved when I used UseResponseCompression before UseStaticFiles
app.UseResponseCompression();
app.UseStaticFiles(new StaticFileOptions
{
ServeUnknownFileTypes = true,
OnPrepareResponse = context => context.Context.Response.Headers.Add("Cache-Control", "public, max-age=2592000")
});
app.UseWebMarkupMin();
Our site is not currently safe from clickjacking, so I went into the web.config and added
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
This is very straight forward code. My issue is that it's just not working. The questions I have are:
Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
Why is this not working? What can I do to test or move forward?
I did try to add it in the Global.asax in the Application_Start method, but I cant seem to "hit" this method when I debug; it does not hit breakpoints.
private void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
LogHelper.Info("Cost of Care Web Application Starting");
}
I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so
<meta http-equiv="X-Frame-Options" content="deny">
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
Click OK to save your changes.
Since my comments answered the question here's the end result:
For some reason setting the X-Frame-Options in web.config doesn't seem to actually work even though the documentation makes it sound like it should.
An easy work around is to set the headers manually using:
Response.AddHeader("X-Frame-Options", "DENY");
If you need this set for every request with no exceptions you can add the Application_BeginRequest to Global.asax:
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The answer of siva.k does not work in connection with MVC5 as the header is generated twice here. The following code should work:
protected void Application_Start()
{
// MVC5 generates the "X-Frame-Options SAMEORIGIN" header by default, the following line disables the default behaviour
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
protected void Application_BeginRequest()
{
Response.AddHeader("X-Frame-Options", "DENY");
}
The SuppressXFrameOptionsHeader flag was mentioned here: https://stackoverflow.com/a/20262211/3936440
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src: https:; frame-ancestors 'self' X-Frame-Options: SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
Your web.config entry needs to be under content security policy to make use of current coding not previously depreciated. The value under content security policy of value="default-src: https: is unique to your website.
The content that matters is what comes after 'value="default-src: https:' but most importantly is contained within Content Security Policy.
Here is another thing to consider:
If you have a separate back-end and UI projects (as is very common for REST based sites), make sure that you put X-Frame-Options in the UI web.config. Your API is probably allowing cross site calls so adding the header to your API project would make no sense.
I found that some file types (.asp and .htm files) were getting the X-Frame-Options header added by this mechanism and others (.js) weren't. Using the IIS Admin utility I removed the header from the application level and added it at the server level, and then all files were getting the header added.
Add expires headers in iis is very Easy,but this cache all the static files. now i want only
add expires headers to images,how can i do that? even i want cached specific file?
put all your images in one folder
enter the manager--> yoursite--> images folder (or specific file)
right click--> HTTP HEADERs--> Set expire header/date ! --> APPLY/OK
I've been searching for a simpler solution and I found this.
Keep your static content inside a folder (eg: css, js). Create a web.config file inside that folder. Add these following lines. Here 7 is the number of days, change it as you desire.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>
</system.webServer>
</configuration>
You are free to keep as many static content folder as you want, simply add this web.config file. Hope this helps.