For an unknown ASP.NET application running under IIS, where can I find where a given response header is set?

Having a comprehensive list would be quite useful to all of us, so please contribute what you know.

Specifics

In my case, I have an ASP.NET MVC application running on IIS 7.0, in integrated pipeline mode. This is a dev environment, with no load-balancers or CDNs to get in the way. I have access to the source code, but haven't been able to find the culprit. I'm looking for the origin of the X-Frame-Options header, of which I have two, with conflicting values of DENY and SAMEORIGIN.

Where should I look for these two, conflicting values?

Similar questions

  • There's a similar question, specific to Max-Age which has an open bounty at the time of this writing. The reason this question is different is that Max-Age is more likely to be set by a third-party, such as a CDN or reverse-proxy, adding even more complication to the mixture.
  • Django/NGinx-specific, unanswered
  • Same problem on IIS6, no resolution
jpaugh
  • There's any number of ways the header could be set. Stack Overflow, however, is not a forum for collecting those ways. – Chris Pratt Jun 07 '17 at 16:28
  • OP's response to **too broad** close vote: This question has many potential quite specific answers which may be useful to others as well as to myself. Or, if it is indeed too broad, I can edit it to remove everything which does not relate to my specific situation; but that might make the question less useful to others, which is why I wrote it this way. – jpaugh Jun 07 '17 at 16:40
  • At its core SO is still a Q&A site, and questions like this will result in a ton of answers, most of which will be incomplete, and none which will be "acceptable". That then means that the question remains in unanswered purgatory forever. This might be something worthwhile to add to the Documentation site, but it doesn't belong here, regardless of its potential usefulness. This just isn't the right format. – Chris Pratt Jun 07 '17 at 16:56

1 Answer

Here are the places I checked. This didn't help me, but it might help someone else.

  • Web.config. (The following entries are in XPath notation)

    • /system.webServer/httpProtocol/customHeaders

      Look for lines like <add name="header-name" value="header-value" />

    • /system.webServer/modules (Middleware modules)

      Remove any suspect middleware modules temporarily, or step through their OnResponse code, looking at the sender.Response.Headers to see when (or if) the unwanted header is added.

  • Machine config (source): I looked for the same options as for Web.config, as well as searching for the header name and for any relevant modules. I checked both the 32-bit and 64-bit versions:

    • 32-bit: %windir%\Microsoft.NET\Framework\[version]\config\machine.config
    • 64-bit: %windir%\Microsoft.NET\Framework64\[version]\config\machine.config
  • Code

    • Controller annotations

      While poking around the code, I found an annotation like this:

      [AddHttpResponseHeaderCustomFilter("X-Frame-Options", "DENY")]
      
    • Global.asax.cs: Look for anything which adds a header.

    • Solution-wide search: I tried searching for any occurrence of the following: X-Frame-Options, Frame-Options (case insensitive), frame (case insensitive, whole word only).
  • IIS Manager

    • Checked the HTTP Response Headers feature for each of the following levels of hierarchy:

      • Machine (top-level)
      • Site (Default Web Site)
      • Application
      • Each folder under the application, drilling down to my controller's containing folder. (For most MVC apps, that would be a top-level folder named Controllers, but it could also be Area\AreaName\Controllers.)

jpaugh