
IIS 7.0 - IIS adding "private" to cache-control, where is that coming from

Because we protect .PDF files from anonymous users, we have a custom handler so we have an entry

We also made a change to the http headers to add "cache-control: no-cache,no-store" via IIS 7 management which creates web.config entries under system.webserver element as follows:

<httpProtocol>

  <customHeaders>
    <clear />
    <add name="cache-control" value="no-cache,no-store" />
  </customHeaders>

</httpProtocol>

When I review the response headers in a Burp Suite session, I see for .aspx pages: cache-control: no-store,no-cache,no-store

But for PDF pages:

Cache-Control: private,no-cache,no-store

My goal would be to get everything to just "no-cache, no-store". I am not sure what I am missing. There are no other cache settings in the web.config. Please advise on how to remove "private" from PDF pages and the extra no-store from all else. Other static pages go through the System.Web.StaticFileHandler, and they also have the "no-store,no-cache,no-store".

Brian Edwards asked Oct 08 '22 10:10


1 Answer

Although this post is now a few years old, I thought I would share my solution that may save someone hours of head-scratching.

I have an MVC 4 site set up using IIS, and my aim was to have IIS add headers to certain files (defined by location), by using the <customHeaders> section. The 'cache-control' values I had in the <customHeaders> section were being appended to the end of 'cache-control: private', magically being added by IIS.

This was because of the runAllManagedModulesForAllRequests setting in my web.config being set to true:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
</system.webServer>

This setting was causing one of the IIS Modules (I don't know which) to append the 'cache-control' header to every file being requested from IIS.

So the solution is to set this to false, and manage each of your modules separately using the preCondition attribute on each.

The runAllManagedModulesForAllRequests setting was required by earlier versions of MVC because extensionless routing would not work without it. This has since been fixed; more details here:

http://blogs.msdn.com/b/tmarq/archive/2010/04/01/asp-net-4-0-enables-routing-of-extensionless-urls-without-impacting-static-requests.aspx

Useful reading on the use of runAllManagedModulesForAllRequests:

http://weblog.west-wind.com/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78

Craig answered Oct 13 '22 09:10
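
One way to confirm the result after changing the configuration, as an added example that is not part of the original question or answer: a small Python check that parses the Cache-Control values quoted in the question and reports duplicate or unexpected directives. The function names and the `EXPECTED` policy set are assumptions made for this illustration.

```python
# Added example: audit Cache-Control values against the intended policy.
EXPECTED = {"no-cache", "no-store"}  # assumed target policy from the question


def parse_cache_control(*header_values):
    """Split one or more Cache-Control header values into directive names.

    Names are case-insensitive; arguments such as max-age=0 are dropped,
    and commas inside quoted arguments do not split a directive.
    """
    names = []
    for value in header_values:
        token, in_quotes = "", False
        for ch in value + ",":  # trailing comma flushes the last token
            if ch == '"':
                in_quotes = not in_quotes
            if ch == "," and not in_quotes:
                name = token.split("=", 1)[0].strip().lower()
                if name:
                    names.append(name)
                token = ""
            else:
                token += ch
    return names


def audit(header_value, expected=EXPECTED):
    """Return findings for one response; an empty list means it matches."""
    names = parse_cache_control(header_value)
    findings = []
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"duplicate directive: {name}")
        if name not in expected:
            findings.append(f"unexpected directive: {name}")
    for name in sorted(expected - set(names)):
        findings.append(f"missing directive: {name}")
    return findings


# Header values as reported in the question, plus the target value.
OBSERVED = {
    ".aspx page": "no-store,no-cache,no-store",
    "PDF via custom handler": "private,no-cache,no-store",
    "target": "no-cache, no-store",
}

if __name__ == "__main__":
    for label, value in OBSERVED.items():
        print(f"{label}: {audit(value) or 'ok'}")
```

Running it against headers captured after the change shows whether `private` and the repeated `no-store` are gone for each handler type.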