I want to hide my Web Server and Operating System from Wappalyzer
I removed X-Powered-By, but nothing happens.
If you want to hide your technology, like ASP.NET, please just remove the response header X-Powered-By:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
If you want to hide your web server, please download the URL Rewrite extension and set an outbound rule like this:
<outboundRules>
<rule name="response" enabled="true">
<match serverVariable="RESPONSE_SERVER" pattern="(.*)" />
<action type="Rewrite" />
</rule>
</outboundRules>
Remember that Wappalyzer will cache the information, so when you finish setting these configurations, please remember to clear the browser cache.
I do it like that in the web.config file:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By"/>
<add name="X-Powered-By" value="Write what you want to show here"/>
</customHeaders>
</httpProtocol>
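To confirm what a response still reveals after these changes, the following added example (not code from either answer) classifies the fingerprinting headers in a raw HTTP response. The sample responses are constructed, and checking `X-AspNet-Version` and `X-AspNetMvc-Version` goes beyond the two headers discussed above.

```python
import re

# Response headers that IIS and ASP.NET emit by default and fingerprinting tools read.
# The first two are the ones this page deals with; the last two are other
# ASP.NET defaults, included here as an assumption about what else to check.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A value still identifies the stack if it names the product or carries a version number.
LEAK = re.compile(r"microsoft-iis|asp\.net|\d+\.\d+", re.IGNORECASE)

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():                 # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Classify each fingerprinting header as absent, blank, custom or leaks."""
    headers = parse_headers(raw)
    report = {}
    for name in FINGERPRINT_HEADERS:
        values = headers.get(name)
        if values is None:
            report[name] = "absent"
        elif any(LEAK.search(v) for v in values):
            report[name] = "leaks"
        elif all(v == "" for v in values):
            report[name] = "blank"
        else:
            report[name] = "custom"
    return report

# Constructed sample responses (not captured from a real server).
DEFAULT = ("HTTP/1.1 200 OK\nContent-Type: text/html\nServer: Microsoft-IIS/10.0\n"
           "X-Powered-By: ASP.NET\nX-AspNet-Version: 4.0.30319\n\n<html></html>")
# After the customHeaders <remove> and the RESPONSE_SERVER outbound rule shown above.
HARDENED = ("HTTP/1.1 200 OK\nContent-Type: text/html\nServer:\n"
            "X-AspNet-Version: 4.0.30319\n\n<html></html>")
# After replacing X-Powered-By with a custom string, as in the second answer.
CUSTOM = "HTTP/1.1 200 OK\nServer:\nX-Powered-By: Write what you want to show here\n\n"

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("hardened", HARDENED), ("custom", CUSTOM)):
        print(label, audit(raw))
```

The `HARDENED` sample still reports `x-aspnet-version` as leaking because that header is controlled separately, by the `enableVersionHeader` attribute of `<httpRuntime>`.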
So as part of the payment process in my site, I have to visit an ExternalURL to validate certain fields and as a result of the Validation completion, I will be getting a POST back to my Action Method with some response variables. The problem that I am facing is that the cookies fail to persist even though I have tried out the following Steps.
Have already explicitly assigned the SameSite Flag for the cookie to be Lax.
Have already made some changes to the Web.config that I will be including below.
Part of the Web.config that I modified.
<system.web>
<authentication mode="None">
<forms cookieSameSite="Lax" requireSSL="false" />
</authentication>
<compilation debug="true" targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2" executionTimeout="500" />
<!-- Added this line for restoring Cookie values after the redirect to an external URI. -->
<httpCookies requireSSL="true" />
<sessionState cookieSameSite="None" cookieless="false" timeout="360" />
</system.web>
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization maxJsonLength="2147483647" />
</webServices>
<scriptResourceHandler enableCaching="false" enableCompression="false" />
</scripting>
</system.web.extensions>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
<!--<rewrite>
<outboundRules>
<clear />
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=lax" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>-->
</system.webServer>
The method from where we call the External URL has this piece of code.
HttpCookie ckpaymentTRID = new HttpCookie("PaResTransactionID");
ckpaymentTRID.Value = resultPaymentObj.TransactionID.ToString();
ckpaymentTRID.SameSite = System.Web.SameSiteMode.Lax;
ckpaymentTRID.Secure = true;
HttpContext.Response.Cookies.Add(ckpaymentTRID);
The method where I receive the POST from the External URL consists of this
var SomeCookiee = HttpContext.Request.Cookies["PaResTransactionID"];
Also, I have browsed through this article here and am aware of the changes pre and post the .NET framework update.
Thanks in advance for the help!!!
Turns out all the web.config setting changes were inconsequential, as the remaining were actually enough to make the cut. Here is actually how I got a hint about how to solve this issue:
As I was being redirected from my application to the External-URL.....in Google Chrome, under dev tools you get to see the cookies that have been passed... I was always getting a warning saying that "since your cookie is not a secure cookie, chrome by default changes the SameSite setting from None to Lax and so your cookie doesn't persist throughout the request at all.".....which then prompted me to change the web application settings to run as https://localhost rather than http://localhost in VS2019. Once I did that, I saw that I no more needed the explicit HttpCookie or sessionState settings to be modified or in fact placed at all in the web.config and the Cookie value persisted in spite of the External Domain Re-Direction.
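The interaction between `SameSite` and `Secure` that this thread revolves around can be modelled in a few lines. This is an added example, not code from the post: it follows Chrome's documented rules (Chrome 80 and later), the cookie strings are constructed, and Chrome's temporary "Lax + POST" allowance for recently set cookies with no `SameSite` attribute is not modelled.

```python
SAFE_METHODS = {"GET", "HEAD"}

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0], attrs

def effective_samesite(attrs):
    """Return 'strict', 'lax', 'none', or 'rejected' for this attribute set."""
    mode = attrs.get("samesite", "").lower()
    if mode not in ("strict", "lax", "none"):
        return "lax"                      # missing or unknown value: treated as Lax
    if mode == "none" and "secure" not in attrs:
        return "rejected"                 # SameSite=None is only accepted with Secure
    return mode

def is_sent(header, cross_site, method="GET", top_level=True):
    """Would the browser attach this cookie to the described request?"""
    _, attrs = parse_set_cookie(header)
    mode = effective_samesite(attrs)
    if mode == "rejected":
        return False                      # never stored, so never sent
    if not cross_site or mode == "none":
        return True
    if mode == "lax":
        # Lax: cross-site only on top-level navigations with a safe method
        return top_level and method.upper() in SAFE_METHODS
    return False                          # strict: never on cross-site requests

# Constructed Set-Cookie values (cookie name and value are placeholders).
LAX = "txn=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
NONE_SECURE = "txn=abc123; Path=/; Secure; HttpOnly; SameSite=None"
NONE_INSECURE = "txn=abc123; Path=/; SameSite=None"
NO_ATTR = "txn=abc123; Path=/"

def callback_report():
    """Which sample cookies accompany a cross-site POST back to the site?"""
    samples = {"lax": LAX, "none+secure": NONE_SECURE,
               "none": NONE_INSECURE, "unset": NO_ATTR}
    return {k: is_sent(v, cross_site=True, method="POST") for k, v in samples.items()}

if __name__ == "__main__":
    print(callback_report())
```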
I'm trying to disable the "Vary" header via web.config and I've tried the following with no success:
Setting #1
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="Vary" />
</customHeaders>
</httpProtocol>
</system.webServer>
Setting #2
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Vary Header">
<match serverVariable="RESPONSE_Vary" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
Neither setting works. I'm curious as to what I am doing wrong.
I figured out the answer to this question. IIS overwrites the "Vary" header if compression is enabled, so implementing the following into your web.config will prevent IIS from overwriting your rewrite rules:
<system.webServer>
<urlCompression doStaticCompression="false" doDynamicCompression="false"/>
</system.webServer>
The only problem that you will run into will be trying to disable compression if it is already being used in the web.config. If devs are using compression, you will need to work with them to remove it.
I've been going crazy about this. I have WordPress 4.6 on an IIS 7.5 server. I am using the latest versions of the Divi template and builder by Elegant Themes, but the builder won't work as my hosting server is blocking cross-origin requests. The team at Elegant Themes has not been able to help me figure out the solution.
Error message I get is:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://tigerflow.com/Tigerflow/wp-admin/admin-ajax.php. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
I have enabled headers through the web.config file and through the IIS Server Manager. My web.config is looking like this right now:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type"/>
<add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS"/>
</customHeaders>
</httpProtocol>
<rewrite>
<rules>
<rule name="wordpress" patternSyntax="Wildcard">
<match url="*"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/>
</conditions>
<action type="Rewrite" url="index.php"/>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
I found Zehra's solution to another question about including some lines in the global.asax but I'm not sure where to look for that. Could anyone guide me? Feel free to visit the website at www.tigerflow.com
EDIT: Alin's response has been the nearest I've come to (partially) fixing my issue... when I log in to the admin using the www prefix I have the CORS problem... but logging in directly seems to link the API correctly and everything works smoothly.
I'd like to set a request header (HTTP_HOST to be precise) from Web.config, using the IIS URL Rewrite module, on Azure Websites. Basically I'd like to have something like this in my site's Web.config:
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="My rule" enabled="true">
<match url=".*" />
<serverVariables>
<set name="HTTP_HOST" value="my value" />
</serverVariables>
<action type="None" />
</rule>
</rules>
</rewrite>
</system.webServer>
This results in an error that HTTP_HOST is not allowed to be set. This is normal and with standard IIS the next step would be to add HTTP_HOST to the <allowedServerVariables> element to applicationhost.config directly or through AppCmd. However I couldn't find any hints on being able to access this config somehow.
Is it possible to somehow modify the apphost config, or add allowed server variables somehow else?
It is possible to alter Azure's ApplicationHost.config by applying xdt transformations.
Upload the file to /site and restart your site for the changes to take effect:
ApplicationHost.xdt
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
See also:
https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
http://azure.microsoft.com/nl-nl/documentation/articles/web-sites-transform-extend/
Expanding on Joris' answer, you should use xdt:Transform="InsertIfMissing" and xdt:Locator="Match(name)" otherwise it won't work the way you expect it to (here's an example of it not working as-expected, and another example).
So your applicationHost.xdt should look like this:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
Hope you all are having a great time in this forum. Today I joined this forum and came with a problem. My problem is that...
Recently I created a website, and when I created its pages, one page name was misspelled. Now I want to redirect this page to the real page name. I am using this code:
<system.web>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"></modules>
<httpHandlers>
<add verb="*" path="misspell url " type="UrlRedirection" validate="false" />
</httpHandlers>
</system.web>
This code is fine on the local server, but when I upload it to the server it shows a 500 internal server error.
Points:
• We used GoDaddy hosting, IIS 7.
Need help!
Thanks in advance.
Good news, you are using IIS7 and your GoDaddy hosting supports the UrlRewrite module:
http://support.godaddy.com/help/article/5443/microsoft-url-rewrite-module
This means you do the following:
Delete the <httpHandler> <add /> that you have set up.
Find <system.webServer> in your web.config
Paste this in between the start and close tags:
Code:
<rewrite>
<rewriteMaps>
<rewriteMap name="StaticRewrites" defaultValue="">
<add key="/oldurl.aspx" value="/newurl.aspx" />
</rewriteMap>
</rewriteMaps>
<rules>
<rule name="RewriteMap Rule">
<match url=".*" />
<conditions>
<add input="{StaticRewrites:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Redirect" url="{C:1}" />
</rule>
</rules>
</rewrite>
You can add as many of these rows as you like if you want to redirect several pages:
<add key="/oldurl.aspx" value="/newurl.aspx" />
I just double-checked this on my server and it produces a 301 redirect (which is a permanent, SEO-friendly redirect).