I want to disable x-frame-options in my website, I want that no other website can show my webpages in their web pages using iframes. My website is made in ASP.net MVC3 and hosted in IIS 7.5.
There are a bunch of ways to go about this. But one of the easiest is adding <customHeaders> section to the web.config and it will append that header to each request.
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Related
My application is ASP.NET 4.5 Website : https://www.monstermmorpg.com/
I serve all the static content from a static domain https://static.monstermmorpg.com
However cookies are still getting attached such as
cookie: _ga=GA1.2.xxx;
_gid=GA1.2.xxxx;
_gat_gtag_UA_xx_4=1;
__qca=P0-xxx; __gads=ID=a4xxx:T=1xxx3:RT=16xxx3:S=x
This is the web config of the static IIS folder
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<sessionState mode="Off" />
</system.web>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".webmanifest" mimeType="application/manifest+json" />
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
</staticContent>
<httpProtocol allowKeepAlive="true" />
</system.webServer>
</configuration>
OS : Windows server 2019
Many times as we develop a site we have left cookies on our browsers that no longer used from our program - but they are still there from previous sessions.
Your cookies looks and are from google ads and statistics - so its not from IIS, not from you.
I suggest to clear the cookies from your site and test again, or how you do it with the use of a private session, or with some other browser.
I check your site and see no cookies on the static. url.
I have the following tags set in my MVC web application.
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
</system.webServer>
In this web application, i also have few web APIs. After this is set, when i inspect the calls in fiddler, the new custom headers show up in response headers for only few calls. Few calls do not have this custom headers set up. It is random. Why is not being set to ALL the traffic in my web application? any help is appreciated
I checked some other solutions on StackOverflow and did not find the answer I am needing so I am asking this.
I have a site 'subdomain.myexamplesite.com' and my main website 'myexamplesite.com'.
I am hosting my CSS on 'myexamplesite.com' for the 'subdomain.myexamplesite.com' because I wanted to have all the CSS files in one place.
I don't have any issues with cross domain issues doing the hosting of the CSS files this way. Everything renders great.
The issue I have now is, I am using an #font-face and trying to get that to my subdomain site. But I am getting a cross domain error:
Font from origin 'https://www.myexamplesite.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://subdomain.myexamplesite.com' is therefore not allowed access.
The main website is a .Net website (Umbraco CMS to be exact) hosting on an IIS server. The other site is a different .Net site but still is hosted on IIS.
Since it is IIS, I don't think .htaccess file applies in my case.
I have a crossdomain.xml on my main website to allow access from my subdomain just to be sure. But that does not work.
I am referencing the font file correctly in the CSS for my subdomain site otherwise I don't think I would be getting the Font cross domain error.
Does anyone have any suggestions if it is possible to host fonts on my main domain and allow the sub domain site to use those same fonts.
Any ideas?
For a font file you need to set Access-Control-Allow-Origin http header.
To set it on all files add this to the web.config
<httpProtocol>
<customHeaders>
<remove name="Cache-Control" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
</customHeaders>
</httpProtocol>
Or more specific add something like this to the web.config below the <system.webServer> and set the location path to your font file.
<location path="static/fonts/source-sans-pro-regular.ttf" inheritInChildApplications="false">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
See cross-domain-fonts
and 59378-Centralized-Umbraco-7-Dashboards-Access-Control-Allow-Origin
and access-control-allow-origin-multiple-origin-domains
and font-face-fonts-only-work-on-their-own-domain
I have 2 websites hosted on windows server 2012. One website is using asp.net while other is wordpress. I want to embed asp.net page in wordpress. But, it is not showing anything. I did some research and came to know that perhaps, I have to allow permission for external website. Please guide me how to do it, should I add anything in web.config? I added below in asp.net but it did not help
<head>
<meta http-equiv="X-Frame-Options" content="allow">
</head>
Please guide, how to allow external website in iframe?
The iframe looks like below:
[iframe mydomain.com/signIn.aspx 640px 400px]
Thanks
You can do it in your web.config (if hosted on IIS 7.0 or later):
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options" /> <!-- optional -->
<add name="X-Frame-Options" value="ALLOW" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
This must be added in the application being "framed" (in your case an asp.net app), not in the parent app (wordpress).
Reference: https://www.iis.net/configreference/system.webserver/httpprotocol
I know there are related posts here on this forum and another resources but I got stuck with this and couldn't proceed. Problem is I've done a website with VS2010 when I publish it to a FTP server and navigate to the url address I got an error.
Here are the things that I've done:
I've enabled IIS services and static content
I've revert to parent the staticFile under handler mappings
I've registered the asp.net again in command prompt(the regiis.exe thing)
In IIS manager i've added my website adress under sites, stopped default web site and started mine.
I've added my site to classic.NET AppPool(integrated,and v4.0)
I've enabled the default browsing..
I've done all the advices that generally covered..
Here is my web.config:
<configuration>
<system.webServer>
<directoryBrowse enabled="true" showFlags="Date, Time, Size, Extension" />
<defaultDocument>
<files>
<add value="AnaSayfa.aspx" />
</files>
</defaultDocument>
</system.webServer>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
</configuration>
Where am I making a mistake?
The following post has some answers to this same question.
How do I fix 404.17 error on Win Server 2k8 and IIS7
Hope that helps.
EDIT: I see you've tried most of these...Sorry.