- Content Types
- Headless Development Guide
- Best Practices
- Technical Documentation and Processes
-
Stack Overflow
- How can I notify others about a question?
- Will public Stack Overflow users be able to see my Team?
- What are the best practices for tagging?
- What integrations are enabled on our Team?
- What kind of questions can I ask here?
- Is there a syntax highlighter for eZ Publish legacy?
- What's the minimum PHP version required for eZ Publish?
- Do we have a server naming strategy?
- How do I remove information-leaking headers in IIS?
- How do I safely restart apache on ubuntu after changing configuration?
- For lamp site Vagrant boxes, can I speed up a reprovision if provision fails and I made a change?
- Where can I find / discuss Blend's developer best practices?
- I have SSH access to a production/QA LAMP site, but I need to examine raw solr documents. How do I do it?
- How do I set Octopus Deploy to deploy my package automatically once Jenkins builds it?
- How do I find the IP address of a host or domain?
- How can I view a server using a different domain? (add an entry to my hosts file)
- How do I allow clients to make site redirects in Drupal?
- What version of Symfony should I choose?
- Is there a naming strategy for new projects?
- What belongs in the project README?
- How do I know who to assign my merge request to?
- Can custom services be autowired into another service in Symfony?
- Why can't I access the EC2 metadata URL on a Windows VM?
- I'm added a new feature that makes a network request, and it's working in dev. Why wont it work in QA / Prod?
- Someone discarded a draft in eZ Publish (4.x, 5.x, or legacy) and it's missing! How do I find it?
- How can I add a new https site to my local IIS?
- How do I setup a second site in episerver?
- How do I configure web.config to show descriptive errors?
- How do I import a .bacpac file into SQL with SSMS?
- In a LAMP project, what's the best way to get a prod-like database locally?
- How do you log things with NSSM
- How do I add a new club to the ClubCorp O.N.E. Benefits Finder?
- Where can I find a screen recording from a join.me call?
- Which static site generator should we use?
- How do I forward a call in the office directly to voicemail?
- Is there an actively updated list of integration and prod sites somewhere everyone can reference?
- Where is the Blend Accessibility site again?
- What Meta information do I need to support the common social media networks?
- How do I paste a copied timesheet entry in redmine?
- How do I add time to a project I'm not a part of?
- Is there a limit on uploading files to gitlab?
- How can I alias a git command?
- How do I figure out if Blend hosts a website?
- What belongs in a project Readme.md ? Do we have a boilerplate Readme.md or other file?
- How do I become the call organizer in Join.me?
- Is `ISynchronizedObjectInstanceCache` a distributed cache?
- Importing bacpac file that requires database authentication fails
- Why doesn't DropDownListFor select correct options in a for loop?
- How can I set up a context menu for a program on Windows (such as Sublime Merge)?
- Is there a way to test use the google geocode api for free during initial development?
- How do I make myself an operator in dialpad?
- How do I find a file that may have exited in a Git repo sometime in the past?
- How do I include a javascript library in my dojo module
- How do I test a site over VPN using CrossBrowserTesting?
- How can I use a CDN with fall back in Episerver?
- How do I create a rewrite rule in IIS?
- How can I use an SQL query to find where page types are used in episerver?
- How do you build an Octopus Nuget Package Manually
- How can I manually build an existing project using Jenkins?
- Fix matchHeights in Owl Carousel on browser resize
- How do I create an accordion or collapse in Redmine?
- How do I create linked text to an external URL in Redmine?
- How to delete references to deleted branches?
- What is module dependency order in EPiServer
- Why is my custom 404 handler always timing out?
- Can anyone create custom queries in redmine?
- How do I create a SQL user with access to create RDS backups?
- What are the naming conventions for QA servers?
- Url in Property list not saving
- How to fix "At least one object must implement IComparable." from Marketo after copying Episerver database?
- How can I clear the 'History' tab of an episerver scheduled job?
- How do I clone a gitlab project over https, now that gitlab requires 2fa?
- I get an error in Jenkins about "${BUILD_DATETIMEVERSION_PATH}' is invalid", how do I fix it?
- How can I send a test email from Episerver?
- How to show help text in edit mode to editors in Epi
- Local episerver login just flashes
- How can I hide a page from episerver find without requiring a reindex
- How can I use symlinks with git on Windows?
- How do we add a redirect to a document in Wyam?
- How to get the correct link from `LinkItem.Href` in Episerver?
- Why is my custom Episerver login redirecting to the homepage?
- Should I use `UserName` or `Username` with `ApplicationUser` in Episerver?
- How can I port forward locally on windows?
- Why isn't Episerver logging errors?
- I can't update an element in Tiny MCE with a custom class via the styles_format dropdown
- Xs and Os, Nobody Knows (Code Challenge)
- Frequency Distribution (Code Challenge)
- Episerver Forms scroll to Validation Error
- Palindrome Descendant (Code Challenge)
- Single Letter Swaps (Code Challenge)
- Episerver is not returning the correct language
- Phone Decoder (Code Challenge)
- Mini Sudoku (Code Challenge)
- Convenience Store (Code Challenge)
- Odd Up, Even Down (Code Challenge)
- C-ns-r-d Str-ngs (Code Challenge)
- Empty Square Sequence (Code Challenge)
- Extract City Facts
- Is Johnny Making Progress? (Code Challenge)
- Building Forums in Episerver
- Create a Blog in Episerver
- Non solr search solution on Episerver
- Azure Active Directory Login on Episerver
- Block Usage Report
- Off canvas Menu sliding in and out of window
- Multi-Level Navigation
- Single-Click CTA block linked to content
- Styled numbered lists
- How to build a responsive forum
- Responsive carousel with image and text content
- Multi-select checkboxes in a dropdown
- Responsive Table
- Accessible Calendar
- How to shift page focus
- What are the common JavaScript Frameworks we use?
- What are some of the common plugins we use?
- How do we use the YouTube API
- How do I add highlighting to Solr Suggester results?
- How do I create a gulpfile?
- What are some hidden red flags to look for when doing code review?
- How do I treat compiled files in an episerver project?
- How to set up a hook for Jenkins build
- Unmix My Strings (Code Challenge)
- Reverse Coding Challenge #4 (Code Challenge)
- When working with a CMS, which template should classes for container vs item be in?
- Array of Multiples (Code Challenge)
- What are some topics to discuss during pair programming down time?
- How do I configure sentry for a new project?
- Broken Keyboard (Code Challenge)
- How do I convert an Episerver project to using Identity
- How do I set up a new site using Episerver Foundation?
- How can I safely undo a commit?
- Filter Primes (Code Challenge)
- How do you offset an anchor link so it is positioned below a fixed header?
- Reversing a binary string (Code Challenge)
- Filter Strings from an Array (Code Challenge)
- How can I shrink my database files?
- Word Nest (Code Challenge)
- How do I work with Templates, and partials in Episerver?
- How do I set up gulp for a new project
- Bob Estimation Tool (Code Challenge)
- How can I automate the Episerver upgrade process?
- What is Variance and how do I ~deal~ work with it?
- Whats the best way to handle Google Server ownership in Episerver?
- How do I test sending emails on localhost using SMTP?
- How do I render TinyMce input without the surrounding paragraph tag?
- IContentRepository vs IContentLoader
- After upgrading my Umbraco site, the back-office doesnt load?
- How do I build a multicolumn block in episerver?
- How do I show the 404 page in the correct language in Episerver?
- The type 'ValueType' is defined in an assembly that is not referenced
- How do I use Display Tags in Episerver?
- Given a string of text, how can I find duplicate words separated by a comma?
- How can I manually generate the route segment for a page?
- Episerver Importers
- How do I move production robots.txt file into place on release build?
- How can I prevent blocks from bringing down an entire page in Episerver?
- How do I set up Netlify to deploy automatically through Azure DevOps?
- How do I allow an AppService to access a port on a VM in Azure?
- How do I use submodules with Azure DevOps when the submodules are in Gitlab?
- How do I set up an Umbraco site to deploy through Azure DevOps?
- How do I deploy a site to AWS through DevOps?
- How do I allow editors to Dynamically update caching for assets that are updated frequently
- What plugins do we commonly use on Episerver sites?
- What plugins do we commonly use for Front end?
- What plugins do we commonly use on Umbraco sites?
- How can I ensure clients don't get stale static assets when the site is behind a CDN?
- How do I make an RSS feed in Episerver?
- How do I get a production database for an Episerver DXP Client?
- How do I make a custom resource (e.g .aspx) available on a friendly URL in Episerver
- Typeahead/Suggestive search
- How can I make classes exclusive in TinyMCE?
- What's the best practice for adding a new site to your Episerver project?
- What steps do I after installing SQL Server?
- What do I need to do to render pages in Epi for the first time?
- How do I add a merge request template to my repo?
- How do I create a user on an Azure SQL database?
- How do you create an accessible card where the whole card is clickable?
- How do I make a block editable with on page editing?
- How do I use my site's local nuget source?
- How can I speed up Nuget package restore on Azure DevOps?
- How to create an episerver admin plugin?
- Azure/DXP ImageProcessor Config Transform
- I can't run npm packages globally on my windows machine
- How can I use one TinyMce config for all multisites?
- Why are some pages throwing a 500 error that I can't catch?
- How can I mirror repositories to other repositories
- How do you style all siblings on hover with just CSS?
- How do I convert a site to static files?
- Why isn't my RSS feed working?
- Clearing ImageProcessor Cache in Azure
- How do I highlight search results in Solr?
- How can I render a non SVG inline?
- How do I use the Auto Suggest Selection Attribute?
- How do I force Razor View Files to compile before it's too late?
- How do I test my config transforms?
- How do I get blobs for an Episerver/Optimizely DXP site?
- How can I preview DXP microsites during a deployment?
- How do I add Cache busting with .NET Projects?
- Editorial template control in Episerver? Also, what's `IDynamicTemplateContent`?
- How do I use Sovereign to reverse proxy a site in .NET MVC?
- How do you do Episerver upgrades?
- How do I determine which personalized blocks will be shown in a content area
- How do I add Sentry Javascript error monitoring
- How do I add robots.txt to Umbraco?
- What are Blend's Static IP addresses for VPNs and Firewall Whitelists?
- How can I see what claims are coming through with Identity authentication?
- How do I use LetsEncrypt with a custom domain on Azure App Service?
- How do I send a message with Blend Bot on Slack?
- How do I set up an ADFS integration?
- Where do I put project wide constants?
- How do I create simple middleware in .NET 5?
- How do I get a list of Blocks by type?
- How do I configure TinyMCE for Optimizely?
- How do I add an admin user with Opti 12?
- How do I work with the default Optimizely Content Renderer?
- How can I make a tag helper for images in .Net 5?
- How do I prevent log files from growing exponentially?
- What are known compatibility issues with running Optimizely on Linux?
- How can I debug Optimizely DXP sites?
- What does a client need to do in order to setup friendly names for DXP?
- How do I test if an Optimizely site can handle Read Only Deployments?
- How do you map custom virtual roles in Optimizely CMS 12?
- How do I add different inputs to the Optimizely CMS Editor?
- How can I find out what branches are on QA and not production?
- How do I apply Fetch HTML and apply it directly to the DOM?
- How do I add a maintenance page for CMS 12 DXP sites?
- What is a good starting point for handling responsive images?
- CMS 11 Reports with MVC
- How do I hide Categories on blocks in Optimizely CMS 12?
- How can I render a Razor View to a string (in full framework ASP.NET)?
- How do I backup / restore an RDS database instance on AWS?
- Optimizely CMS 12 Scheduled job is stuck
- How do I add a recaptcha form element, or other custom form element?
- How do I make tables better for editor in TinyMCE?
- How can I cache things in a robust way that doesn't cause page loda delays?
- Win32Exception: The certificate chain was issued by an authority that is not trusted
- How do I import a database to Azure SQL?
- How do I set up Gulp with caching?
- How do I make the description of a property always visible in Optimizely CMS 11?
- What are some Nuget package best practices? And how can I sign my Nuget package?
- Setting the Secure Cookie Attribute and HttpOnly flag on cookies
- How do I rewrite URLs in Dotnet 5+
- Why is my Nuget Feed not loading?
- What Optimizely CMS 12 upgrade advice do we have?
- How do I convert an AWS Secret Key to SES credentials?
- How do I set a Cache-Control on static assets? (dotnet 5+)
- How do I restrict a tab to a user group in Optimizely?
- How to increase File Upload Size limits for CMS 12
- How to fix "Unable to launch IIS Express Web Server" "Failed to register URL"
- How to send emails through SMTP with email account with Multi factor authentication (MFA)?
- What permissions do I need to setup for a standard Google maps implementation?
- How do I do multiline editing?
- How do we allow clients to transfer arbitrarily large files to us?
- How I can skip Optimizely authentication locally?
- Optimizely - Some editors can't login after CMS 12 upgrade
- How do I test if a cert is going to work on a Cloudfront (or other CDN) deployment?
- How do I declare a PropertyList property as being non-required?
- What is the best way to check if response headers have already been sent or the body has already been written to in .NET?
- How do I make a dropdown's values dependent on the selection of another dropdown in Optimizely CMS?
- How can I restrict access to a single or select few properties in Optimizely CMS 12?
- Solved Problems
How do I remove information-leaking headers in IIS?
- Page Owner: Not Set
- Last Reviewed: 2018-08-29
How do I remove sentitive headers, such as X-Powered-By and Server, in IIS? In other words, how do I make my web.config more secure? How do I prevent click-jacking?
Answer
The Server: header is put in automatically by IIS, but can be overwritten with an outgoing rewrite rule. In Web.config:
<rewrite>
<outboundRules>
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
The ASP.NET version header can also be removed in the Web.config. Add enableVersionHeader="false" to the httpRuntime element.
The MVC version header is most easily removed in in code. Add the following to your Application_Start in your Global.cs:
MvcHandler.DisableMvcResponseHeader = true;
The X-Powered-By header is an IIS default. It can be removed through the UI, or from the applicationHost.config IIS config file.
For example, you'd remove the <add ... /> line below:
<httpProtocol>
<customHeaders>
<clear />
<add name="X-Powered-By" value="ASP.NET" />
</customHeaders>
</httpProtocol>
It's also a good idea to add an X-Frame-Options: sameorigin header. This will prevent other sites from embedding your site as an iframe. This can be done in the Web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
Comments
- As a note for the last suggestion, the X-Frame-Options snippet has "DENY" in the value -- when you want to make sure to use "SAMEORIGIN". DENY will cause the episerver admin panel to not load.
- @TylerHecht I updated the snippet to be SAMEORIGIN instead.