
Hide some information from http header response in IIS 8.5


I want to hide some sensitive information from the response headers. I use the rewrite module in IIS 8.5. I hide the information from the Server response, but for the other headers the response contains each header twice: once with the information (we don't want that) and a second time without it. We want to keep only the second one. For some reason, although the URL rewriting seems to work fine, the original header (and value) is also included in the response. I have this configuration:

    <httpProtocol>
        <customHeaders>
            <clear />
            <add name="X-Frame-Options" value="some value" />
            <add name="X-UA-Compatible" value="some value" />
            <add name="Content-Security-Policy" value="some value" />
        </customHeaders>
    </httpProtocol>
    <rewrite>
        <outboundRules rewriteBeforeCache="true">
            <rule name="Hide Server header">
                <match serverVariable="RESPONSE_Server" pattern="(.*)" />
                <action type="Rewrite" value="" />
            </rule>
            <rule name="Hide X-UA-Compatible header">
                <match serverVariable="RESPONSE_X-UA-Compatible" pattern="(.*)" />
                <action type="Rewrite" value="" />
            </rule>
            <rule name="Hide X-Frame-Options header">
                <match serverVariable="RESPONSE_X-Frame-Options" pattern="(.*)" />
                <action type="Rewrite" value="" />
            </rule>
            <rule name="Hide Content-Security-Policy header">
                <match serverVariable="RESPONSE_Content-Security-Policy" pattern="(.*)" />
                <action type="Rewrite" value="" />
            </rule>
        </outboundRules>
    </rewrite>

and the result is:



Solution

  • I resolved the problem.

    I had to change the value of rewriteBeforeCache from true to false.
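
A way to confirm the outcome after a configuration change like the one above, added here as an example and not part of the original question or answer: the script parses a raw response head and reports, for each header the outbound rules target, whether it is absent, hidden (present once with an empty value), exposed, or duplicated. The two sample responses are constructed to mirror the symptom described in the question and the desired result; the names `parse_headers` and `audit` are hypothetical.

```python
from collections import defaultdict

# Headers that the outbound rules in the question try to blank out.
WATCHED = ("Server", "X-UA-Compatible", "X-Frame-Options", "Content-Security-Policy")

# Constructed samples (not captured from a real server).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: \r\n"
    "X-Frame-Options: some value\r\n"
    "X-UA-Compatible: some value\r\n"
    "Content-Security-Policy: some value\r\n"
    "X-Frame-Options: \r\n"
    "X-UA-Compatible: \r\n"
    "Content-Security-Policy: \r\n"
    "\r\n<html></html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: \r\n"
    "X-Frame-Options: \r\n"
    "X-UA-Compatible: \r\n"
    "Content-Security-Policy: \r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Return {lowercased name: [values in order]} for the header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:                            # ignore malformed lines
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw, watched=WATCHED):
    """Classify each watched header: absent, hidden, exposed or duplicated."""
    headers = parse_headers(raw)
    report = {}
    for name in watched:
        values = headers.get(name.lower(), [])
        if not values:
            report[name] = "absent"
        elif len(values) > 1:
            report[name] = "duplicated"
        else:
            report[name] = "exposed" if values[0] else "hidden"
    return report
```
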