Response headers from http.sys

  • Question

  • User-805895682 posted

    Some requests are not handled by IIS, but instead by http.sys. For example the path shown below:

    ❯ curl -sv http://localhost/..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini 
    > GET /..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini HTTP/1.1
    > ....
    < HTTP/1.1 403 Forbidden
    < Server: Microsoft-HTTPAPI/2.0

    Because IIS is not serving the request, the headers I configured in IIS (for example X-Content-Type-Options) are not added to the response. Is there any way to get around this? I need to have the response headers added to every response, no matter the response code and/or the path.

    Friday, April 9, 2021 2:59 PM

All replies

  • User1065476709 posted

    Hi dc31xx,

    Because IIS is not serving the request, the headers I configured in IIS (for example X-Content-Type-Options) are not added to the response. Is there any way to get around this? I need to have the response headers added to every response, no matter the response code and/or the path.

    How did you try to add IIS headers to the response? As far as I know, you can add them with IIS URL Rewrite.

    https://www.iis.net/downloads/microsoft/url-rewrite

    Best regards,

    Sam

    Monday, April 12, 2021 2:02 AM
  • User-805895682 posted

    How did you try to add IIS headers to the response? As far as I know, you can add them with IIS URL Rewrite.

    Unfortunately that does not work for the path I mention in the example. The response will be handled by http.sys before the rewrite rule kicks in.

    Monday, April 12, 2021 6:29 AM
  • User1065476709 posted

    Hi dc31xx,

    Unfortunately that does not work for the path I mention in the example. The response will be handled by http.sys before the rewrite rule kicks in.

    According to my search and test, this is impossible to do.

    Best regards,

    Sam

    Tuesday, April 13, 2021 2:47 AM
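
A check for the behaviour discussed in this thread, as an added example that is not part of any post: it parses `curl -sv` output, flags responses whose `Server` header is `Microsoft-HTTPAPI/2.0` (answered by http.sys rather than IIS), and lists which required headers each response lacks. The required-header list, the function names and the second sample response are assumptions constructed for illustration.

```python
import re

REQUIRED = ("x-content-type-options",)   # assumption: headers the site must always send
HTTPSYS_SERVER = "microsoft-httpapi/"    # Server value seen in the 403 from the first post
REQUEST_LINE = re.compile(r"^> ([A-Z]+) (\S+) HTTP/\d")

# Constructed transcript: the first exchange is the one from the post,
# the second is a made-up response that IIS itself served.
SAMPLE = """\
> GET /..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini HTTP/1.1
> ....
< HTTP/1.1 403 Forbidden
< Server: Microsoft-HTTPAPI/2.0
> GET / HTTP/1.1
< HTTP/1.1 200 OK
< Server: Microsoft-IIS/10.0
< X-Content-Type-Options: nosniff
"""

def parse_transcript(text):
    """Turn `curl -sv` output into one record per request/response pair."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_LINE.match(line)
        if match:                                  # "> GET /path HTTP/1.1"
            records.append({"path": match.group(2), "status": None, "headers": {}})
        elif line.startswith("< ") and records:    # response line for the last request
            body, rec = line[2:], records[-1]
            if body.startswith("HTTP/"):
                rec["status"] = int(body.split()[1])
            elif ":" in body:
                name, value = body.split(":", 1)
                rec["headers"][name.strip().lower()] = value.strip()
    return records

def audit(text, required=REQUIRED):
    """Report who answered each request and which required headers are absent."""
    findings = []
    for rec in parse_transcript(text):
        server = rec["headers"].get("server", "").lower()
        findings.append({
            "path": rec["path"],
            "status": rec["status"],
            "answered_by_httpsys": server.startswith(HTTPSYS_SERVER),
            "missing": [h for h in required if h not in rec["headers"]],
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Responses flagged with `answered_by_httpsys` never reach the IIS pipeline, so headers configured in IIS will not appear on them.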