IIS Removing nosniff header for images

Question

I have an API that return me images, like:

/api/products/images/233 -> This will return me an 233.jpg image

But my IIS has a rule to add the X-Content-Type-Options header to the requests for security, but that break the images on Internet Explorer, so I need a way to remove this rule when the endpoint /products/images/ is called or a way to add the header only if it's no that endpoint.

I tried to use this about Custom Headers

But it didn't work, I tried like this:

<system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Remove nosniff">
          <match serverVariable="RESPONSE_X_Content_Type_Options" pattern="/products/images/" />
          <action type="Rewrite" value="none"/>
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>

But it didn't change anything, the images still having the "nosniff" header.

Am I missing some configuration? Or there is another way to do that?

Answer 1

Your match condition is checking if the header RESPONSE_X_Content_Type_Options contains the value /products/images/ instead of nosniff. You can use a Location block to restrict this rule to /products/images/, then use pattern="nosniff" to find the value nosniff

<configuration>
    ...
    <system.webServer/>
    ...
    <location path="products/images/">
        <system.webServer>
            <rewrite>
                <outboundRules>
                    <rule name="Remove nosniff">
                        <match serverVariable="RESPONSE_X_Content_Type_Options" pattern="nosniff" />
                        <action type="Rewrite" value="none"/>
                    </rule>
                </outboundRules>
            </rewrite>
        </system.webServer>
    </location>
</configuration>

See docs for element: https://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx