ASP.NET/IIS, When do <customHeaders> in the web.config get added to the page?

Question

At what point in the page lifecycle do customHeaders in the web.config get added to the page? One MSN reference showed headers being added to the response before the request got to the page handler. Why are none of the headers cleared since I can see headers being cleared in 2 places?

I can see in one of our page templates code behind in the OnInit override: Response.ClearHeaders(); Response.AppendHeader("Cache-Control", "no-store"); Response.ClearHeaders(); Response.AppendHeader("Cache-Control", "no-store");

The headers in the web.config

<customHeaders>
    <clear />
    <add name="X-XSS-Protection"...etc

The rendered page response headers have both "Cache-Control" and "X-XSS-Protection" as well as others. Since .NET code and web.config both clear the headers, I would expect one to clear the other, but that is not happening.

This is in IIS 7.5 in Classic mode if that makes a difference.

Answer 1

Custom headers are added as part of post-processing, when ASP.NET is done generating the response. So your ASP.NET code will not be able to remove the custom headers defined in web.config.

The clear element clears the configuration of the custom headers element-- it does not clear the headers from the response itself. It is a way of resetting the configuration if you have inherited configuration values (eg if there is a customHeaders element in machine.config and you wish to override it at the site level).