Commonly Flagged PCI DSS HTTP Response Headers

Below are some common PCI DSS flagged HTTP response headers and how to easily fix them using IIS and the URL Rewrite module.

NOTE: The options above have different allowable values. The values provided are the most common or defaults. Choose the values that best meet your requirements.

While doing routine WordPress updates I came across this error:

cURL error 18: transfer closed with X bytes remaining to read

After some investigation I found that my hosting server was unable to download files. Much of the advice I found suggests issues with cURL, PHP, or WordPress. If possible I advise checking the host server first. Verify that it can download the update file.

While updating a WordPress site hosted on a Windows platform (Internet Information Server); I came across this error:

The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php

I confirmed the Application pool identity for the site had the appropriate permissions. After some reading related to the same error on an Apache web server I found the issue possibly due to the Read Only flag on some files or folders within the WordPress install folder.

I used the Windows property manager to ensure the Read Only flag for all files is UNCHECKED:

Cascade the setting to subfolders and files:

One of the ColdFusion 2016 servers that I’m responsible for managing suddenly stopped working after a simple reboot.

The hosting environment is Windows based and I found that the ColdFusion Application Server service would not start.

There were several Windows Event Log exceptions:

The ColdFusion 2016 Application Server service terminated with the following service-specific error: 
The system cannot find the file specified.
The ColdFusion 2016 Application Server service could not be started.
Check the server "cfusion" log files for more information.
Faulting application name: coldfusion.exe, version: 2016.0.0.0, time stamp: 0x56c57b78
Faulting module name: coldfusion.exe, version: 2016.0.0.0, time stamp: 0x56c57b78
Exception code: 0xc0000005
Fault offset: 0x0000000000003770
Faulting process id: 0x15b8
Faulting application start time: 0x01d39b7e57454b68
Faulting application path: L:\ColdFusion2016\cfusion\bin\coldfusion.exe
Faulting module path: L:\ColdFusion2016\cfusion\bin\coldfusion.exe
Report Id: bc57f2d2-201b-4249-976c-9d21dd338af8
Faulting package full name: 
Faulting package-relative application ID:

Since the ColdFusion files were still in the same location and the permissions had not changed I was a bit puzzled.

The CFUSION logs did not have any useful information.The service startup was failing before getting to a point that the error could be logged by ColdFusion.

This was my first clue that the issue was related to the JVM.

I found the path that ColdFusion is configured to use in

{CFUSION Install}\cfusion\bin\jvm.config

The configured JRE had been removed at some point.

It was likely removed by someone running the Java upgrade tool.

Resolved the problem by changing the configured JVM path to an installed/updated JVM

While setting up my first ColdFusion 2016 server I came across an interesting problem with RDS.

My problem was that I could not get RDS to connect via ColdFusion Builder 3.

The error when I would attempt a test connection:

Unable to contact RDS Server "[Remote Server]". This can be caused by incorrect configuration on either the client or the server.

Please verify your connection details below or check your servers documentation on how to enable RDS for your server.

The HTTP request to talk to your server returned with the following message:
Error executing RDS command. Status Code: 404, Reason : Not Found

First I made sure RDS was enabled via the ColdFusion Administrator.Having had some previous experience with RDS troubleshooting I knew that ColdFusion Builder made HTTP calls to /cfide/ folder on the server.  I reviewed the web connector configuration file (%CFUSION%\config\wsconfig\1\ for my default site and found this entry:


Removing the “!” and running an IISReset command instantly enabled the RDS connection.

In order to continue to secure the ColdFusion Administrator folders I added these entries to the file:

!/CFIDE/administrator/* = cfusion
!/CFIDE/adminapi/* = cfusion

Some things to remember when troubleshooting RDS:

Ran into another issue (caused by me) with the IIS URL Rewrite module and ColdFusion.

A couple of our client applications utilize a REST API written in ColdFusion. It does not use the newly released built-in API in Coldfusion 2016. The REST url’s are made possible by using the IIS URL Rewrite module. The module takes the rest API and then passes it to the ColdFusion API handler

<action type="Rewrite" url="/api/v1/api.cfm?resource={REQUEST_URI}" />

The custom API handler then parses the URL, FORM variables, and several other HTTP elements to process the request.

I noticed that when calling the API all but the FIRST URL variable was doubled.



In this case the variable anotherurlvariable would come across to ColdFusion with a value of “test,test”.

The solution was pretty simple. I failed to use the URL Rewrite modules URLEncode function to correctly encode the URL (in my case resource) being passed to ColdFusion.

Updated URL Rewrite key (in web.config):

<action type="Rewrite" url="/api/v1/api.cfm?resource={UrlEncode:{REQUEST_URI}}" />

Attempting to get PHP 5.6 running on Windows Server 2012 (IIS 8) I started receiving generic 500 errors.

I enabled Failed Request tracing and reviewed the trace.

The trace revealed this error:

ModuleName FastCgiModule
ErrorCode The extended attributes are inconsistent. (0xff)

The problem was a missing Visual C++ runtime.

Ensure the appropriate VC++ runtime is installed for the version of PHP running.

In this case I needed the VC++ 11 runtime.

While creating a new ColdFusion server I attempted to change the Windows Service account to a domain service account. I’ve done this on almost every ColdFusion server I’ve ever setup because they typically need access to network resources and it makes it easy to manage the application rights.

This time however I was unable to do so. I received a generic error from the service manager:

The Coldfusion Service on local computer started and then stopped.  
Some services stop automatically if they are not in use by other services or programs

The ColdFusion server logs were not very helpful. They showed the server starting and stopping (just as the service manager error stated). I found this in the Windows Application Event Log:

Win32 API routinue "CreateEvent" failed: Access is denied.

Researching this error did not turn up any ColdFusion specific results, however I kept seeing references to the issue being present in other “Java Server” based software.

All the fixes listed for the the Java server software suggested installing the software “As Administrator”

I usually do this when installing any software, but failed to do so this time.

After uninstalling, then reinstalling with elevated permissions (As Administrator) I was able to get the service account change the ColdFusion service running steady.

Still not sure WHY this prevents the service account from being changed.

Ran across an interesting problem. While setting up a new Windows 2008 R2 erver and website on IIS; I noticed that the site was generating 500 errors when serving static files (images, css, html, etc.)

I turned on Failed Request Tracing and noticed that I was getting this logged

This configuration section cannot be used at this path. 
This happens when the section is locked at a parent level. 
Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

Based simply on previous experience I went to the IIS Feature Delegation and reviewed the delegation for the various IIS modules.

I found that by setting Handler Mappings to Read/Write the error was resolved.

I’m still not sure why this causes a problem since I’m not defining any custom handlers at the site level.

Perhaps this setting must be read/write even when custom handlers are set at the server level?

While trying to automate the creation of new IIS websites using PowerShell I needed a script to create IIS virtual directories with a specific login (i.e. Connect As)

After several hours of searching and trying various solutions I finally arrived at this:

$sitename = "My Website Name"
$virtualdirectory = "virtual1"
$virtualdirectorypath = "C:\My Virtual Path"
$username = "username1"
$password = "password1"

New-WebVirtualDirectory -Site $sitename -Name $virtualdirectory -PhysicalPath $virtualdirectorypath 

Set-WebConfigurationProperty "system.applicationHost/sites/site[@name='$sitename']/application[@path='/']/virtualDirectory[@path='$virtualdirectory']" -name userName -value $username

Set-WebConfigurationProperty "system.applicationHost/sites/site[@name='$sitename']/application[@path='/']/virtualDirectory[@path='$virtualdirectory']" -name password -value $password

I tried several path alternatives, however the XPath queries listed in the snippet are the only iteration that worked.

Hope this saves someone else a little time.

about me

An information technology professional with twenty four years experience in systems administration, computer programming, requirements gathering, customer service, and technical support.