CORS on IIS6

IIS 6 CORS Limitations

IIS 6 has severe limitations that make it unsuitable for secure CORS implementations:

• Can only set static headers through GUI
• No dynamic origin validation
• No preflight OPTIONS request handling
• No per-path CORS configuration
• No support for credentials configuration
• No web.config support for custom headers

For secure CORS: These limitations make IIS 6 unsuitable for modern web applications requiring proper CORS security. Upgrade to IIS 7.5 or later.

IIS 6 Configuration (Legacy Systems Only)

If you are absolutely required to use IIS 6 for a legacy system, follow these minimal steps:

1. Open Internet Information Service (IIS) Manager
2. Right click the site you want to enable CORS for and go to Properties
3. Change to the HTTP Headers tab
4. In the Custom HTTP headers section, click Add
5. Enter Access-Control-Allow-Origin as the header name
6. Enter * as the header value
7. Click Ok twice

Additional Required Headers

Repeat the "Add" process to configure these headers:

• Header Name: Access-Control-Allow-Methods, Value: GET, POST, OPTIONS
• Header Name: Access-Control-Allow-Headers, Value: Content-Type, Authorization

Application-Level Workaround

For those stuck on IIS 6, implement CORS at the application level for better security:

ASP Classic

<%
' ASP Classic - Application-level CORS (IIS 6)
' Add this to the top of your ASP pages

Dim allowedOrigins, requestOrigin, i
allowedOrigins = Array("https://example.com", "https://app.example.com")
requestOrigin = Request.ServerVariables("HTTP_ORIGIN")

' Validate origin
For i = 0 To UBound(allowedOrigins)
    If requestOrigin = allowedOrigins(i) Then
        Response.AddHeader "Access-Control-Allow-Origin", requestOrigin
        Response.AddHeader "Vary", "Origin"
        Exit For
    End If
Next

' Handle preflight OPTIONS request
If Request.ServerVariables("REQUEST_METHOD") = "OPTIONS" Then
    Response.AddHeader "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"
    Response.AddHeader "Access-Control-Allow-Headers", "Content-Type, Authorization"
    Response.AddHeader "Access-Control-Max-Age", "86400"
    Response.Status = "204 No Content"
    Response.End
End If

' Your application code continues...
%>

Why IIS 6 Cannot Do Modern CORS

Technical Limitations

1. No Dynamic Headers: IIS 6 can only set static headers through GUI. Cannot validate request origin and respond with matching header.
2. No HTTP Verb Filtering: Cannot configure different headers for OPTIONS vs GET/POST requests.
3. Limited Configuration: No web.config support for custom headers, no modules/extensions for CORS.
4. No Wildcard Alternatives: Cannot implement secure multi-origin CORS through configuration alone.

Security Implications

• Forces use of wildcard * origin (insecure)
• Cannot support credentials properly
• Cannot scope CORS to specific paths
• Vulnerable to cache poisoning (no Vary header support in GUI)
• No protection against unauthorized cross-origin requests

Migration Path

Upgrade to IIS 7.5+ (Strongly Recommended)

Modern IIS versions provide:

• ✅ web.config-based CORS configuration
• ✅ IIS CORS Module for advanced scenarios
• ✅ Proper preflight handling
• ✅ Dynamic origin validation
• ✅ Credentials support
• ✅ Security updates and support

See IIS 7+ CORS documentation for modern IIS configuration.

Migration Checklist

1. Audit current IIS 6 usage
   • Document all sites and applications
   • Identify CORS requirements per application
2. Plan upgrade
   • Choose target platform (IIS 10 on Windows Server 2019+ recommended)
   • Test applications on new platform
   • Document breaking changes
3. Implement secure CORS
   • Use web.config or IIS CORS Module
   • Validate origins properly
   • Handle preflight requests
   • Test thoroughly
4. Decommission IIS 6
   • Migrate traffic to new servers
   • Archive old server
   • Update DNS/load balancers

Why You Must Upgrade

End-of-Life Status

• IIS 6 was released in 2003 (over 20 years old)
• Windows Server 2003 reached EOL in July 2015
• No security patches since 2015
• Known unpatched vulnerabilities exist

Compliance and Risk

• Fails PCI DSS compliance requirements
• Violates most security policies
• Exposes organization to legal liability
• Cannot meet modern security standards

Additional Resources

• Migrate to modern IIS
• IIS 6 End of Life Announcement
• Windows Server Information
• ASP.NET CORS Documentation