Some requests are not handled by IIS, but instead by http.sys. For example the path shown below:
❯ curl -sv http://localhost/..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini > GET /..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5Cwindows%5C%5Cwin.ini HTTP/1.1> ....< HTTP/1.1 403 Forbidden< Server: Microsoft-HTTPAPI/2.0
Because IIS is not serving the request, the headers I configured in IIS (for example X-Content-Type-Options) arenot added to the response. Is there any way to get around this? I need to have the the response headers added to every response, no matter the response code and/or the path.