Viewing all Server Variables for a Site

I often do development, testing or troubleshooting where I want to see all server variables available to a site.  For example, when using a reverse proxy for load balancing, SERVER_ADDR, HTTP_HOST and other variables can change.

Whenever I run into that situation, I write out a simple script that displays all server variables.  I thought I would share it here.

Create a file on your server called serversvariables.aspx, test.aspx or whatever you want to call it.  Place the following in it:

<%
For Each var as String in Request.ServerVariables
  Response.Write(var & " " & Request(var) & "<br>")
Next
%>

Or if you prefer C#, use the following:

<% @ Page Language="C#" %>
<%
foreach (string var in Request.ServerVariables)
{
  Response.Write(var + " " + Request[var] + "<br>");
}
%>

Then simply call the page from a web browser and it will list all server variables. 

The top two variables are worth noting.  They are ALL_HTTP and ALL_RAW which contain all server variables and are repeated with the specific server variables.  Since they contain everything, they can clutter up the page.  You can wrap the Response.Write line in an ‘if’ condition to exclude ALL_HTTP and ALL_RAW if you want, but I find for a quick testing page, I don’t bother, and it gives me every server variable.

The output will look something like this:

{ALL_HTTP and ALL_RAW have been removed from this example.}
APPL_MD_PATH: /LM/W3SVC/2/ROOT
APPL_PHYSICAL_PATH: C:\domains\example.com\
AUTH_TYPE: Forms
AUTH_USER: Scott
AUTH_PASSWORD: 
LOGON_USER: Scott
REMOTE_USER: Scott
CERT_COOKIE: 
CERT_FLAGS: 
CERT_ISSUER: 
CERT_KEYSIZE: 
CERT_SECRETKEYSIZE: 
CERT_SERIALNUMBER: 
CERT_SERVER_ISSUER: 
CERT_SERVER_SUBJECT: 
CERT_SUBJECT: 
CONTENT_LENGTH: 0
CONTENT_TYPE: 
GATEWAY_INTERFACE: CGI/1.1
HTTPS: off
HTTPS_KEYSIZE: 
HTTPS_SECRETKEYSIZE: 
HTTPS_SERVER_ISSUER: 
HTTPS_SERVER_SUBJECT: 
INSTANCE_ID: 2
INSTANCE_META_PATH: /LM/W3SVC/2
LOCAL_ADDR: 206.72.119.72
PATH_INFO: /ServerVariables.aspx
PATH_TRANSLATED: C:\domains\example.com\ServerVariables.aspx
QUERY_STRING: 
REMOTE_ADDR: 192.168.168.29
REMOTE_HOST: 192.168.168.29
REMOTE_PORT: 60137
REQUEST_METHOD: GET
SCRIPT_NAME: /ServerVariables.aspx
SERVER_NAME: www.example.com
SERVER_PORT: 80
SERVER_PORT_SECURE: 0
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: Microsoft-IIS/7.5
URL: /ServerVariables.aspx
HTTP_CACHE_CONTROL: max-age=0
HTTP_CONNECTION: Keep-Alive
HTTP_ACCEPT: application/xml,application/xhtml+xml,text/html;q=0.9...HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP_ACCEPT_ENCODING: gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
HTTP_COOKIE: {removed}
HTTP_HOST: www.example.com
HTTP_MAX_FORWARDS: 10
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) ...HTTP_X_ORIGINAL_HOST: www.example.com
HTTP_X_ORIGINAL_SERVER_PORT: 80
HTTP_X_ORIGINAL_URL: /ServerVariables.aspx
HTTP_X_FORWARDED_FOR: 192.168.168.29:60137
HTTP_X_ARR_LOG_ID: 3dc509e5-5da8-4b6b-91ee-f084c308e2ce
HTTP_X_SITE_INSTANCE: 01

Hope you find this useful. Happy coding / troubleshooting!

17 Comments

  • Thanks Elijah. Great link with further details for troubleshooting in ASP.NET.

  • Hi,

    I have already used this in Classic ASP.

    This is good for troubleshooting, but considering the Security Risk on Websites, keeping such file on Production environment would raise high level of risk.

    Would advice everyone to use this script wisely.

    Thanks,
    Kamlesh

  • Hey Kamlesh. Yes, this is not meant for end users to see. Usually there isn't "very" incriminating information in the server variables, but things like the site path give a potential attacker more information. This should be placed in a password protected folder to ensure limited access.

  • This is very useful, but I want to get INSTANCE_META_PATH for a precompiled site and that won't allow simply placing a aspx file on the server. I don't want to have to re-deploy everything. Is there any way to get IIS to give this directly?

  • GreenSands, sure. This is a bit dated but IIS7 shows the instance ID similar to IIS6: http://weblogs.asp.net/owscott/archive/2005/07/29/how-to-find-the-siteid-in-iis5-and-iis6.aspx.

    INSTANCE_META_PATH will be /LM/W3SVC/{site id}

    Also, you can add a page to a precompiled site if you want to temporarily view the server variables. It won't fight with the precompiled site.

  • This is very useful, but I want to get INSTANCE_META_PATH for a precompiled site and that won't allow simply placing a aspx file on the server. I don't want to have to re-deploy everything. Is there any way to get IIS to give this directly?

  • Edevre, I don't know of a way to do this. IIS is the engine that static or dynamic code runs off. It doesn't have a direct feedback mechanism. You would need to use a http handler or code of some sort to get that back.

  • How do you view Server Variables in a JavaScript loop? I'm having trouble interlacing my ASP with JavaScript.

  • Hi Wynn. The server variables don't change so you can statically assign them to the HTML itself. If you want them as a variable in the JavaScript logic then you can write them in a hidden field in the html and then call them from JavaScript. They won't change on each iteration of the loop since they are static so whatever it is the first time, it will remain.

  • I see the REMOTE_USER field in my case as empty on IIS7.5. This value has been set by my application through an authorization header.
    Any idea why this field is blank?

  • @A The REMOTE_USER is only there if you have an authenticated user. If you're using anonymous access then that value is blank and is whatever the anonymous user is for your site.

  • @Billy, the way to do that is by setting the mime types. Search the internet for mime types of Office in IIS. This appears to be a good list: http://www.bram.us/2007/05/25/office-2007-mime-types-for-iis/

  • If you dont want your server variable value to be replaced by query string or form post variables of the same name you need to use Response.Write(var + " " + Request.ServerVariables[var] + "
    ");

  • Thanks Brett for pointing that out. If you do have form or query string variables with the same name as the server variables then you can be more specific to ensure that you're calling just the server variables.

  • i have used the same in Classic ASP

  • Good stuff, I'm a bit late to the party, but I cannot get the custom server variables to be returned. My Http_X_fubar variable is not returned by this file. Thanks for anything on 2008 R2 that would stop this from happening. The same rule works on win7 machine.

  • Hi AndyB,

    That script should get everything that is available at the page level in ASP.NET (or classic ASP). However, it won't get some rare variables which are available in ARR or at another level of the pipeline but that aren't also at the page level.

    Also, if you add HTT_X_fubar to the outgoing request then it won't show up yet on the incoming request. My guess is that it's something like that that is preventing it from being seen. It's probably an order of operations in terms of when it's available.

Comments have been disabled for this content.