Note: Running EPiServer CMS 7.13.0.0 with all the latest patches/updates installed.

If you're using MVC the right way to do it is

public ActionResult YourAction()
{
    // ...
    return Redirect("http://www.example.com");
}

Otherwise I guess you/a module already written som output to the page. Try to do an Response.End() instead of the redirect and see what shows up, maybe that could lead you in the right direction.

Yes I'm using MVC. 

I agree, return Redirect(...) is correct and that works fine. This action method was just to illustrate my problem - the error occurs for any Response.Redirect call. If I for instance try to access a certain page/file without proper access rights, this would internally cause an AccessDeniedHandler/delegate to do a Response.Redirect call, which again gives me this error. 

Something is causing http headers to be sent earlier in the pipeline, but it only happens with IIS/IIS Express, not in Cassini...

UPDATE:

It seems like the error only shows up when accessing static files. I can easily reproduce this problem in the AllowMVC project:

1. Login to the Allow site
2. Upload a file (.zip, .exe, ..anything with non-web-related extension)
3. Set read access rights on the file to only the Administrator group
4. Log out
5. Try to access the file with a direct url, in my case for instance: http://webdev:17000/globalassets/rewrite_2.0_rtw_x64.msi

You are correctly redirected to the Login-page, but your EPiServerErrors.log now contains the "HTTP headers already sent" error...

This appears to be a bug that was introduced in the 7.13 upgrade. We'll try and reproduce the issue on our end.

I couldn't reproduce this issue on 7.14.1 (and right now we're on 7.14.2). Perhaps updated to latest version will fix the issue. If not, additional feedback is welcome.

Ok! I will try to reproduce again with the latest version as soon as possible.

Sorry to say but the issue still remains after updating EPiServer. I'm now running the Allow sample site with the following versions:

EPiServer.CMS.Core  7.17.0, 

EPiServer.CMS.UI 7.16.0

EPiServer.CMS.UI.Core 7.16.0

EPiServer.Framework 7.17.0

I have uploaded a file, e.g. "EPiServerSearch.msi" to the Allow Meet folder. Set the Access Rights on the file to Administrators only. Logged out and then tried to access the file directly, in my case http://localhost:17000/globalassets/alloy-meet/episerversearch.msi. This correctly redirects me to the login prompt, but the EPiServerErrors.log now contains the following:

2014-11-19 13:50:09,389 [38] ERROR EPiServer.Global: 1.2.5 Unhandled exception in ASP.NET
System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.   at System.Web.HttpResponse.set_RedirectLocation(String value)   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.   at System.Web.HttpResponse.set_RedirectLocation(String value)   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Debugged this today. The URL rewriting module is listening to redirects and tries to rewrite URLs (even when not needed it sets RedirectLocation to the same value as before which is part of the problem). What happens is that if you call Redirect(url, true) or just Redirec(url) then it flushes the buffers causing the error, calling Redirect(url, false) works better since the buffers are not flushed until the request completes.

The code have been there pretty much unchanged since EPiServer 5.x though I think what have changed is that the media system started triggered that kind of redirect in later version making the problem more visible.

But, should not affect anything since the headers are already sent to the client, just looks bad in the log, but we will fix it of course.

Bug #119272 Server cannot append header after HTTP headers have been sent

Aha, I understand. Thanks for explanation and the bug report! 

Yes, functionality is not affected so this is not a deal breaker. But you know, ugly error messages in the logs are not good for a developer's night sleep, and filtering out/muting those messages feels like cheating ;D