Disable HTTP OPTIONS TRACE HEAD COPY and UNLOCK methods in IIS

Question

For security reasons I want to disable those methods through application level so I have this web config file   lt configuration gt       lt location path  quot index php quot  gt       lt system webServer gt                   lt directoryBrowse enabled  quot false quot    gt       lt  system webServer gt        lt system web gt           lt authorization gt               lt deny verbs  quot OPTIONS quot  users  quot   quot    gt               lt deny verbs  quot TRACE quot  users  quot   quot    gt               lt deny verbs  quot HEAD quot  users  quot   quot    gt               lt deny verbs  quot PROPFIND quot  users  quot   quot    gt               lt deny verbs  quot COPY quot  users  quot   quot    gt               lt deny verbs  quot LOCK quot  users  quot   quot    gt               lt deny verbs  quot UNLOCK quot  users  quot   quot    gt               lt deny verbs  quot PROPPATCH quot  users  quot   quot    gt               lt deny verbs  quot MKCOL quot  users  quot   quot    gt               lt deny verbs  quot MOVE quot  users  quot   quot    gt               lt deny verbs  quot DELETE quot  users  quot   quot    gt           lt  authorization gt       lt  system web gt      lt  location gt   lt  configuration gt   But this didn t work - any ideas

User · Answer

This worked for me but only after forcing the specific verbs to be handled by the default handler.

<system.web>
...
  <httpHandlers>
  ... 
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx

An easy way to test is just to deny GET and see if your site loads.

User · Answer

This one disables all bogus verbs and only allows GET and POST   lt system webServer gt     lt security gt       lt requestFiltering gt         lt verbs allowUnlisted  false  gt       lt clear  gt       lt add verb  GET  allowed  true   gt       lt add verb  POST  allowed  true   gt         lt  verbs gt       lt  requestFiltering gt     lt  security gt   lt  system webServer gt

User · Answer

Finaly I found another answer for this problem  and this is working for me  Just add below datas to the your webconfig file     lt configuration gt    lt system webServer gt     lt security gt      lt requestFiltering gt       lt verbs allowUnlisted  true  gt        lt add verb  OPTIONS  allowed  false    gt       lt  verbs gt      lt  requestFiltering gt     lt  security gt    lt  system webServer gt   lt  configuration gt    Form more information  you can visit this web site  http   www iis net learn manage configuring-security use-request-filtering  if you want to test your web site  is it working or not    You can use  HttpRequester  mozilla firefox plugin  for this plugin  https   addons mozilla org En-us firefox addon httprequester

User · Answer

For anyone looking for a UI option using IIS Manager    Open the Website in IIS Manager Go To Request Filtering and open the Request Filtering Window  Go to Verbs Tab and Add HTTP Verbs to  Allow Verb     or  Deny Verb      This allow to add the HTTP Verbs in the   Deny Verb    Collection    Request Filtering Window in IIS Manager   Add Verb    or Deny Verb

[iis] Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS

Examples related to iis

Examples related to web-config