SyntaxFix

[iis] Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS

For security reasons I want to disable those methods through application level so I have this web.config file:

<configuration>
    <location path="index.php">
    <system.webServer>
                <directoryBrowse enabled="false" />
    </system.webServer>

    <system.web>
        <authorization>
            <deny verbs="OPTIONS" users="*" />
            <deny verbs="TRACE" users="*" />
            <deny verbs="HEAD" users="*" />
            <deny verbs="PROPFIND" users="*" />
            <deny verbs="COPY" users="*" />
            <deny verbs="LOCK" users="*" />
            <deny verbs="UNLOCK" users="*" />
            <deny verbs="PROPPATCH" users="*" />
            <deny verbs="MKCOL" users="*" />
            <deny verbs="MOVE" users="*" />
            <deny verbs="DELETE" users="*" />
        </authorization>
    </system.web>

  </location>
</configuration>

But this didn't work - any ideas?

This question is related to iis web-config

The answer is

Finaly I found another answer for this problem. and this is working for me. Just add below datas to the your webconfig file. 

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <verbs allowUnlisted="true">
     <add verb="OPTIONS" allowed="false" />
    </verbs>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

Form more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering

if you want to test your web site, is it working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

For anyone looking for a UI option using IIS Manager.

  1. Open the Website in IIS Manager
  2. Go To Request Filtering and open the Request Filtering Window.
  3. Go to Verbs Tab and Add HTTP Verbs to "Allow Verb..." or "Deny Verb...". This allow to add the HTTP Verbs in the "Deny Verb.." Collection.

Request Filtering Window in IIS Manager Request Filtering Window in IIS Manager

Add Verb... or Deny Verb... enter image description here

This worked for me but only after forcing the specific verbs to be handled by the default handler.

<system.web>
...
  <httpHandlers>
  ... 
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx

An easy way to test is just to deny GET and see if your site loads.

This one disables all bogus verbs and only allows GET and POST

<system.webServer>
  <security>
    <requestFiltering>
      <verbs allowUnlisted="false">
    <clear/>
    <add verb="GET" allowed="true"/>
    <add verb="POST" allowed="true"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

Source: Stackoverflow.com

Examples related to iis

ASP.NET Core 1.0 on IIS error 502.5 CS1617: Invalid option ‘6’ for /langversion; must be ISO-1, ISO-2, 3, 4, 5 or Default Publish to IIS, setting Environment Variable IIS Manager in Windows 10 The page cannot be displayed because an internal server error has occurred on server The service cannot accept control messages at this time NuGet: 'X' already has a dependency defined for 'Y' Changing project port number in Visual Studio 2013 System.Data.SqlClient.SqlException: Login failed for user "This operation requires IIS integrated pipeline mode."

Examples related to web-config

No assembly found containing an OwinStartupAttribute Error IIS Config Error - This configuration section cannot be used at this path How to enable GZIP compression in IIS 7.5 how to set start page in webconfig file in asp.net c# Authentication issue when debugging in VS2013 - iis express Forms authentication timeout vs sessionState timeout Specified argument was out of the range of valid values. Parameter name: site Access-control-allow-origin with multiple domains "An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page..." ASP.NET: HTTP Error 500.19 – Internal Server Error 0x8007000d

Tags

Functional-dependencies Guava Cherry-pick M Wsma Dotproject Mahjong Bapi Controller-factory Richtextbox Static-analysis Private-inheritance Evc4 Multiple-forms Html-editor Admin-generator Prezi Ethernet Muenchian-grouping Flashbuilder4 Return-code Phar Social-graph Onbeforeunload N2cms Visual-c++-2008-express Mptt Srand Overuse Application-lifecycle Backing-beans Pwd Dotnetnuke-5 Global-assembly-cache Lnk2019 Xmlslurper Exec-maven-plugin Opengl-4 Unordered Diffmerge Data-virtualization Data-linking Xml-configuration Lync Macos Transformer Aggregator Return-value Tlf Article Streaming-video Android-networking Doctrine-orm Form-for Nsproxy Broken-links Nsmanagedobject Soapformatter Indic Argparse Database-driven Vpc Countdownevent Httplistenerrequest Assembly-reference-path Bcc Webchannelfactory Winexe Lithium Reference-implementation Httpserver Pgm Mips32 Differential-equations Vsam Aix Xmlroot Coords Qprocess Propel Temp Fax System.io.fileinfo Data-export Historical-debugging Validationerror Acceleratorkey James Cardlayout Toggle Flex-charts Nhibernate-collections Cellular-network Context-bound Function-attributes Server-side-scripting Fusioncharts Comparison-operators Sharepointfoundation2010 Pascalmock