Friday, November 1, 2019

IIS web application to reject HTTP requests without a Host header


Step 1:

Download and install the URL Rewrite module (https://www.iis.net/downloads/microsoft/url-rewrite).

Step 2:

Add the rewrite rule in the web.config for the web application:

<system.webServer>
    <!-- ...... -->
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions>
                    <add input="{HTTP_HOST}" pattern="*.*" negate="true" />
                </conditions>
                <action type="AbortRequest" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

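Now any HTTP request without a "Host: ..." header gets a connection reset: with no Host header, {HTTP_HOST} is empty, so it fails to match *.* and the negated condition triggers the AbortRequest action. The same happens for any Host value that contains no dot, such as localhost.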
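To see which Host values the rule aborts before deploying it, the following added example (not part of the original post) parses the rule above and evaluates its condition in Python. The wildcard matcher is a model that assumes only `*` is special and that matching is case-insensitive; the sample Host values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the post, embedded so the script runs offline.
RULE_XML = """
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="*.*" negate="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>
"""


def wildcard_to_regex(pattern):
    """Model of Wildcard syntax (assumption): '*' is any run of characters, the rest is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)


def is_aborted(host_header, rule_xml=RULE_XML):
    """Return True if every condition of the rule holds, i.e. the request is aborted.

    host_header is the raw Host value, or None when the header is absent
    (the {HTTP_HOST} server variable is then empty). <match url="*"> accepts
    every URL, so only the conditions decide the outcome.
    """
    rule = ET.fromstring(rule_xml)
    server_vars = {"{HTTP_HOST}": host_header or ""}
    for cond in rule.find("conditions"):
        value = server_vars[cond.get("input")]
        matched = bool(wildcard_to_regex(cond.get("pattern")).match(value))
        if cond.get("negate", "false").lower() == "true":
            matched = not matched
        if not matched:
            return False  # conditions are combined with AND (MatchAll)
    return rule.find("action").get("type") == "AbortRequest"


# Constructed sample Host values, not taken from real traffic.
SAMPLES = [None, "", "www.example.com", "www.example.com:8443",
           "192.0.2.10", "localhost", "localhost:8080", "intranet", "[::1]"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host!r:26} -> {'abort' if is_aborted(host) else 'pass'}")
```

Dotless values such as a bracketed IPv6 literal are aborted along with the missing header, so check how health probes and internal clients address the site before enabling the rule.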
