For security, we want to reject HTTP requests that carry certain method-override headers, such as X-HTTP-Method, X-HTTP-Method-Override, and X-Method-Override (a client can use these to turn a POST into a PUT or DELETE behind a proxy or firewall that only inspects the verb). One trick is to set their size limits to 0 in the request-filtering section of web.config:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits>
        <headerLimits>
          <add header="X-HTTP-Method" sizeLimit="0" />
          <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
          <add header="X-Method-Override" sizeLimit="0" />
        </headerLimits>
      </requestLimits>
    </requestFiltering>
  </security>
</system.webServer>
IIS will return a default 404 page if a request contains any of these headers, because a header limit of 0 means any value at all is "too long" (request filtering logs this as 404 with substatus 404.10, "Request header too long", so you can confirm the rule is working from the IIS log). Header names are matched case-insensitively, which is why the mixed casing above does not matter.
Sometimes you may not want your application to handle that 404 (for example, ASP.NET custom errors would otherwise replace it with the application's own error page). In that case add an <httpErrors> element with existingResponse="PassThrough", which tells IIS to send the request-filtering response as-is:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits>
        <headerLimits>
          <add header="X-HTTP-Method" sizeLimit="0" />
          <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
          <add header="X-Method-Override" sizeLimit="0" />
        </headerLimits>
      </requestLimits>
    </requestFiltering>
  </security>
  <httpErrors existingResponse="PassThrough" />
</system.webServer>
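A configuration like this is easy to get subtly wrong (a misspelled header name, a sizeLimit copied as something other than 0, or the httpErrors line dropped during a merge), and nothing in IIS warns you. The following audit script is an added example, not part of the original post: it parses a web.config with Python's standard xml.etree module, checks that all three override headers named above are present under <headerLimits> with sizeLimit="0" (comparing names case-insensitively, as IIS does), and reports whether existingResponse="PassThrough" is set. The embedded web.config is constructed for the example and deliberately contains two mistakes; the function and constant names are my own.

```python
"""Audit an IIS web.config for the method-override header blocking shown above.

Added example, not code from the original post. Parses <headerLimits> and
reports, for each override header, whether it is blocked (sizeLimit 0),
missing, or allowed with a non-zero limit, plus whether <httpErrors> passes
the request-filtering response through unchanged.
"""
import xml.etree.ElementTree as ET

# Headers the post blocks. HTTP header names are case-insensitive and IIS
# matches them that way, so all comparisons below use lower-case names.
OVERRIDE_HEADERS = ("X-HTTP-Method", "X-HTTP-Method-Override", "X-Method-Override")

# Constructed sample web.config with two defects: the second rule has a typo
# ("XHTTP-" instead of "X-HTTP-") and the third allows 10 bytes instead of 0.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits>
          <headerLimits>
            <add header="X-HTTP-Method" sizeLimit="0" />
            <add header="XHTTP-Method-Override" sizeLimit="0" />
            <add header="X-Method-Override" sizeLimit="10" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
    <httpErrors existingResponse="PassThrough" />
  </system.webServer>
</configuration>
"""


def header_limits(config_xml: str) -> dict:
    """Return {lower-cased header name: sizeLimit as int} from every <headerLimits> block."""
    root = ET.fromstring(config_xml)
    limits = {}
    # iter() matches on the literal tag name, so the dotted <system.webServer>
    # ancestor and any enclosing <configuration> element do not matter.
    for block in root.iter("headerLimits"):
        for add in block.findall("add"):
            name = add.get("header")
            size = add.get("sizeLimit")
            if name is None or size is None:
                continue
            try:
                limits[name.lower()] = int(size)
            except ValueError:
                # A non-numeric sizeLimit would be rejected by IIS anyway;
                # treat it as not configured so the audit flags it.
                continue
    return limits


def audit_override_headers(config_xml: str) -> dict:
    """Map each expected header to 'blocked', 'missing' or 'limit=<n>'."""
    limits = header_limits(config_xml)
    report = {}
    for header in OVERRIDE_HEADERS:
        size = limits.get(header.lower())
        if size is None:
            report[header] = "missing"
        elif size == 0:
            report[header] = "blocked"
        else:
            report[header] = f"limit={size}"
    return report


def passes_through_errors(config_xml: str) -> bool:
    """True if an <httpErrors> element has existingResponse="PassThrough"."""
    root = ET.fromstring(config_xml)
    for http_errors in root.iter("httpErrors"):
        if http_errors.get("existingResponse", "").lower() == "passthrough":
            return True
    return False


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real web.config on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_override_headers(fh.read())


if __name__ == "__main__":
    for header, status in audit_override_headers(SAMPLE_WEB_CONFIG).items():
        print(f"{header:25} {status}")
    print("httpErrors PassThrough:", passes_through_errors(SAMPLE_WEB_CONFIG))
```

Run against the constructed sample it reports X-HTTP-Method as blocked, X-HTTP-Method-Override as missing (the typo means the real header is still accepted), and X-Method-Override with limit=10; point audit_file at a deployed web.config to get the same report for a real site.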