Friday, January 29, 2021

IIS Configuration: To reject an HTTP request with certain headers


For security, we want to reject HTTP requests with some headers, such as X-HTTP-Method, X-HTTP-Method-Override, and X-Method-Override. One trick is to set their size limits to 0 in web.config:

<system.webServer>
   <security>
      <requestFiltering>
         <requestLimits>
            <headerLimits>
               <add header="X-HTTP-Method" sizeLimit="0" />
               <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
               <add header="X-Method-Override" sizeLimit="0" />
            </headerLimits>
         </requestLimits>
      </requestFiltering>
   </security>
</system.webServer>

IIS will return a default 404 page if a request contains any of these headers.

Sometimes you may not want to handle the 404 error in your application. Then you can add the <httpErrors> element:

<system.webServer>
   <security>
      <requestFiltering>
         <requestLimits>
            <headerLimits>
               <add header="X-HTTP-Method" sizeLimit="0" />
               <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
               <add header="X-Method-Override" sizeLimit="0" />
            </headerLimits>
         </requestLimits>
      </requestFiltering>
   </security>
   <httpErrors existingResponse="PassThrough" />
</system.webServer>
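As an added example that is not from the original post, here is a small Python audit that parses a web.config, reports which of the three override headers would still be accepted (no headerLimits entry, or a sizeLimit other than 0), and writes the fix in. The sample config is constructed, and header names are compared case-insensitively, which also covers the mixed capitalization used above.

```python
# Added example, not from the original post: audit a web.config for the
# header-blocking trick above and, where it is missing or weakened, apply it.
import xml.etree.ElementTree as ET

# Method-override headers the post rejects with sizeLimit="0".
OVERRIDE_HEADERS = ("X-HTTP-Method", "X-HTTP-Method-Override", "X-Method-Override")

# Constructed sample: one header blocked, one only capped at 16 bytes (still
# accepted), one missing entirely. The audit must report the last two.
WEAK_CONFIG = """\
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits>
        <headerLimits>
          <add header="X-HTTP-Method" sizeLimit="0" />
          <add header="X-Method-Override" sizeLimit="16" />
        </headerLimits>
      </requestLimits>
    </requestFiltering>
  </security>
</system.webServer>
"""

def header_limits(web_config_xml: str) -> dict:
    """Map header name (lowercased: HTTP header names are case-insensitive) -> sizeLimit."""
    root = ET.fromstring(web_config_xml)
    return {e.get("header").lower(): int(e.get("sizeLimit"))
            for e in root.iterfind(".//headerLimits/add")
            if e.get("header") and e.get("sizeLimit", "").isdigit()}

def unblocked_headers(web_config_xml: str, headers=OVERRIDE_HEADERS) -> list:
    """Headers IIS would still accept: no <add> entry, or a sizeLimit other than 0."""
    limits = header_limits(web_config_xml)
    return [h for h in headers if limits.get(h.lower()) != 0]

def harden(web_config_xml: str, headers=OVERRIDE_HEADERS) -> str:
    """Return the config with every header in `headers` limited to 0, creating the
    headerLimits path if absent. Assumes the root is <system.webServer>, as in the post."""
    root = ET.fromstring(web_config_xml)
    node = root
    for tag in ("security", "requestFiltering", "requestLimits", "headerLimits"):
        child = node.find(tag)
        node = child if child is not None else ET.SubElement(node, tag)
    present = {e.get("header", "").lower(): e for e in node.findall("add")}
    for h in headers:
        entry = present.get(h.lower())
        if entry is None:  # explicit None check: a childless Element is falsy
            entry = ET.SubElement(node, "add", header=h)
        entry.set("sizeLimit", "0")
    return ET.tostring(root, encoding="unicode")
```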

