How can we deny certain HTTP methods in IIS?
Question
I would like to disable HTTP methods in web.config but i couldn't do it. I just would like to enable GET & POST methods. Tried like this:
<security>
<requestFiltering>
<verbs allowUnlisted="false" applyToWebDAV="true">
<clear/>
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="OPTIONS" allowed="false" />
<add verb="TRACE" allowed="false"/>
<add verb="TRACK" allowed="false"/>
<add verb="HEAD" allowed="false"/>
<add verb="PROPFIND" allowed="false"/>
<add verb="PUT" allowed="false"/>
<add verb="COPY" allowed="false"/>
<add verb="LOCK" allowed="false"/>
<add verb="UNLOCK" allowed="false"/>
<add verb="PROPPATCH" allowed="false"/>
<add verb="MKCOL" allowed="false"/>
<add verb="MOVE" allowed="false"/>
<add verb="DELETE" allowed="false"/>
<add verb="SEARCH" allowed="false"/>
</verbs>
</requestFiltering>
</security>
Am I doing something wrong? I've search a lot but what do you prefer for disabling this verbs?
1 answers
solution1
0 2017-02-06 17:48:02
Just a little hunch, can you try removing applytoWebDAV attribute and see?
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
</verbs>
</requestFiltering>
I think WebDAV extension module may have something to do with it. Usually if you go to IIS and Request Filtering, you can allow/deny verbs. It ultimately generates the same config file you mentioned.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.