IIS restricted verbs still go through
I have this in my web.config
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
</hiddenSegments>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
</verbs>
</requestFiltering>
</security>
....
When I check my log, I see requests are still getting through with the HEAD verb.
What did I miss? Isn't it supposed to throw a 403 ?
Solution
I have tried the same configuration as yours at my side and with enabling the failed request tracing i found the WebDAV module is interfering with the request filtering rule. so i would like to suggest you to first remove the WebDAV moule from the list.
Set the below in the config file:
<system.webServer>
<handlers>
<remove name="WebDAV" />
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\webapitest.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
<system.webServer>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,ANCM,Rewrite,RequestRouting" verbosity="Verbose" />
</traceAreas>
<failureDefinitions statusCodes="100-500" />
</add>
</traceFailedRequests>
</tracing>
<modules>
<remove name="WebDAVModule" />
</modules>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
You will get the result as shown below:
- Deploy ReactJS on IIS within subfolder
- What account does IIS Express run under?
- MVC 6 Hosted on IIS HTTP Error 500.19
- IIS server error .Server Error in '/' Application
- Automatically start up ASP.NET app pool?
- Keyset does not exist / Identity invalid
- Deploying website: 500 - Internal server error
- Turning off the WAWebSiteSID cookie on an IIS website
- Wrong physical path when using URL Rewrite in IIS
- When hosting .NET Core web app in IIS, what are the pros and cons between "In process" and "out of process" hosting model
- IIS restricted verbs still go through
- How to stop IIS asking authentication for default website on localhost
- IIS Restrict Access to Directory for table of users
- Why is IIS Worker Process locking a file?
- There was an error while performing this operation" error when publishing an old ASP.NET web project on IIS
- Get authenticated user's groups from Active Directory in Node
- WCF Error : 'It is likely that certificate 'my cert' may not have a private key that is capable of key exchange
- IIS & Chrome: failed to load resource: net::ERR_INCOMPLETE_CHUNKED_ENCODING
- API call with certificate over webservice isn't working
- .Net Forms Authentication Issue - 401, even though cookie set
- dotnet publish Error: The process cannot access the file because it is being used by another process
- Change URL project IIS ASP.Net
- Disable WebDav Programatically for .NET 3.1 or greater
- Slim Framework 4 with php 8.1 and IIS Server comunication
- How do I reset IIS Express default mime types / staticContent?
- How to solve Server Error in '/' Application.?
- The Web Application Project [...] is configured to use IIS. The Web server [...] could not be found.
- IIS Express not running in Visual Studio 2019
- Change Host Header with IIS URLRewrite
- How to solve the HTTP Error 403.14 - Forbidden in Asp.Net Core API?