IIS restricted verbs still go through
I have this in my web.config
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
</hiddenSegments>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
</verbs>
</requestFiltering>
</security>
....
When I check my log, I see requests are still getting through with the HEAD verb.
What did I miss? Isn't it supposed to throw a 403 ?
Solution
I have tried the same configuration as yours at my side and with enabling the failed request tracing i found the WebDAV module is interfering with the request filtering rule. so i would like to suggest you to first remove the WebDAV moule from the list.
Set the below in the config file:
<system.webServer>
<handlers>
<remove name="WebDAV" />
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\webapitest.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
<system.webServer>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,ANCM,Rewrite,RequestRouting" verbosity="Verbose" />
</traceAreas>
<failureDefinitions statusCodes="100-500" />
</add>
</traceFailedRequests>
</tracing>
<modules>
<remove name="WebDAVModule" />
</modules>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
You will get the result as shown below:
- Wrong physical path when using URL Rewrite in IIS
- When hosting .NET Core web app in IIS, what are the pros and cons between "In process" and "out of process" hosting model
- IIS restricted verbs still go through
- How to stop IIS asking authentication for default website on localhost
- IIS Restrict Access to Directory for table of users
- Why is IIS Worker Process locking a file?
- There was an error while performing this operation" error when publishing an old ASP.NET web project on IIS
- Get authenticated user's groups from Active Directory in Node
- WCF Error : 'It is likely that certificate 'my cert' may not have a private key that is capable of key exchange
- IIS & Chrome: failed to load resource: net::ERR_INCOMPLETE_CHUNKED_ENCODING
- API call with certificate over webservice isn't working
- .Net Forms Authentication Issue - 401, even though cookie set
- dotnet publish Error: The process cannot access the file because it is being used by another process
- Change URL project IIS ASP.Net
- Disable WebDav Programatically for .NET 3.1 or greater
- Slim Framework 4 with php 8.1 and IIS Server comunication
- How do I reset IIS Express default mime types / staticContent?
- How to solve Server Error in '/' Application.?
- The Web Application Project [...] is configured to use IIS. The Web server [...] could not be found.
- IIS Express not running in Visual Studio 2019
- Change Host Header with IIS URLRewrite
- How to solve the HTTP Error 403.14 - Forbidden in Asp.Net Core API?
- MSDeploy Unauthorized with command
- dotnet publish error WASM0005: Unable to resolve WebAssembly runtime pack version
- ASP.NET mvc auth or session expires quicker than set
- Add URL rewrite rule on root website for specific URL
- SQL1159 Initialization error with DB2 .NET Data Provider, reason code 10, tokens 0.0.0, 9.7.3
- System.IO Exception after IIS deployment
- How Do You Enable HTTP/3 on IIS?
- Return content is "blank" when deployed on production