
For security reasons I want to disable those methods through application level so I have this web.config file:

<configuration>
  <location path="index.php">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>

    <system.web>
      <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

But this didn't work - any ideas?


4 Answers


Finally I found another answer for this problem, and this is working for me. Just add the data below to your web.config file.

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <verbs allowUnlisted="true">
     <add verb="OPTIONS" allowed="false" />
    </verbs>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

For more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering

If you want to test whether your web site is working or not, you can use the "HttpRequester" Mozilla Firefox plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

  • Another way to test this is to run a good web scanner against your site (you should do this anyway). If OPTIONS is enabled, it should pick it up. – nmit026 Feb 10 '17 at 06:22
  • Interesting. With IIS 7.5 I started getting 500.19 errors when I added the lines you mention. Looks like it is conflicting with my applicationHost.config settings. – Brien Malone Dec 29 '17 at 23:20

This worked for me but only after forcing the specific verbs to be handled by the default handler.

<system.web>
...
  <httpHandlers>
  ...
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
  </httpHandlers>
</system.web>

You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx

An easy way to test is just to deny GET and see if your site loads.

  • Even after using your code it does not work for me. Can you please suggest what I could be missing? My environment is ASP.NET and IIS. – Ram Sep 18 '14 at 08:09
  • @Ram Without seeing your config or having any knowledge of your environment I cannot suggest anything. Please ask a question on SO and reference this question with more detail about your current setup. – BrutalDev Sep 19 '14 at 06:17
  • I am getting HTTP Error 500.23 - Internal Server Error! @BrutalDev, do you have any idea about this situation? – Mahmut EFE Mar 27 '15 at 16:21
  • @MahmutEFE An internal error is unrelated to this question. 500 errors are usually something wrong in your code or configuration; I would start by checking the event log (Event Viewer) for ASP.NET runtime errors to determine what the actual underlying problem is. – BrutalDev Mar 27 '15 at 20:25
  • @BrutalDev thanks for your reply. When I applied your solution to my web.config, I got this error. After I deleted it, the error was gone. But I found another answer; my answer is below and working for me. Thanks again. – Mahmut EFE Mar 27 '15 at 21:15

This one disables all bogus verbs and only allows GET and POST.

<system.webServer>
  <security>
    <requestFiltering>
      <verbs allowUnlisted="false">
        <clear/>
        <add verb="GET" allowed="true"/>
        <add verb="POST" allowed="true"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
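As an added example (not code from any of the answers above), the following Python script reads the <verbs> section of a web.config and applies IIS request-filtering semantics, so the deny-list form from the accepted answer and the allow-list form above can be compared verb by verb before deployment. The two web.config samples are constructed for this example, and verbs are assumed to match exactly (case-sensitively).

```python
"""Evaluate an IIS request-filtering <verbs> policy from a web.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: allow-list variant that serves only GET and POST.
ALLOWLIST_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="false">
    <clear/>
    <add verb="GET" allowed="true"/>
    <add verb="POST" allowed="true"/>
  </verbs>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: deny-list variant that blocks only OPTIONS.
DENYLIST_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="true">
    <add verb="OPTIONS" allowed="false"/>
  </verbs>
</requestFiltering></security></system.webServer></configuration>"""


def load_verb_policy(config_xml):
    """Return (allow_unlisted, {verb: allowed}) from <verbs>, or None if the section is absent."""
    root = ET.fromstring(config_xml)
    verbs = root.find("./system.webServer/security/requestFiltering/verbs")
    if verbs is None:
        return None  # no verb rules in this file: nothing is filtered here
    allow_unlisted = verbs.get("allowUnlisted", "true").lower() == "true"
    rules = {}
    for child in verbs:  # document order matters: <clear/> discards entries seen so far
        if child.tag == "clear":
            rules.clear()
        elif child.tag == "add":
            rules[child.get("verb")] = child.get("allowed", "true").lower() == "true"
    return allow_unlisted, rules


def verb_allowed(policy, verb):
    """An explicit <add> entry wins; otherwise allowUnlisted decides (exact, case-sensitive match assumed)."""
    if policy is None:
        return True
    allow_unlisted, rules = policy
    return rules.get(verb, allow_unlisted)


def audit(config_xml, verbs=("GET", "POST", "HEAD", "OPTIONS", "TRACE", "PROPFIND", "DELETE")):
    """Map each verb to True (passed through) or False (rejected by request filtering)."""
    policy = load_verb_policy(config_xml)
    return {v: verb_allowed(policy, v) for v in verbs}
```

Running audit() over both samples shows the practical difference: the deny-list still lets HEAD, TRACE and the WebDAV verbs through, while the allow-list rejects everything except GET and POST.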

For anyone looking for a UI option using IIS Manager.

  1. Open the Website in IIS Manager
  2. Go To Request Filtering and open the Request Filtering Window.
  3. Go to the Verbs tab and add HTTP verbs with "Allow Verb..." or "Deny Verb...". This allows you to add the HTTP verbs to the "Deny Verb..." collection.

[Image: Request Filtering Window in IIS Manager]

[Image: Add Verb... or Deny Verb...]
