-1

Now I have a website, and run it on IIS & ASP.NET 4.0 .

But now the website has some security problems. "Vulnerability: ASP.NET DEBUG Method Enabled"

So I would like to have my website only accept GET & POST requests.

And I have a MVCHandler by myself, so if I change the verb of the MVCHandler, the request end of ".qs" will implement this rule. Below is the control in web.config.
<add name="MvcHttpHandler" verb="GET,POST" path="*.qs" type="Suryani.Web.Mvc.MvcHttpHandler" />

But my website still has a part of WEBFORM, end by ".aspx". I don't know how to set up the IIS or web.config to make ".aspx" only allow GET & POST.

Any insights/advice/references will be appreciated

Jus0tin
  • 1
  • 1

2 Answers2

0

use...

[HttpPost] or [HttpGet]

on your controller methods

for example...

    [HttpGet]
    public JsonResult MyMethod(int ID)
    {
        try
        {
            return Json(SomeMethod(ID), JsonRequestBehavior.AllowGet);
        }
        catch (Exception e)
        {
            _log.Error(e.Message, e);
            return Json(false, JsonRequestBehavior.AllowGet);
        }
    }
JGilmartin
  • 8,683
  • 14
  • 66
  • 85
  • thanks a lot!!But I have many controllers in the system, so I want to fix this problem by web.config or IIS. Is it possible? – Jus0tin Jun 10 '13 at 10:17
0

But now it has some security problems.

Says who?

"Vulnerability: ASP.NET DEBUG Method Enabled"

Search the web for "ASP.NET disable debug" could help you to pages like Vulnerability Database | Rapid7, Don’t run production ASP.NET Applications with debug=”true” enabled - ScottGu's Blog and so on.

And I have a MVCHandler by myself, so if I change the verb of the MVCHandler, the request end of ".qs" will implement this rule.

What?

But my website still has a part of WEBFORM, end by ".aspx". I don't know how to set up the IIS or web.config to make ".aspx" only allow GET & POST.

Configure your handlers.

Community
  • 1
  • 1
CodeCaster
  • 147,647
  • 23
  • 218
  • 272