Thursday, December 15, 2011

Request Method Filtering in IIS7


The <requestFiltering> tag sits under /configuration/system.webServer/security/ in the XML config file. It has 5 child tags:
  • denyUrlSequences - Used to deny specific URIs
  • fileExtensions - Used to deny specific file extensions, or allow only a whitelist of file extensions.
  • hiddenSegments - Used to hide URI sequences
  • requestLimits - Used to limit the size of elements in the HTTP request (query string, headers, URL, content length, etc.)
  • verbs - Deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc.)

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <!-- block /CFIDE -->
            <denyUrlSequences>
               <add sequence="/CFIDE"/>
            </denyUrlSequences>
            <!-- block all file extensions except cfm,js,css,html -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit POST size to 10 MB (value is in bytes), query string to 256 chars, URL to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
            <!-- only allow GET,POST verbs -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
Taken from Freshers click here
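
An added example, not from the original post: a small Python audit that reads a web.config string and reports where its requestFiltering section is looser than intended. The function name, the size ceilings and both sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# IIS defaults that apply when an attribute is absent from <requestLimits>.
DEFAULT_LIMITS = {"maxAllowedContentLength": 30000000, "maxUrl": 4096, "maxQueryString": 2048}
# Assumed policy ceilings (bytes): 10 MB body, 1024-byte URL, 256-byte query string.
CEILINGS = {"maxAllowedContentLength": 10 * 1024 * 1024, "maxUrl": 1024, "maxQueryString": 256}

def audit_request_filtering(xml_text, ceilings=CEILINGS, expected_verbs=("GET", "POST")):
    """Return a list of findings for the <requestFiltering> section of a web.config."""
    rf = ET.fromstring(xml_text).find("system.webServer/security/requestFiltering")
    if rf is None:
        return ["requestFiltering: section missing, IIS defaults apply"]
    findings = []
    # <verbs> and <fileExtensions> act as allowlists only when allowUnlisted="false";
    # the attribute defaults to true, which leaves every unlisted value permitted.
    for tag, attr in (("verbs", "verb"), ("fileExtensions", "fileExtension")):
        el = rf.find(tag)
        if el is None or el.get("allowUnlisted", "true").lower() != "false":
            findings.append(f"{tag}: unlisted values are allowed")
            continue
        allowed = {a.get(attr, "").upper() for a in el.findall("add")
                   if a.get("allowed", "").lower() == "true"}
        extra = sorted(allowed - set(expected_verbs)) if tag == "verbs" else []
        if extra:
            findings.append(f"verbs: unexpected verbs allowed {extra}")
    # Compare each effective size limit (bytes) with the intended ceiling.
    limits = rf.find("requestLimits")
    for name, ceiling in ceilings.items():
        raw = limits.get(name) if limits is not None else None
        value = int(raw) if raw is not None else DEFAULT_LIMITS[name]
        if value > ceiling:
            findings.append(f"requestLimits: {name}={value} exceeds {ceiling}")
    return findings

# Constructed sample configs (not taken from a real server).
HARDENED = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="false"><add fileExtension=".cfm" allowed="true" /></fileExtensions>
  <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
  <verbs allowUnlisted="false"><add verb="GET" allowed="true" /><add verb="POST" allowed="true" /></verbs>
</requestFiltering></security></system.webServer></configuration>"""
WEAK = """<configuration><system.webServer><security><requestFiltering>
  <requestLimits maxAllowedContentLength="102400000" />
  <verbs><add verb="TRACE" allowed="false" /></verbs>
</requestFiltering></security></system.webServer></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_request_filtering(cfg))
```

The weak sample shows two easy slips: a verbs list without allowUnlisted="false" blocks only the verbs it names, and a byte value of 102400000 is roughly 100 MB rather than 10 MB.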
