
IIS restricted verbs still go through - Stack Overflow


I have this in my web.config

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <remove segment="bin" />
                </hiddenSegments>
                <verbs allowUnlisted="false">
                    <add verb="GET" allowed="true" />   
                    <add verb="POST" allowed="true" />                      
                </verbs>
            </requestFiltering>
        </security>

....

When I check my log, I see requests are still getting through with the HEAD verb. What did I miss? Isn't it supposed to throw a 403 ?


asked Mar 30 at 14:35 by Eric, edited Mar 30 at 17:25
  • What kind of web apps and what other IIS settings did you touch? By default request filtering settings can only be configured in applicationHost.config, not web.config. – Lex Li Commented Mar 30 at 16:11
  • I configured it in web.config under configuration/system.webServer. I was under the impression it was supported. – Eric Commented Mar 30 at 17:26
  • You might enable FRT on HEAD requests, and status codes 200-999, learn.microsoft/troubleshoot/developer/webapps/iis/… Then the trace should tell which modules touch the request in the IIS pipeline and you can get started from there. – Lex Li Commented Mar 30 at 22:15

1 Answer


I have tried the same configuration as yours on my side and, with Failed Request Tracing enabled, I found that the WebDAV module is interfering with the request filtering rule. So I would suggest you first remove the WebDAV module from the list.

Set the below in the config file:

<configuration>
  <!-- The original snippet ends a <location> element it never opens; the wrapper below is the
       standard ASP.NET Core web.config shape (path="." inheritInChildApplications="false")
       and is assumed here so the file is well-formed. -->
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <!-- Drop the WebDAV handler so it cannot service requests ahead of the application. -->
        <remove name="WebDAV" />
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\webapitest.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
  <system.webServer>
    <!-- Failed Request Tracing for every request (status 100-500), so the trace shows which
         module in the pipeline actually handled the HEAD request. -->
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="ASP" verbosity="Verbose" />
            <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
            <add provider="ISAPI Extension" verbosity="Verbose" />
            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,ANCM,Rewrite,RequestRouting" verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions statusCodes="100-500" />
        </add>
      </traceFailedRequests>
    </tracing>
    <!-- Remove the WebDAV module itself as well; removing only the handler leaves the module
         registered in the pipeline. -->
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="false": any verb not listed here (HEAD, OPTIONS, PUT, ...) is denied. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

You will get the result as shown below:
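Two points from the thread are worth checking mechanically rather than by eye: whether the `<verbs>` policy in web.config actually denies a given verb, and whether the IIS log shows that denial taking effect. Note that IIS request filtering does not answer a blocked verb with 403; it logs sc-status 404 with sc-substatus 6 ("verb denied"), so a HEAD that comes back 200 means something handled the request before (or instead of) the filter. The script below is an added example and not code from the question or the answer: it parses the `<verbs>` element out of a web.config, replays the same allowed/allowUnlisted decision request filtering makes, then scans W3C log lines for requests the policy should have denied that did not get 404.6. The web.config text and the log lines are constructed for the example; the function names are my own.

```python
"""Check IIS W3C log lines against a requestFiltering <verbs> policy.

Hypothetical helper (not from the original post): parses the <verbs> element
out of a web.config, then flags logged requests whose verb the policy denies
but which did not receive IIS's "verb denied" status, 404.6.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple


class VerbPolicy(NamedTuple):
    allow_unlisted: bool        # <verbs allowUnlisted="...">
    verbs: Dict[str, bool]      # verb -> allowed, from each <add verb= allowed= />


# Constructed web.config: the same <verbs> policy the question shows.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed W3C log excerpt (IIS writes the #Fields line itself; hosts and
# paths here are made up). sc-status 404 with sc-substatus 6 is "verb denied".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-30 14:35:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 curl/8.0 200 0 0 12
2024-03-30 14:35:02 10.0.0.5 HEAD /index.html - 443 - 203.0.113.7 curl/8.0 200 0 0 3
2024-03-30 14:35:03 10.0.0.5 OPTIONS / - 443 - 203.0.113.7 curl/8.0 404 6 0 1
2024-03-30 14:35:04 10.0.0.5 PUT /upload.txt - 443 - 203.0.113.7 curl/8.0 200 0 0 8
2024-03-30 14:35:05 10.0.0.5 POST /api/login - 443 - 203.0.113.7 curl/8.0 302 0 0 40
"""


def parse_verb_policy(xml_text: str) -> VerbPolicy:
    """Read <system.webServer>/<security>/<requestFiltering>/<verbs>."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.webServer/security/requestFiltering/verbs")
    if node is None:
        # No <verbs> element at all: IIS's default is allowUnlisted="true".
        return VerbPolicy(True, {})
    allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
    verbs = {
        add.get("verb", "").upper(): add.get("allowed", "true").lower() == "true"
        for add in node.findall("add")
    }
    return VerbPolicy(allow_unlisted, verbs)


def verb_allowed(policy: VerbPolicy, verb: str) -> bool:
    """Apply the policy the way request filtering does: a listed verb uses its
    own allowed= flag, anything else falls back to allowUnlisted."""
    return policy.verbs.get(verb.upper(), policy.allow_unlisted)


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) or blank lines
        values = line.split()
        if not fields or len(values) != len(fields):
            raise ValueError(f"log line does not match #Fields: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def find_policy_violations(policy: VerbPolicy, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests the policy should have denied but that IIS did not answer with
    404.6, i.e. some module served them before request filtering applied, or
    the configuration was not in effect for that request."""
    violations = []
    for row in rows:
        if verb_allowed(policy, row["cs-method"]):
            continue
        denied = row["sc-status"] == "404" and row["sc-substatus"] == "6"
        if not denied:
            violations.append(row)
    return violations


if __name__ == "__main__":
    pol = parse_verb_policy(WEB_CONFIG)
    for row in find_policy_violations(pol, parse_w3c_log(SAMPLE_LOG)):
        print(f'{row["cs-method"]} {row["cs-uri-stem"]} -> {row["sc-status"]}.{row["sc-substatus"]}')
```

Run against a real log directory (`%SystemDrive%\inetpub\logs\LogFiles\W3SVC*`), the only thing to change is feeding the file contents to `parse_w3c_log`; the `sc-substatus` field must be enabled in the site's logging fields for the 404.6 check to work, which is the default selection in IIS 7 and later.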
