Reputation: 71
Extensionless MVC and IIS 8 request filtering
I am using IIS 8 on Server 2012 and have an MVC website serving extensionless pages. I'm trying to harden IIS by blocking all but an allowed set of extensions in the request filtering section. As extensionless MVC pages have no extension, this is proving somewhat difficult!
I've tried adding .mvc, .aspx and .cshtml to the allowed list to see if any of those would work but by unticking Allow unlisted file name extensions in the Edit Feature Settings menu, I keep getting a 404 error.
Is there any combination of special characters or some kind of keyword I can use to add extensionless addresses to the allowed list so that I can block all unlisted extensions? I really dont want to have to allow unlisted file name extensions and then create a list of hundreds of denied extensions.
Cheers all!
Upvotes: 7
Views: 3235
Answers (1)
Reputation: 14569
Sure. To allow extensionless adresses, add <add fileExtension="." allowed="true" /> to your web.config as below:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="false">
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
Let me know if this helped.
Upvotes: 12
Related Questions
- Sitecore and MVC Filters
- Allow all extensions in ASP.NET MVC URL
- HttpResponse.Filter in MVC 6 / vNext?
- Handling aspx pages with ExtensionLessHandler
- MVC routing for both .mvc and extensionless URLs
- requestFiltering equivalent in IIS 6.0
- MVC 3/4 HttpModule or ActionFilter
- ASP.NET MVC 4 and ExtensionlessUrlHandler
- ASP MVC 2 handlers for extensionless urls in IIS 7.5 not working
- ASP.NET MVC Request filters