Reputation: 1317
MVC3 Custom attribute to deny HTTP Verbs
In Asp.net web application we can use below line of code in web.config file to deny HttpVerbs but MVC uses action controller for routing and Authorize attribute for authorization.
So we would like to create custom attribute to handle this.
How to create custom attribute to deny some HTTP Verbs by default on all action methods and only allow HTTPGet and HTTPPost.
<deny verbs="*" users="*" />
Upvotes: 1
Views: 588
Answers (1)
Reputation: 39807
If you want to disallow all verbs except GET and POST, you can do the following in your web.config file.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Example code and other reading here
By placing this in the web.config, you can "short circuit" the .NET pipeline and allow IIS to choose if it should respond to the request or not (which is more efficient for your application).
Upvotes: 4
Related Questions
- Deny direct URL access to action method
- How to block some HTTP methods to specific URL?
- How to deny HTTP methods (or verbs) for path in ASP.NET app
- Asp.net Mvc custom mechanism to handle unauthorized request
- C# attribute to prevent method execution
- Restrict attribute routes to specific HTTP verbs
- Attribute to make Action not available
- Restricting access to controller methods in ASP.NET MVC 3
- How do I make MVC discard requests with verbs other than specified in the constraint?
- Limiting HTTP verbs on every action