How to block some HTTP methods for a specific URL?

For security reasons, I want to disable some HTTP methods (e.g. OPTIONS, TRACE, HEAD) for a URL at the application level.

URL is "mywebsite.com/bundles/"

I tried this

<system.web>
<authorization>
    <deny verbs="OPTIONS" users="*" />
    <deny verbs="TRACE" users="*" />
    <deny verbs="HEAD" users="*" />
</authorization>

...

<httpHandlers>
    <add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>

And it blocks the HTTP methods for the whole app, but I want that only for "/bundles" and its files and subdirectories.

But "bundles" is not a physical path in my app, it is a virtual one:

bundles.Add(new Bundle("~/bundles/Something").Include("~/Contents/Scripts/file.js"));
bundles.Add(new Bundle("~/bundles/Anything").Include("~/Areas/Import/Scripts/App/anotherfile.js"));

Upvotes: 0

Views: 677

Answers (1)

MisterSmith

Reputation: 3624

You should be able to use a <location> element to restrict any enclosed directives to just the path you specify. E.g.

   <location path="bundles">
      <system.web>
         <authorization>
            <deny verbs="OPTIONS" users="*" />
         </authorization>
      </system.web>
   </location>

See https://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx

Upvotes: 1
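A way to check that a deny rule like the one in this answer applies under /bundles/ only and has not leaked to the whole app, which is the symptom described in the question. This is an added example, not code from the question or the answer. `StubSite` is a constructed local stand-in for the application, `/Home/Index` is a hypothetical page outside the bundle path, and treating any status of 400 or above as "denied" is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DENIED = {"OPTIONS", "TRACE", "HEAD"}            # verbs named in the question
PATHS = ["/bundles/Something", "/Home/Index"]    # /Home/Index is a hypothetical page

def probe(host, port, paths=PATHS, verbs=("GET", "HEAD", "OPTIONS", "TRACE")):
    """Send every verb to every path; return {(path, verb): status}."""
    results = {}
    for path in paths:
        for verb in verbs:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            try:
                conn.request(verb, path)
                resp = conn.getresponse()
                resp.read()
                results[(path, verb)] = resp.status
            finally:
                conn.close()
    return results

def scope_problems(results, prefix="/bundles/", denied=DENIED):
    """Rule missing under prefix, or leaking outside it (assumes >= 400 means denied)."""
    return sorted((p, v, s) for (p, v), s in results.items()
                  if (p.startswith(prefix) and v in denied) != (s >= 400))

class StubSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the app; deny_prefix mimics the config scope."""
    deny_prefix = "/bundles/"
    def _reply(self):
        deny = self.command in DENIED and self.path.startswith(self.deny_prefix)
        self.send_response(401 if deny else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = do_OPTIONS = do_TRACE = _reply
    log_message = lambda self, *args: None       # keep the demo quiet

def demo(deny_prefix):
    handler = type("Site", (StubSite,), {"deny_prefix": deny_prefix})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scope_problems(probe("127.0.0.1", server.server_port))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo("/bundles/"), demo("/"))
```

To check a real deployment, call `probe()` with the host and port of your own test instance and pass the result to `scope_problems()`; `probe()` speaks plain HTTP only.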
