For security reasons I want to disable those methods through application level so I have this web.config file:
<configuration>
  <location path="index.php">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
    <system.web>
      <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
But this didn't work - any ideas?
How to fix “Insecure HTTP Method” Enable only HTTP methods on your web server which are necessary for your application to run. Use only GET and POST methods for all HTTP requests where possible.
This HTTP method basically reports which HTTP Methods that are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it does grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole.
Finally I found another answer for this problem, and this is working for me. Just add the data below to your web.config file.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
For more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering
If you want to test whether your web site is working or not, you can use the "HttpRequester" Mozilla Firefox plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/
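Added example, not code from the original answer: a small Python check that reads the `<verbs>` rules out of a web.config and reports which methods IIS request filtering would still pass to the application. It contrasts the answer's config (only OPTIONS denied, everything unlisted still allowed) with an allow-list that permits just GET and POST as recommended above; function names and the two sample configs are my own, and it assumes verbs are matched case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's config. Only OPTIONS is listed, and
# allowUnlisted="true" means TRACE, PROPFIND, DELETE... still get through.
BLOCK_OPTIONS_ONLY = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="true">
    <add verb="OPTIONS" allowed="false" />
  </verbs>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: allow-list form. Unlisted verbs are refused, so only
# the verbs explicitly marked allowed="true" reach the application.
ALLOW_LIST_ONLY = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="false">
    <add verb="GET" allowed="true" />
    <add verb="POST" allowed="true" />
  </verbs>
</requestFiltering></security></system.webServer></configuration>"""

def verb_rules(web_config_xml):
    """Return (allow_unlisted, {VERB: allowed}) from requestFiltering/verbs."""
    root = ET.fromstring(web_config_xml)
    verbs = root.find("./system.webServer/security/requestFiltering/verbs")
    if verbs is None:  # no <verbs> element at all: nothing is filtered
        return True, {}
    allow_unlisted = verbs.get("allowUnlisted", "true").lower() == "true"
    explicit = {}
    for entry in verbs.findall("add"):
        # Assumption: IIS compares verb names case-insensitively.
        explicit[entry.get("verb").upper()] = entry.get("allowed", "true").lower() == "true"
    return allow_unlisted, explicit

def verb_allowed(web_config_xml, verb):
    """An explicit <add> entry wins; otherwise allowUnlisted decides."""
    allow_unlisted, explicit = verb_rules(web_config_xml)
    return explicit.get(verb.upper(), allow_unlisted)

def accepted_verbs(web_config_xml,
                   candidates=("GET", "POST", "HEAD", "OPTIONS", "TRACE", "PROPFIND", "DELETE")):
    """List the candidate verbs this configuration would let through."""
    return [v for v in candidates if verb_allowed(web_config_xml, v)]

if __name__ == "__main__":
    for name, cfg in (("deny OPTIONS only", BLOCK_OPTIONS_ONLY),
                      ("allow-list GET/POST", ALLOW_LIST_ONLY)):
        print(f"{name}: accepts {accepted_verbs(cfg)}")
```

Run it against your own web.config text to confirm the allow-list form is what is actually deployed before trusting the change.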
This worked for me but only after forcing the specific verbs to be handled by the default handler.
<system.web>
  ...
  <httpHandlers>
    ...
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
  </httpHandlers>
</system.web>
You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx
An easy way to test is just to deny GET and see if your site loads.