Menu
I am using IIS 8 on Server 2012 and have an MVC website serving extensionless pages. I'm trying to harden IIS by blocking all but an allowed set of extensions in the request filtering section. As extensionless MVC pages have no extension, this is proving somewhat difficult!
I've tried adding .mvc, .aspx and .cshtml to the allowed list to see if any of those would work but by unticking Allow unlisted file name extensions in the Edit Feature Settings menu, I keep getting a 404 error.
Is there any combination of special characters or some kind of keyword I can use to add extensionless addresses to the allowed list so that I can block all unlisted extensions? I really dont want to have to allow unlisted file name extensions and then create a list of hundreds of denied extensions.
Cheers all!
488
Open IIS Manager and select the level for which you want to configure request filter. In Features View, double-click Request Filtering. In the Actions pane, click Edit Feature Settings. In the Edit Request Filtering Settings dialog, edit the settings as desired, and then click OK.
IIS seems to be an application that listens for incoming connections, parses the data sent there as HTTP requests, and maps request urls to directories based on a site an application and a virtual directory , and then does something based on the file present (or not present) on that location.
Sure. To allow extensionless adresses, add <add fileExtension="." allowed="true" /> to your web.config as below:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="false">
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
Let me know if this helped.
175
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
