This page provides additional documentation for other Request Filtering settings.
- Hidden Segments
- alwaysAllowedUrls
- denyUrlSequences
- alwaysAllowedQueryStrings
- denyQueryStringSequences
- requestLimits
- filteringRules
- removeServerHeader
- Microsoft Documentation
Hidden Segments
A great way to protect files and folders that should never be requested by a client though are part of the website/application. Any request referencing these locations will get an HTTP 404 response.
Example uses for this setting include:
web.configbinapp_codeapp_data.gitignore.git.vs
Allow specific URL Paths (cs-uri-stem) regardless of other Request Filtering settings.
For example, maxUrl=0 could be set blocking all requests yet an explicitly allowed entry will still be returned.
Block specific URL Paths (cs-uri-stem) regardless of other Request Filtering settings.
Similar to the alwaysAllowedUrls setting (above) however this setting does not take precedence over other settings.
For example, a specified query string added to this list cannot be used to bypass request filtering settings. Other settings take precedence.
Similar to the denyUrlSequences setting (above) however this setting does not take precedence over other settings.
requestLimits includes three settings greatly documented by this module: maxAllowedContentLength, maxUrl, maxQueryString Additionally there is functionality to place size limits on headers.
When a client request exceeds a header limit value an HTTP 431 Request Header Fields Too Large is returned. Not the typical Request Filtering response.
In the following example, the User-Agent header has a max size limit of 2048.
<requestLimits>
<headerLimits>
<add header="User-Agent" sizeLimit="2048" />
</headerLimits>
</requestLimits>Performs string matching on all or some of the following:
cs-uri-stemcs-uri-query- Specified Header Fields
Block requests with User-Agent: InternetScanner.
<filteringRules>
<filteringRule name="BlockUserAgent" scanUrl="false" scanQueryString="false">
<scanHeaders>
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<add string="InternetScanner" />
</denyStrings>
</filteringRule>
</filteringRules>If your website utilizes query parameters for SQL commands (not recommended), there is a great Microsoft blog post by Wade Hilmo titled Filtering for SQL Injection on IIS 7 and later. Below is the filteringRule from that post showing how to filter SQL injection commands from the query string. Again, while this technique of interfacing with a database is not recommended it does illustrate a great way to leverage filteringRules.
<filteringRules>
<filteringRule name="SQLInjection" scanQueryString="true">
<appliesTo>
<add fileExtension=".asp" />
<add fileExtension=".aspx" />
</appliesTo>
<denyStrings>
<add string="--" />
<add string=";" />
<add string="/*" />
<add string="@" />
<add string="char" />
<add string="alter" />
<add string="begin" />
<add string="cast" />
<add string="create" />
<add string="cursor" />
<add string="declare" />
<add string="delete" />
<add string="drop" />
<add string="end" />
<add string="exec" />
<add string="fetch" />
<add string="insert" />
<add string="kill" />
<add string="open" />
<add string="select" />
<add string="sys" />
<add string="table" />
<add string="update" />
</denyStrings>
</filteringRule>
</filteringRules>Only available on IIS 10+. Removes the Server response header.
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true">
</requestFiltering>
</security>
</system.webServer>
</configuration>https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/