How to arrest '.axd' files from script level/Web.config/IIS & how to set Referrer Http header in Sever Side/Web.config

Sriram K 1 Reputation point

Hi Team,

1: We are using Script manager for 'Alerts & Js' because of this we are identifying ScripResource.axd & webResource.axd files while running the application.

2: We have a created Rule for 'Referer HTTP' header in Web.config file , when trying to tampering the referrer header we are getting response from server side as 200 OK instead of 400 Bad request .

Similarly, the same rule we have applied for other security HTTP headers like 'Origin & Host' Logic worked out , Can you please let us know do we need to add any other condition.

Example for Origin Rule :

<rule name="Origin rule">
<match url="(.*)" />
<add input="{HTTP_ORIGIN}" pattern="(^$|https://domainname)$" negate="true" />
<action type="CustomResponse" statusCode="400" statusReason="Bad Request" />

Kindly suggest us how to overcome in ASP.NET

Internet Information Services
A set of technologies in the .NET Framework for building web applications and XML web services.
3,303 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Lan Huang-MSFT 26,121 Reputation points Microsoft Vendor

    Hi @Sriram K ,

    How to arrest '.axd' files

    You can remove these files by adding the following to all my web.config files:

            <remove path="WebResource.axd" verb="GET"/>  
            <remove path="WebResource.axd" verb="POST"/>  
            <remove path="ScriptResource.axd" verb="GET"/>  
            <remove path="ScriptResource.axd" verb="POST"/>  

    Now when you try to get these pages you might be prompted to login or given 404 error.
    Also remove them from in

             <remove name="ScriptResourceIntegrated-4.0"/>  
    <location path="WebResource.axd">  
     <deny users="*"/>  

    Or you can use *.axd as a disallowed extension in request filtering
    The same effect can be achieved using the following web.config section:

                    <add fileExtension=".axd" allowed="False" />  

    how to set Referrer Http header in Sever Side

    Referer is controlled (and sent) by the client. You can't affect it server-side. There may be some JavaScript that you could emit that'd get the client to do it - but it's probably considered a security flaw.

    Best regards,
    Lan Huang

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.