I blocked HEAD,TRACE in request filtering, but it keeps appearing on the allowed methods list.

동현 곽 0 Reputation points
2023-05-08T00:22:21.9966667+00:00

I blocked HEAD,TRACE in request filtering, but it keeps appearing on the allowed methods list.

It works functionally but does not disappear from the allow method. I don't know why.

User's image

User's image

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,966 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,438 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,293 questions
Windows Server Printing
Windows Server Printing
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Printing: Printer centralized deployment and management, scan and fax resources management, and document services
649 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,061 Reputation points
    2023-05-09T11:13:24.8033333+00:00

    Hello

    Thank you for your question and reaching out.

    You should continue to retain a request filtering rule with the TRACE verb banned in order to effectively stop TRACE requests.

    IIS receives an OPTIONS request from the curl command, and the ProtocolSupportModule creates the response message.

    Sample web.config


    <requestFiltering>

      <verbs allowUnlisted="false">
    
        <clear/>
    
        <add verb="GET" allowed="true" />
    
        <add verb="HEAD" allowed="true" />
    
        <add verb="POST" allowed="true" />
    
      </verbs>
    
    </requestFiltering>
    

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments