I blocked HEAD,TRACE in request filtering, but it keeps appearing on the allowed methods list.

동현 곽 0 Reputation points
2023-05-08T00:22:21.9966667+00:00

I blocked HEAD,TRACE in request filtering, but it keeps appearing on the allowed methods list.

It works functionally but does not disappear from the allow method. I don't know why.

User's image

User's image

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
7,529 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
9,515 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,051 questions
Windows Server Printing
Windows Server Printing
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Printing: Printer centralized deployment and management, scan and fax resources management, and document services
555 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 26,656 Reputation points
    2023-05-09T11:13:24.8033333+00:00

    Hello

    Thank you for your question and reaching out.

    You should continue to retain a request filtering rule with the TRACE verb banned in order to effectively stop TRACE requests.

    IIS receives an OPTIONS request from the curl command, and the ProtocolSupportModule creates the response message.

    Sample web.config

    <requestFiltering>

      <verbs allowUnlisted="false">

    <clear/>

    <add verb="GET" allowed="true" />

    <add verb="HEAD" allowed="true" />

    <add verb="POST" allowed="true" />

  </verbs>

</requestFiltering>

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments