How to disable some HTTP Methods for a .net MVC application hosted in Azure Platform

Question

How to disable some HTTP Methods for a .net MVC application hosted in Azure Platform

Anonymous

Hi Team,

I want to disable some HTTP Methods like OPTIONS,MOVE,PATCH,TRACE for my .net mvc application hosted in Azure platform. I tried some changes in web.config file but was in vain. Please let me know the steps.

P.S : We are not connected to IIS.

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-11-24T11:26:08.97+00:00

Hi Thanks for the question - when you say "you are not connected to IIS" do you mean you're hosting on Linux app service (for example) as you list app service as the host (in the question tags)
AgaveJoe 1,510 Reputation points

2023-11-24T12:32:52.3933333+00:00

It is not possible to stop a client from sending OPTIONS, MOVE, PATCH or TRACE. What exactly do you want to happen if a client sends one of these methods?
Anonymous

2023-11-24T14:31:52.0833333+00:00

@AgaveJoe , Thanks for your reply. I need to block some methods like OPTIONS,PUT,PATCH,DELETE,TRACE,PROPFIND, etc...and show 404 error when client sends these methods.
Lex Li (Microsoft) 6,032 Reputation points Microsoft Employee

2023-11-25T00:16:23.31+00:00

ASP.NET MVC or ASP.NET Core MVC? Windows or Linux? If those are not clear, this question cannot be answered.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anonymous

2023-11-25T17:16:32.5233333+00:00

@Ben Gimblett , No, It is fully Azure based.

Accepted answer

0 additional answers

Your answer

Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-11-24T11:26:08.97+00:00

Hi Thanks for the question - when you say "you are not connected to IIS" do you mean you're hosting on Linux app service (for example) as you list app service as the host (in the question tags)
AgaveJoe 1,510 Reputation points

2023-11-24T12:32:52.3933333+00:00

It is not possible to stop a client from sending OPTIONS, MOVE, PATCH or TRACE. What exactly do you want to happen if a client sends one of these methods?
Anonymous

2023-11-24T14:31:52.0833333+00:00

@AgaveJoe , Thanks for your reply. I need to block some methods like OPTIONS,PUT,PATCH,DELETE,TRACE,PROPFIND, etc...and show 404 error when client sends these methods.
Lex Li (Microsoft) 6,032 Reputation points Microsoft Employee

2023-11-25T00:16:23.31+00:00

ASP.NET MVC or ASP.NET Core MVC? Windows or Linux? If those are not clear, this question cannot be answered.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anonymous

2023-11-25T17:16:32.5233333+00:00

@Ben Gimblett , No, It is fully Azure based.

Answer 1

Hi @Jain, Akshitha,

Here are the multiple ways to disabling specific HTTP methods for an Azure-hosted .NET MVC application:

1)You can handle the Application_BeginRequest event in the Global.asax file to check for the HTTP method and terminate requests that use methods you want to disable.

protected void Application_BeginRequest(object sender, EventArgs e)
   {
       if (Request.HttpMethod == "OPTIONS" || Request.HttpMethod == "TRACE" /* ... other methods ... */)
       {
           Response.StatusCode = 403; // Forbidden
           Response.End();
       }
   }

2)If you are using ASP.NET Core, you can implement middleware to check for the HTTP method and short-circuit the pipeline if it matches one of the methods you wish to block.

3)You can create a custom action filter to reject requests with unwanted HTTP methods.

public class BlockHttpMethodsAttribute : ActionFilterAttribute
     {
         private readonly string[] _methods;
         public BlockHttpMethodsAttribute(params string[] methods)
         {
             _methods = methods;
         }
         public override void OnActionExecuting(ActionExecutingContext filterContext)
         {
             if (_methods.Contains(filterContext.HttpContext.Request.HttpMethod, StringComparer.OrdinalIgnoreCase))
             {
                 filterContext.Result = new HttpStatusCodeResult(405); // Method Not Allowed
             }
         }
     }

You can then apply this filter globally or to specific controllers/actions in your application.

Best regards,
Jalpa Panchal

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Anonymous

2023-11-25T16:45:54.62+00:00

@Anonymous , Thanks for your reply. Will implement and let you know.
Anonymous

2023-11-27T15:56:35.52+00:00

@Anonymous , Can I handle this it in Application_Start event in Global.asax.cs?
Anonymous

2023-11-28T08:32:15.4433333+00:00

about handling methods in the Application_Start event in Global.asax.cs, the Application_Start event is typically used to initialize application-level settings, such as registering routes, bundle configurations, etc., not for handling each request. The interception of requests is usually done in Application_BeginRequest, which is an event triggered at the beginning of every HTTP request.you could try to disable them through Azure's application settings or network configuration.
Anonymous

2023-12-11T08:36:56.5466667+00:00

@Anonymous , Thanks for your solution. It worked.

Share via

How to disable some HTTP Methods for a .net MVC application hosted in Azure Platform

0 additional answers

Your answer