在IIS中禁用HTTP OPTIONS，TRACE，HEAD，COPY和UNLOCK方法 [英] Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS

问题描述

出于安全考虑，我想通过应用程序级别
禁用这些方法，所以我有这个web.config文件

For security reasons i want to disable those methods through application level so i have this web.config file

<configuration>
<location path="index.php">
<system.webServer>
            <directoryBrowse enabled="false" />
</system.webServer>

<system.web>
    <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />
    </authorization>
</system.web>

但是这个没有工作
任何想法？

but this didn't work any ideas ?

推荐答案

这对我有用但只有在强制处理特定动词之后默认处理程序。

This worked for me but only after forcing the specific verbs to be handled by the default handler.

<system.web>
...
  <httpHandlers>
  ... 
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

您仍然使用与上面相同的配置，但也强制处理动词默认处理程序和验证。资料来源： http://forums.asp.net/t/1311323.aspx

You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx

一种简单的测试方法就是拒绝GET并查看您的网站是否加载。

An easy way to test is just to deny GET and see if your site loads.

这篇关于在IIS中禁用HTTP OPTIONS，TRACE，HEAD，COPY和UNLOCK方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！