How to restrict the available HTTP verbs in Microsoft IIS - WKB202491
Article number: 202491
OBJECTIVE or GOAL
Restrict the HTTP server in Microsoft IIS to a small list of allowed verbs.
ENVIRONMENT
- Windows Server 2019/2016/2012
PROCEDURE
1. Open IIS Manager.
2. Connect to the local server.
3. Expand the Sites tree and select Default Web Site.
4. Double-click Request Filtering.
5. Select the Verbs tab.
6. Click Edit Feature Settings....
7. Clear the check box "Allow unlisted verbs".
8. Click OK.
9. Click Allow Verb....
10. Type GET and click OK.
11. Click Allow Verb....
12. Type POST and click OK.
13. Repeat steps 4 through 12 for any other website in IIS.
14. Restart IIS.
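The same procedure can be scripted for every site at once. The following PowerShell is an added example, not part of the original article; it assumes the WebAdministration module that ships with IIS, an elevated session on the server, and GET and POST as the only verbs to allow.

```powershell
# Added example: scripted equivalent of the IIS Manager procedure above.
# Run from an elevated Windows PowerShell session on the IIS server.
Import-Module WebAdministration

# Assumption: GET and POST only, as in the procedure. Add HEAD or PUT here if an app needs them.
$allowedVerbs = 'GET', 'POST'
$filter = 'system.webServer/security/requestFiltering/verbs'

foreach ($site in Get-Website) {
    $path = "IIS:\Sites\$($site.Name)"

    # Equivalent of clearing the "Allow unlisted verbs" check box.
    Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'allowUnlisted' -Value $false

    # Verb entries already in effect for this site (adding a duplicate entry fails).
    $existing = @((Get-WebConfiguration -PSPath $path -Filter $filter).Collection)

    foreach ($verb in $allowedVerbs) {
        $entry = $existing | Where-Object { $_.verb -eq $verb }
        if (-not $entry) {
            # Equivalent of "Allow Verb..." in the Verbs tab.
            Add-WebConfigurationProperty -PSPath $path -Filter $filter -Name '.' `
                -Value @{ verb = $verb; allowed = $true }
        }
        elseif (-not $entry.allowed) {
            Write-Warning "$($site.Name): $verb is listed as denied; review this entry manually."
        }
    }

    # Read the result back so the change can be reviewed per site.
    $after = Get-WebConfiguration -PSPath $path -Filter $filter
    $listed = ($after.Collection | ForEach-Object { "$($_.verb)=$($_.allowed)" }) -join ', '
    Write-Output "$($site.Name): allowUnlisted=$($after.allowUnlisted); verbs: $listed"
}

# Final step of the procedure: restart IIS.
iisreset /restart
```

Once the setting is active, Request Filtering answers a request that uses an unlisted verb with HTTP 404, recorded in the IIS log with substatus 6, which is the entry to look for when confirming the restriction or spotting an application that still needs another verb.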
ADDITIONAL INFORMATION
Most web apps use the GET and POST verbs exclusively. GET is the main verb; it is used to request resources from a web server. POST is used by many web apps to accept input from users. Some apps may use the HEAD or PUT verbs; for such cases, add those verbs to the allow list.
A list of HTTP verbs: Hypertext Transfer Protocol - Wikipedia