Skip to main content
Waters Employee Login
 
Waters

How to restrict the available HTTP verbs in Microsoft IIS - WKB202491

  1. Last updated
  2. Save as PDF
Article number: 202491

OBJECTIVE or GOAL

Restrict the HTTP server in Microsoft IIS to a small list of allowed verbs.

ENVIRONMENT

  • Windows Server 2019/2016/2012

PROCEDURE

  1. Open IIS Manager.
  2. Connect to the local server.
  3. Expand the Sites tree and select Default Web Site.
  4. Double-click Request Filtering.
  5. Select the Verbs tab.
  6. Click Edit Feature Settings....
  7. Clear the check box "Allow unlisted verbs"
  8. Click OK.
  9. Click Allow Verb....
  10. Type GET and click OK.
  11. Click Allow Verb....
  12. Type POST and click OK.
  13. Repeat steps 4 through 12 for any other website in IIS.
  14. Restart IIS.

ADDITIONAL INFORMATION

Most web apps use the GET and POST verbs exclusively. GET is the main verb; it is used to request resources from a web server. POST is used by many web apps to accept input from users. Some apps may use the HEAD or PUT verbs; for such cases, add those verbs to the allow list.

A list of HTTP verbs: Hypertext Transfer Protocol - Wikipedia

id202491,

Not able to find a solution? Click here to request help.