-1

We have an application which is developed using MVC3 and .NET Framework 4.0. To prevent HTTP verb tampering, we have included the code below in the application's web.config file. On the local machine, the fix was working as expected and returned a 401 Unauthorized code.

    <authorization>
      <allow verbs="GET" users="*" />
      <allow verbs="POST" users="*" />
      <deny verbs="*" />
    </authorization>

When we deployed the same code, the test result returned 202 OK. So the fix is not working. Is there any way we can fix this issue?

Tech Learner

1 Answer

1

Are you working with the "Play" button in Visual Studio? Is this using IIS Express, or are you really "deploying" that to an IIS WebApp on your local machine?

I usually do not use the "Play" button when I am developing for IIS, especially when I am developing for a specific IIS Server. When that happens, I try to have the same IIS Server configuration on my machine and create a WebApp pointing to my Dev folder to test it.

If you are having trouble configuring your web.config, I would use the IIS visual tools, check the modifications made to the web.config and commit that.

Please note that there are some differences in the configuration on the ASP.NET side and on the IIS side:

Please check this website: https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

And refer to these notes:

Differences Between ASP.NET URL Authorization and IIS URL Authorization

There are small but important differences between ASP.NET UrlAuthorization and IIS URL Authorization.

ASP.NET Url Authorization is installed when you install ASP.NET on top of IIS.

This refers to IIS 7.0. Even though several configurations are compatible from one IIS version to another, some specific changes might apply.

rodrigogq
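The IIS-side counterpart of the rules in the question, as an added example (not from the original posts or the linked documentation). It assumes the question's block sits under `<system.web>`, where ASP.NET URL Authorization reads it, and that the IIS URL Authorization role service is installed on the deployment server.

```xml
<configuration>
  <!-- IIS URL Authorization is a native IIS module configured under
       system.webServer, separately from the ASP.NET <authorization>
       section under system.web shown in the question. -->
  <system.webServer>
    <security>
      <authorization>
        <!-- Remove the inherited default rule that allows every user
             on every verb; otherwise it would still match. -->
        <remove users="*" roles="" verbs="" />
        <!-- Allow only GET and POST. A request that matches no allow
             rule is denied by the module. -->
        <add accessType="Allow" users="*" verbs="GET,POST" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request the same URL with a verb other than GET or POST against each environment and compare the status codes, since the module set installed on the server decides which section is enforced.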