How to deny HTTP methods (or verbs) for path in ASP.NET app

Question

For security reasons i want to disable some http methods(e.x. OPTIONS,TRACE,HEAD) through application level. I want to do this for all files in directory "bundles/"

But this path is actually created by this

bundles.Add(new Bundle("~/bundles/Something").Include("~/Contents/Scripts/file.js"));
bundles.Add(new Bundle("~/bundles/Anything").Include("~/Areas/Import/Scripts/App/anotherfile.js"));

Fow now I tried this (in Web.config)

<system.web>
  <httpHandlers>
    <add path="bundles/" verb="OPTIONS,TRACE,HEAD" type="System.Web.HttpMethodNotAllowedHandler" />
  </httpHandlers>
</system.web>

but it doesn't work

So, I want user gets 405 Method Not Allowed when making OPTIONS, TRACE, HEAD requests for any link like myapp.com/bundles/example

Thank you

score 2 · Answer 1 · answered Jun 25 '18 at 19:23

I'd do this like that:

<system.web>
    <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
    </authorization>

...

    <httpHandlers>
        <add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
        <add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
        <add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
    </httpHandlers>
</system.web>

It works but for all app pages, but I need to deny methods only for this link "example.com/bundles" — Tomorrow's Explorer, Jun 26 '18 at 12:31

score 1 · Answer 2 · answered Jun 25 '18 at 16:45

Try this

<add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

How to deny HTTP methods (or verbs) for path in ASP.NET app

2 Answers2