
Does anyone know how to create a request blocking rule in IIS that blocks requests that do not meet the following requirements?

  • custom header HTTP_MyMandatoryHeader must be present
  • value of HTTP_MyMandatoryHeader must be a specific value

I tried the following IIS URL Rewrite rule, but all requests are blocked with it.

<rewrite>
    <rules>
        <rule name="RequestBlockingRule1" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_MyMandatoryHeader}" pattern="^123$" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
        </rule>
    </rules>
</rewrite>


Thanks, Tom

  • Does this answer your question? [UrlRewrite condition based on custom HTTP header](https://stackoverflow.com/questions/43050026/urlrewrite-condition-based-on-custom-http-header) – Matt Evans Oct 30 '20 at 09:27
  • Indeed, I had the HTTP_, but missed substituting the dashes with underscores. – Tom Oct 30 '20 at 12:52
  • You don't necessarily need to substitute dashes with underscores; you can also refer to this link: [link](https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/setting-http-request-headers-and-iis-server-variables#allowing-server-variables-to-be-changed). – samwu Nov 02 '20 at 08:33
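
The naming convention raised in the comments, as an added example that is not part of the original question or of any commenter's post: URL Rewrite exposes a request header as a server variable named `HTTP_` plus the header name in upper case with each dash replaced by an underscore. The header name `X-My-Mandatory-Header`, the rule name and the value `123` are placeholders chosen for illustration.

```xml
<!-- Added example. Header name, rule name and expected value are placeholders. -->
<rewrite>
    <rules>
        <rule name="RequireMandatoryHeader" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <!-- Request header X-My-Mandatory-Header is read as
                     HTTP_X_MY_MANDATORY_HEADER: HTTP_ prefix, upper case,
                     each "-" replaced by "_". -->
                <!-- A missing header yields an empty input string, which does
                     not match ^123$, so the negated condition is true and the
                     request is rejected. One condition therefore covers both
                     "header must be present" and "header must equal 123". -->
                <add input="{HTTP_X_MY_MANDATORY_HEADER}" pattern="^123$" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Required request header is missing or has an unexpected value." />
        </rule>
    </rules>
</rewrite>
```

If the variable name in `input` does not resolve to the header, the input is always empty and the negated condition blocks every request, which is the symptom described in the question.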
