
We are blocking the requests with header containing Transfer-Encoding.

Only requests with Content-Length are allowed. Will this impact the application by any means? Also, how is it determined whether to send Transfer-Encoding or Content-Length in a request?

Raul Saucedo

1 Answer


There are two ways to achieve this.

First one, you can use <scanHeaders> to filter some requests with Transfer-Encoding.

You can add a filtering rule like this. It will scan headers to check if Transfer-Encoding exists. If the value is the same as the Deny Strings, the requests will be blocked. It is easy to configure and add. But the disadvantage is that it can only judge whether the value of the header matches the Deny String, that is to say, it cannot judge a certain range of values. And I haven't found out how to allow a certain header with this rule.

The second one is using a URL Rewrite rule. You can add a rule like this:

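<rule name="deny rule" stopProcessing="true">
    <!-- Match every URL; the condition below decides whether the rule fires -->
    <match url="(.*)" />
    <conditions>
        <!-- URL Rewrite exposes request headers as HTTP_<NAME> server variables, with dashes replaced by underscores -->
        <add input="{HTTP_TRANSFER_ENCODING}" pattern="value" />
    </conditions>
    <!-- Drop the connection without sending a response -->
    <action type="AbortRequest" />
</rule>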

You can set a regular expression to determine the value of the header or a range of values. It is also easy to configure and can allow certain headers. Just change the action type to None.

Bruce Zhang
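The first approach written out as a web.config fragment, standing in for the screenshot that did not survive on this page. This is an added example, not part of the original answer; the rule name and the deny string `chunked` are assumed values.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <filteringRules>
          <!-- Rule name is an assumption. URL and query string scanning are
               switched off so that only the listed header is inspected. -->
          <filteringRule name="DenyTransferEncoding"
                         scanUrl="false"
                         scanQueryString="false">
            <scanHeaders>
              <!-- Header whose value is checked against the deny strings -->
              <add requestHeader="Transfer-Encoding" />
            </scanHeaders>
            <denyStrings>
              <!-- Assumed value. Each deny string is a literal, not a regular
                   expression, so every value to block needs its own entry. -->
              <add string="chunked" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests rejected by a filtering rule are answered with HTTP 404.19, which makes the rule's hits easy to find in the IIS logs before and after rollout.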