7

I am using IIS 8 on Server 2012 and have an MVC website serving extensionless pages. I'm trying to harden IIS by blocking all but an allowed set of extensions in the request filtering section. As extensionless MVC pages have no extension, this is proving somewhat difficult!

I've tried adding .mvc, .aspx and .cshtml to the allowed list to see if any of those would work but by unticking Allow unlisted file name extensions in the Edit Feature Settings menu, I keep getting a 404 error.

Is there any combination of special characters or some kind of keyword I can use to add extensionless addresses to the allowed list so that I can block all unlisted extensions? I really dont want to have to allow unlisted file name extensions and then create a list of hundreds of denied extensions.

Cheers all!

Improve this question
1
  • 2
    Is my answer helpful? If so feel free to accept and/or upvote ше if, or provide a feedback so I could improve it. Otherwise this thread looks abandoned and kinda useless for further readers. Thank you! Commented Sep 21, 2018 at 14:20

1 Answer 1

Reset to default
13

Sure. To allow extensionless adresses, add <add fileExtension="." allowed="true" /> to your web.config as below:

  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>

Let me know if this helped.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.