HTTP Policy Settings

HTTP policy encompasses the following settings:

  • Request header maximum length
  • Request payload length
  • URL protection
  • Executable blocking
  • Denied methods
  • Specified actions for specific file extensions
  • Deny specific headers
  • Modify Server and Via headers
  • Block high bit characters
    When you select Block high bit characters, URLs that contain a double-byte character set (DBCS) or Latin 1 characters will be blocked. These are typically characters from languages that require more than 8 bits to represent the characters of the language, and therefore use 16 bits. This can impact scenarios such as Outlook Web Access publishing, SharePoint™ Portal Server publishing, and any scenario in which a GET request passes a parameter that includes a character from a DBCS.
  • Deny specific signatures
    When you block specific signatures, you are blocking applications that tunnel traffic over HTTP and that can be characterized by specific patterns in request headers, response headers, and the body (for example, Windows Messenger). HTTP signature blocking will not block applications that use different types of content encoding or range requests.
    Signature examples are provided in Common Application Signatures.

About Range Requests

Range requests are requests that specify ranges of data requested for the response. They provide control over continuing downloads that were interrupted, downloading materials sequentially as the user pages through them, or downloading sections of materials as needed.

It is assumed that all HTTP requests and responses are Uniform Transformation Format-8 (UTF-8, a transformation of Unicode character encoding) encoded. If a different encoding scheme is used, signature blocking cannot be performed.

About HTTP Request and Response Headers

HTTP requests and responses use headers to send information about the HTTP messages. A header is a series of lines, with each line containing a name followed by a colon and a space, and then a value.

HTTP policy can be applied to client Internet access, and to Web publishing:

  • In client Internet access, you may want to limit client access to specific services available on the Internet. For example, you may want to block a peer-to-peer file sharing service.
  • In Web publishing, you may want to use HTTP filtering to block requests that may contain malicious code. Attacks are often known to carry specific signatures and extensions. For example, the Code Red virus made use of the extension .ida. If you block those signatures and extensions, the attacks will not reach your Web servers.
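The following added example (not ISA Server's own code or configuration format) shows how the settings listed on this page fit together in a request filter: it parses the "Name: value" header lines described above, applies denied methods, blocked extensions (.ida), high-bit URL blocking, denied headers and header/body signatures, and skips signature matching when a Content-Encoding or Range header is present, which is the gap the page warns about. The policy values, the tunnel signature and the sample requests are constructed for illustration.

```python
import re

# Constructed policy in the shape of the settings listed on this page; the
# values are illustrative and are not ISA Server's own configuration.
POLICY = {
    "max_header_length": 4096,
    "denied_methods": {"TRACE", "CONNECT"},
    "blocked_extensions": {".ida", ".exe"},
    "block_high_bit": True,
    "denied_headers": {"X-Tunnel-Control"},                                 # constructed name
    # Signatures: header name -> regex applied to that header's value.
    "header_signatures": {"User-Agent": re.compile(r"ExampleTunnelClient/")},  # constructed
    "body_signatures": [re.compile(rb"TUNNEL-HELLO")],                         # constructed
}

def parse_request(raw: bytes):
    """Split a raw request into (method, url, headers, head, body).
    Header lines are 'Name: value'; an empty line ends the header block."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(": ")
        headers[name.lower()] = value          # header names are case-insensitive
    return method, url, headers, head, body

def evaluate(raw: bytes, policy=POLICY) -> list:
    """Return the findings for one request; an empty list means it is allowed."""
    method, url, headers, head, body = parse_request(raw)
    findings = []
    if len(head) > policy["max_header_length"]:
        findings.append("request header too long")
    if method.upper() in policy["denied_methods"]:
        findings.append(f"denied method {method}")
    path = url.split("?", 1)[0].lower()
    if any(path.endswith(ext) for ext in policy["blocked_extensions"]):
        findings.append(f"blocked extension in {path}")
    if policy["block_high_bit"] and any(ord(c) > 127 for c in url):
        findings.append("high-bit character in URL")
    for name in policy["denied_headers"]:
        if name.lower() in headers:
            findings.append(f"denied header {name}")
    # Signature matching assumes plain UTF-8 content: with a Content-Encoding or
    # Range header the body is compressed or partial, so the check cannot run.
    if "content-encoding" in headers or "range" in headers:
        findings.append("signature check skipped: encoded or range request")
        return findings
    for name, pattern in policy["header_signatures"].items():
        if name.lower() in headers and pattern.search(headers[name.lower()]):
            findings.append(f"signature match in {name}")
    if any(p.search(body) for p in policy["body_signatures"]):
        findings.append("signature match in body")
    return findings
```

Logging the "signature check skipped" finding separately is the useful part: it tells you which traffic passed without inspection rather than silently treating it as clean.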