Request Filtering
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the Request Filtering feature page to configure filtering rules for your website. Web request filtering, like FTP request filtering, lets you restrict protocol and content behavior.
UI Elements for Request Filtering
The following tables describe the UI elements that are available on the feature page and in the Actions pane.
Feature Page Elements
| Element Name | Description |
|---|---|
| File Name Extensions | Specifies a list of file name extensions for which the request-filtering service allows or denies access. |
| Rules | Lists the filtering rules and the specific parameters for which the request-filtering service should scan. These parameters include headers, file name extensions, and deny strings. |
| Hidden Segments | Specifies a list of hidden segments for which the request-filtering service denies access. These segments do not display in directory listings. |
| URL | Specifies a list of URL sequences for which the request-filtering service allows or denies access. |
| HTTP Verbs | Specifies a list of HTTP verbs for which the request-filtering service allows or denies access. |
| Headers | Specifies the headers and their size limits for which the request-filtering service denies access. |
| Query Strings | Specifies the query strings for which the request-filtering service denies access. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Edit Feature Settings | Opens the Edit Request Filtering Settings dialog box that lets you configure general properties and request limits. |
| Remove | Removes a file name extension, rule, hidden segment, URL sequence, HTTP verb, header, or query string from the list. |
Edit Request Filtering Settings Dialog Box
Use the Edit Request Filtering Settings dialog box to configure general settings and request limits on your Web server.
| Element Name | Description |
|---|---|
| Allow unlisted file name extensions | Select this option to allow unlisted file name extensions. |
| Allow unlisted verbs | Select this option to allow unlisted verbs. |
| Allow high-bit characters | Select this option to allow high-bit characters in request filter operations. Examples of high-bit characters are: Ж, Ы, and Я. |
| Allow double escaping | Select this option to allow double escaping. |
| Maximum allowed content length (Bytes) | Specifies the maximum length, in bytes, for content. |
| Maximum URL length (Bytes) | Specifies the maximum length, in bytes, for a URL string. |
| Maximum query string (Bytes) | Specifies the maximum length, in bytes, for a query string. |
File Name Extensions Tab
Use the File Name Extensions tab to create a list of file name extensions for which the request-filtering module allows or denies access. This helps restrict certain file types and increase security on your web server.
Feature Page Elements
| Element Name | Description |
|---|---|
| File Name Extension | Displays the file name extension for which the request-filtering module either allows or denies access. |
| Allowed | Displays the status of the file name extension. The status is True if the file name extension is allowed, or False if the file name extension is denied. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Allow File Name Extension | Opens the Allow File Name Extension dialog box that lets you add a file name extension to the list of allowed file name extensions. |
| Deny File Name Extension | Opens the Deny File Name Extension dialog box that lets you add a file name extension to the list of denied file name extensions. |

For common elements, see the Request Filtering feature page.
Allow or Deny File Name Extension Dialog Boxes
Use the Allow File Name Extension or Deny File Name Extension dialog box to add a file name extension to the list of file name extensions for which the request-filtering module will allow or deny access.
| Element Name | Description |
|---|---|
| File name extension | Specifies the file name extension for which the request-filtering service either allows or denies access. |
Rules Tab
Use the Rules tab to configure request-filtering rules for allowing or denying access to your Web server based on several parameters, such as headers and deny strings. For examples of filtering rules, see Common URLScan Scenarios.
Feature Page Elements
| Element Name | Description |
|---|---|
| Name | Displays the name of the request-filtering rule. |
| Scan | Displays the value that the request-filtering rule scans for the URL, query string, or any combination thereof. |
| Applies To | Displays the parameters to which the request-filtering rule applies. |
| Deny Strings | Displays the strings to which the request-filtering rule denies access. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Add Filtering Rule | Opens the Add Filtering Rule dialog box that lets you add a rule with specific parameters for which to scan. |

For common elements, see the Request Filtering feature page.
Add Filtering Rule Dialog Box
Use the Add Filtering Rule dialog box to add a rule with specific parameters to the request-filtering module’s rule list. This action enables the module to deny requests that fit the criteria specified by the rule.
| Element Name | Description |
|---|---|
| Name | Specifies the name of the filtering rule that is added to the list. |
| Scan url | Select this option and the request-filtering module scans a request URL. |
| Scan query string | Select this option and the request-filtering module scans a request query string. |
| Scan Headers | Adds a user-specified header to the list of headers to search for in the request. Use the asterisk (*) to add a row to the table. |
| Applies To | Adds a file name extension to the list of file name extensions to which this request-filtering rule applies. Use the asterisk (*) to add a row to the table. |
| Deny Strings | Adds a string to the list of strings to search for in the request. If the specified string is found in the request URL, query string, or header, then the request is denied. Use the asterisk (*) to add a row to the table. |
Hidden Segments Tab
Use the Hidden Segments tab to define the list of URL segments for which the request-filtering module will deny access and will exclude from directory listings. A URL segment is the part of the URL path that lies between the slash (/) marks.
Feature Page Elements
| Element Name | Description |
|---|---|
| Segment | Displays the URL segment for which the request-filtering service denies access and which it does not display in directory listings. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Add Hidden Segment | Opens the Add Hidden Segment dialog box that lets you add a hidden segment to the list of hidden segments. |

For common elements, see the Request Filtering feature page.
Add Hidden Segment Dialog Box
Use the Add Hidden Segment dialog box to add a URL segment to the list of URL segments for which the request-filtering module will deny access. A URL segment is a part of the URL path that lies between the slash (/) marks.
| Element Name | Description |
|---|---|
| Hidden segment | Specifies the URL segment for which the request-filtering module denies access. |
URL Tab
Use the Deny URL Sequences tab to create a list of URL sequences for which the request-filtering module will deny access. For example, you can specify “admin/config.xml” as a URL sequence, which denies requests to https://contoso.com/application/admin/config.xml.
Feature Page Elements
| Element Name | Description |
|---|---|
| Deny URL Sequence | Displays the URL sequence for which the request-filtering module will deny access. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Allow URL | Opens the Add Always Allowed URL dialog box that lets you add a URL to the list of allowed URLs. |
| Deny Sequence | Opens the Add Deny Sequence dialog box that lets you add a sequence to the list of denied sequences. |

For common elements, see the Request Filtering feature page.
Allow URL Dialog Box
Use the Add Always Allowed URL dialog box to add a URL sequence to the list of URL sequences for which the request-filtering module will always grant access.
| Element Name | Description |
|---|---|
| URL | Specifies the URL for which the request-filtering module always grants access. |
Add Deny Sequence Dialog Box
Use the Add Deny Sequence dialog box to add a URL sequence to the list of URL sequences for which the request-filtering module will deny access.
| Element Name | Description |
|---|---|
| URL sequence | Specifies the URL sequence for which the request-filtering module denies access. |
HTTP Verbs Tab
Use the HTTP Verbs tab to create a list of verbs for which the request-filtering module will allow or deny access. Examples of HTTP verbs include GET, POST, and HEAD.
Feature Page Elements
| Element Name | Description |
|---|---|
| Verb | Displays the verb for which the request-filtering module either allows or denies access. |
| Allowed | Displays the status of the verb, which will be either True if the verb is allowed, or False if the verb is denied. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Allow Verb | Opens the Allow Verb dialog box that lets you add a verb to the list of allowed verbs. |
| Deny Verb | Opens the Deny Verb dialog box that lets you add a verb to the list of denied verbs. |

For common elements, see the Request Filtering feature page.
Allow or Deny Verb Dialog Boxes
Use the Allow Verb dialog box to add a verb to the list of HTTP verbs for which the request-filtering module will allow access. Use the Deny Verb dialog box to add a verb to the list of HTTP verbs for which the request-filtering module will deny access.
| Element Name | Description |
|---|---|
| Verb | Specifies the HTTP verb for which the request-filtering module either allows or denies access. |
Headers Tab
Use the Headers tab to create a list of headers for which the request-filtering module will deny access if the value of a header is larger than the specified size.
Feature Page Elements
| Element Name | Description |
|---|---|
| Header | Displays the header for which the request-filtering module denies access if the size is larger than the specified size. |
| Size Limit | Displays the maximum size allowed for the header. For example, specifying a value of 100 would limit the length of a content-type header to 100 bytes. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Add Header | Opens the Add Header dialog box that lets you add a header to the list of denied headers. |

For common elements, see the Request Filtering feature page.
Add Header Dialog Box
Use the Add Header dialog box to specify a size limit for a particular HTTP header. If a header’s length exceeds the specified value, then the HTTP request that contains this header is denied.
| Element Name | Description |
|---|---|
| Header | Specifies the header for which the request-filtering module checks the size limit. |
| Size limit | Specifies the maximum character length for the header’s value. |
Query Strings Tab
Use the Query Strings tab to create a list of query strings for which the request-filtering module will either always allow or deny access. An example of a query string is “%3b”, which is used to catch SQL injection attempts.
Feature Page Elements
| Element Name | Description |
|---|---|
| Query String | Displays the query string for which the request-filtering module either allows or denies access. |
| Action | Displays the status of the query string, which will be either Always allow or Deny. |
Actions Pane Elements
| Element Name | Description |
|---|---|
| Allow Query String | Opens the Allow Query String dialog box that lets you add a query string that the request-filtering service will always allow. |
| Deny Query String | Opens the Deny Query String dialog box that lets you add a query string that the request-filtering service will deny. |

For common elements, see the Request Filtering feature page.
Allow or Deny Query String Dialog Boxes
Use either the Allow Query String or Deny Query String dialog box to add a query string to the list of query strings for which the request-filtering module will either always allow or deny access.
| Element Name | Description |
|---|---|
| Query string | Specifies the query string for which the request-filtering service either always allows or denies access. |
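The settings on these tabs are stored in the `<requestFiltering>` configuration section. The following web.config fragment is an added example, not part of the original page, showing one entry per tab. The sequences `admin/config.xml` and `%3b` and the 100-byte header limit come from the text above; the `.bak` extension, the `backup` segment, the rule name, the `--` deny string, and the limit values are constructed for illustration.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- Edit Request Filtering Settings: double escaping and high-bit characters -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="true">
        <!-- Maximum allowed content length, URL length and query string, in bytes -->
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048">
          <!-- Headers tab: deny requests whose Content-Type value exceeds 100 bytes -->
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
        <!-- File Name Extensions tab; allowUnlisted is "Allow unlisted file name extensions" -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>
        <!-- HTTP Verbs tab; allowUnlisted="false" makes the list an allowlist -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>
        <!-- Hidden Segments tab: denied and left out of directory listings -->
        <hiddenSegments>
          <add segment="backup" />
        </hiddenSegments>
        <!-- URL tab: Deny Sequence -->
        <denyUrlSequences>
          <add sequence="admin/config.xml" />
        </denyUrlSequences>
        <!-- Query Strings tab: %3b is the URL-encoded semicolon -->
        <denyQueryStringSequences>
          <add sequence="%3b" />
        </denyQueryStringSequences>
        <!-- Rules tab: scan only the query string of .aspx requests -->
        <filteringRules>
          <filteringRule name="DenyCommentMarkerInQuery" scanUrl="false" scanQueryString="true">
            <appliesTo>
              <add fileExtension=".aspx" />
            </appliesTo>
            <denyStrings>
              <add string="--" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests rejected by these settings are logged with HTTP status 404 and a substatus that identifies the check, for example 404.6 for a denied verb and 404.7 for a denied file name extension, so the IIS log is the place to confirm that a rule is firing.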