Pete Freitag Pete Freitag

Request Filtering in IIS

Updated on December 06, 2023
By Pete Freitag

I've been doing some security work in Windows recently for a client, one feature I've really come to like in IIS is Request Filtering. Request Filtering is a great tool for adding security rules, it was added in Windows 2008 / IIS 7.

You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.

Request filtering can be configured in IIS manager if you install extra addons, or you can configure it using the new web config files that IIS 7 introduced. I prefer using the web.config files coming from an Apache background.

The global configuration file is called applicationHost.config and it is located in C:\windows\system32\inetsrv\config\ by default, this is similar to the httpd.conf file for Apache.

Site specific configuration can either be added to the applicationHost.config or in a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).

The <requestFiltering> tag is located under the following location in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:

  • denyUrlSequences - Used to deny specific URI's
  • fileExtensions - Used to deny specific file extensions, or allow only a whitelist of file extensions.
  • hiddenSegments - Used to hide URI sequences
  • requestLimits - Used to limit the size of elements in the HTTP Request (query string, headers, url, content length, etc)
  • verbs - Deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc)

Example web.config file using Request Filtering

Here's a quick example of how you might use the request filtering features in a web.config file:

            <!-- block /CFIDE -->
               <add sequence="/CFIDE"/>
            <!-- block all file extensions except cfm,js,css,html -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            <!-- limit post size to 10mb, query string to 256 chars, url to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />
            <!-- only allow GET,POST verbs -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />

The maxAllowedContentLength feature of Request Filtering is pretty handy, it specifies the maximum number of bytes that can be posted. This is effectivly the maximum file upload size that your server can handle, or if your are hosting an API the maximum size of the JSON / XML body payload.

As of IIS 10, Microsoft has added the ability to remove the Server header using request filtering. Using request filtering ends up being a much cleaner solution.

iis microsoft iis7 request filtering security config windows filtering

Request Filtering in IIS was first published on February 16, 2010.

If you like reading about iis, microsoft, iis7, request filtering, security, config, windows, or filtering then you might also like:

Weekly Security Advisories Email

Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).


Wow, that is really straight forward an easy to understand.

That is also a good example of whitelist and blacklist validation with great use of whitelist validation.

Thanks for sharing.
by Jason Dean on 02/16/2010 at 12:36:13 PM UTC
You're welcome Jason, yeah it is actually pretty simple!

Adding the .config files was a smart move for MS!
by Pete Freitag on 02/16/2010 at 3:41:13 PM UTC
Spent the last 2 hours trying to find this information. Thanks!!!
by Randy on 08/16/2010 at 1:46:49 PM UTC

Thanks for this article, I have a small confusion regarding adding URL sequences with MS-DOS device names?
Would you kindly help me and tell me how exactly do I need to do that?

by musa zargar on 05/24/2015 at 1:09:31 PM UTC
Hello Musa

Even I'm looking for ISAPI filter to block URLs with MsDos Device names. Did you find any solution?
by Divya on 06/19/2015 at 6:26:30 AM UTC