My .NET 4.0 webapp is running on Windows Server 2008 on IIS 7.5 using an Integrated pipeline.
I want to only enable the "big four" HTTP verbs. According to the documentation, this should do the trick:
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false" applyToWebDAV="true">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="PUT" allowed="true" />
<add verb="DELETE" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
But, as you might have already guessed, it does not. Doing an OPTION request still results in "HTTP 200 OK", as do LOCK, PROPFIND and some others. All of this with WebDAV not being installed.
Removing the <add verb="GET" ... line results in IIS correctly responding with a HTTP 404.6 (Verb Denied) error.
Am I missing something obvious here?
Best Answer
Aaand I was woefully wrong. IIS was indeed responding with 404, but an
<httpErrors>section kicked in and served up my "404.html" page with HTTP 200 status.