web config - Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS

Question

For security reasons I want to disable those methods through application level so I have this web.config file:

<configuration>
    <location path="index.php">
    <system.webServer>
                <directoryBrowse enabled="false" />
    </system.webServer>

    <system.web>
        <authorization>
            <deny verbs="OPTIONS" users="*" />
            <deny verbs="TRACE" users="*" />
            <deny verbs="HEAD" users="*" />
            <deny verbs="PROPFIND" users="*" />
            <deny verbs="COPY" users="*" />
            <deny verbs="LOCK" users="*" />
            <deny verbs="UNLOCK" users="*" />
            <deny verbs="PROPPATCH" users="*" />
            <deny verbs="MKCOL" users="*" />
            <deny verbs="MOVE" users="*" />
            <deny verbs="DELETE" users="*" />
        </authorization>
    </system.web>

  </location>
</configuration>

But this didn't work - any ideas?

Answer 1

Finaly I found another answer for this problem. and this is working for me. Just add below datas to the your webconfig file.

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <verbs allowUnlisted="true">
     <add verb="OPTIONS" allowed="false" />
    </verbs>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

Form more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering

if you want to test your web site, is it working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/