IIS:如何禁用 HTTP 方法跟踪

<security>
   <requestFiltering>
       <verbs applyToWebDAV="false">
          <add verb="TRACE" allowed="false" />
       </verbs>
   </requestFiltering>
</security>

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

<add name="StaticFile" path="*" verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

$ curl -I -X OPTIONS https://example.com/mysite
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Public: OPTIONS, TRACE, GET, HEAD, POST
X-XSS-Protection: 1; mode=block
Date: Thu, 07 Feb 2019 21:03:49 GMT
Content-Length: 0

要真正阻止TRACE请求，您仍应保留阻止TRACE动词的请求过滤规则。

curl 命令向 IIS 发送 OPTIONS 请求，ProtocolSupportModule生成响应消息，

https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview

但是，Microsoft没有在system.webServer/httpProtocol部分中设计任何设置来更改标题的值，以便从那里隐藏TRACE。

但解决方法是使用 URL 重写模块，

https://blogs.msdn.microsoft.com/benjaminperkins/2012/11/02/change-or-modify-a-response-header-value-using-url-rewrite/

为Allow和Public标头创建两个出站规则，

<rewrite>
    <outboundRules>
        <rule name="ChangeHeaders" stopProcessing="false">
            <match serverVariable="RESPONSE_Allow" pattern="OPTIONS, TRACE, GET, HEAD, POST" />
            <action type="Rewrite" value="OPTIONS, GET, HEAD, POST" />
        </rule>
        <rule name="Public">
            <match serverVariable="RESPONSE_Public" pattern="OPTIONS, TRACE, GET, HEAD, POST" />
            <action type="Rewrite" value="OPTIONS, GET, HEAD, POST" />
        </rule>
    </outboundRules>
</rewrite>

在我的情况下有效：

 <requestFiltering>
      <verbs allowUnlisted="false">
        <clear/>
        <add verb="GET" allowed="true" />
        <add verb="HEAD" allowed="true" />
        <add verb="POST" allowed="true" />
      </verbs>
    </requestFiltering>

请注意，我不允许使用选项。当我不允许选项时，也不允许跟踪。