Section | Key | Values | Description
--- | --- | --- | ---
[Globals] | VerbAllow | 0 or 1 (default 1) | If 0, the [VerbDeny] section lists the HTTP verbs that are not accepted; if 1, the [VerbAllow] section lists the HTTP verbs accepted in a request.
[Globals] | ValidHttpVersion | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the [ValidHttpVersion] section lists the accepted HTTP version strings.
[Globals] | ValidHostPort | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the hostname and port number sent in the request URI and in the request "Host" header must match one of the Host:Port entries listed in the [ValidHostPort] section.
[Globals] | ExtensionAllow | 0 or 1 (default 1) | If 0, the [ExtensionDeny] section lists the file extensions (if any) that are not accepted; if 1, the [ExtensionAllow] section lists the accepted file extensions (if any) in the request.
[Globals] | DenyHeaderName | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the [DenyHeaderName] section lists the header names that are not accepted in an HTTP request.
[Globals] | ValidMaxLenByHeader | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the [ValidMaxLenByHeader] section is used to limit the maximum accepted size (in bytes) of a request header value, per request header name.
[Globals] | DenyUrlSequence | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the [DenyUrlSequence] section lists the character sequences that are not accepted in the request URL (not including the query string).
[Globals] | DenyQuerySequence | 0 or 1 (default 1) | If 0, no validation occurs; if 1, the [DenyQuerySequence] section lists the character sequences that are not accepted in the query string.
[Globals] | AllowDotInUrl | 0 (default) or 1 | If 0, URLs (not including the query string) containing a dot ('.') in any path component before the file extension are rejected. NOTE: a file name may still contain a dot before its extension, i.e. /path/my.file.htm is allowed. If 1, no validation occurs.
[Globals] | AllowHighBitInUrl | 0 (default) or 1 | If 0, URLs (not including the query string) containing high-bit characters (> 0x7F) are rejected; if 1, no validation occurs.
[Globals] | CanonUrlBeforeScan | 0 or 1 (default 1) | If 0, no canonicalization (normalization) occurs; if 1, the URL (not including the query string) is canonicalized before it is scanned.
[Globals] | FailOnReCanonUrlChange | 0 or 1 (default 1) | If 0, no further canonicalization occurs; if 1, the URL (not including the query string) is canonicalized a second time and the request is rejected if the URL changes again (a second decoding pass that still changes the URL indicates double encoding).
[Globals] | AllowHighBitInQuery | 0 (default) or 1 | If 0, query strings containing high-bit characters (> 0x7F) are rejected; if 1, no validation occurs.
[Globals] | CanonQueryBeforeScan | 0 or 1 (default 1) | If 0, no canonicalization (normalization) occurs; if 1, the query string is canonicalized before it is scanned.
[Globals] | FailOnReCanonQueryChange | 0 or 1 (default 1) | If 0, no further canonicalization occurs; if 1, the query string is canonicalized a second time and the request is rejected if the query string changes again.
[Globals] | CanonHeaderName | 0 (default) or 1 | If 0, no canonicalization (normalization) occurs; if 1, each header name is canonicalized after scanning (post-scan canonicalization checks RFC compliance).
[Globals] | FailOnReCanonHeaderNameChange | 0 (default) or 1 | If 0, no further canonicalization occurs; if 1, each header name is canonicalized a second time and the request is rejected if the header name changes again.
[Globals] | CanonHeaderValue | 0 (default) or 1 | If 0, no canonicalization (normalization) occurs; if 1, each header value is canonicalized after scanning (post-scan canonicalization checks RFC compliance).
[Globals] | FailOnReCanonHeaderValueChange | 0 (default) or 1 | If 0, no further canonicalization occurs; if 1, each header value is canonicalized a second time and the request is rejected if the header value changes again.
[Globals] | AllowHighBitInPayload | 0 (default) or 1 | If 0, the request is rejected if the payload contains any high-bit characters; if 1, no validation occurs.
[Globals] | UrlMaxLen | >= 0 | If specified, the size of the URL (not including the query string), in bytes, is limited to the given value.
[Globals] | QueryMaxLen | >= 0 | If specified, the size of the query string, in bytes, is limited to the given value.
[Globals] | HeaderNameMaxLen | >= 0 | If specified, the size of each request header name, in bytes, is limited to the given value.
[Globals] | HeaderValueMaxLen | >= 0 | If specified, the size of each request header value, in bytes, is limited to the given value.
[Globals] | PayloadMaxLen | >= 0 | If specified, the size of the request payload, in bytes, is limited to the given value.
[Globals] | ContentLengthMaxValue | >= 0 | If specified, and the request carries a "Content-Length" header, the numeric value of that header is limited to the given value.
[Globals] | RemoveBanner | 0 (default) or 1 | If 0, the response "Server" header is left in place; if 1, the response "Server" header is not sent in any response.
[Globals] | ChangeBanner | Any string up to 255 characters | If specified, the response "Server" header is rewritten to the given string.
[Globals] | LogFilesDir | Any string up to 255 characters (defaults to the current directory) | If specified, the directory in which the ISAPI filter stores its log files.
[Globals] | HighPriority | 0 or 1 (default 1) | If 0, the ISAPI filter loads with low priority; if 1, the ISAPI filter loads with high priority.
[Globals] | Simulate | 0 (default) or 1 | If 0, all configured checks run and offending requests are rejected; if 1, all configured checks still run (and log their findings) but requests are NOT rejected.
[VerbAllow], [VerbDeny] | - | HTTP verbs | Lists all HTTP verbs that are allowed ([VerbAllow]) or all HTTP verbs that are denied ([VerbDeny]). Any request whose verb is not one of the listed verbs ([VerbAllow]) or is one of the listed verbs ([VerbDeny]) is rejected. NOTE: comparison is case-sensitive.
[ValidHttpVersion] | - | HTTP versions | Lists the HTTP version strings a request must carry in order to be accepted; otherwise the request is rejected. NOTE: comparison is case-sensitive.
[ExtensionAllow], [ExtensionDeny] | - | File extensions | Lists all file extensions that are allowed ([ExtensionAllow]) or all file extensions that are denied ([ExtensionDeny]). Any request whose extension is not one of the listed extensions ([ExtensionAllow]) or is one of the listed extensions ([ExtensionDeny]) is rejected. NOTE: comparison is case-insensitive.
[ValidHostPort] | - | Host:Port | Lists the Host[:Port] values that the request URI and/or the "Host" header must match in order to be accepted; otherwise the request is rejected. NOTE: comparison is case-insensitive.
[DenyHeaderName] | - | HTTP header names | Lists the HTTP header names a request must NOT contain; a request carrying any of them is rejected. NOTE: comparison is case-insensitive.
[ValidMaxLenByHeader] | - | HTTP header names with maximum size allowed (Name=bytes) | Lists the HTTP header names for which the corresponding request header value has a maximum size (in bytes). Any request exceeding a listed limit is rejected. NOTE: comparison of header names is case-insensitive.
[DenyUrlSequence] | - | Character sequences | Lists the character sequences that are not allowed in a request URL; any request whose URL contains a listed sequence is rejected. NOTE: the query string is not scanned. Comparison is case-insensitive.
[DenyQuerySequence] | - | Character sequences | Lists the character sequences that are not allowed in a request query string; any request whose query string contains a listed sequence is rejected. NOTE: comparison is case-insensitive.
[VerbAllow], [VerbDeny] Example

    [VerbAllow]
    GET
    POST
    HEAD

    [VerbDeny]
    PROPFIND
    PROPPATCH
    MKCOL
    DELETE
    PUT
    COPY
    MOVE
    LOCK
    UNLOCK
    OPTIONS
    SEARCH

[ValidHttpVersion] Example

    [ValidHttpVersion]
    HTTP/0.9
    HTTP/1.0
    HTTP/1.1

[ExtensionAllow], [ExtensionDeny] Example

    [ExtensionAllow]
    .htm
    .html
    .txt
    .jpg
    .jpeg
    .gif

    [ExtensionDeny]
    .asp
    .cer
    .cdx
    .asa
    .exe
    .bat
    .cmd
    .com
    .htw
    .ida
    .idq
    .htr
    .idc
    .shtm
    .shtml
    .stm
    .printer
    .ini
    .log
    .pol
    .dat
    .inc

[ValidHostPort] Example

    [ValidHostPort]
    www.mysite.com
    10.10.10.10
    www.mysite.com:80
    10.10.10.10:80

[DenyHeaderName] Example

    [DenyHeaderName]
    Translate
    If
    Lock-Token
    Transfer-Encoding

[ValidMaxLenByHeader] Example

    [ValidMaxLenByHeader]
    Content-Length=10
    Referer=250

[DenyUrlSequence] Example

    [DenyUrlSequence]
    ..
    ./
    \
    :
    %
    &

[DenyQuerySequence] Example

    [DenyQuerySequence]
    ..
    ./
    \
    :
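The following Python model, added here as an illustration and not the filter's own code, shows how the [Globals] switches and the list sections above combine at request time: a small INI reader, the verb/host/extension/sequence checks, the canonicalize-then-rescan step with FailOnReCanonUrlChange, ContentLengthMaxValue, and Simulate mode. The sample configuration is constructed from the page's section and key names with illustrative values; the canonicalization routine (one round of %xx decoding plus slash collapsing), the order of the checks, the treatment of extensionless URLs as passing the extension check, and the Request type are assumptions of this model. Note the interaction the table implies but does not spell out: with CanonUrlBeforeScan=1 a literal "%" entry in [DenyUrlSequence] only fires on a "%" that survives decoding, i.e. on double-encoded input, which is also what FailOnReCanonUrlChange catches.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed configuration using the page's section and key names; the
# chosen values are illustrative, not a recommended policy.
SAMPLE_INI = r"""
[Globals]
VerbAllow=1
ExtensionAllow=0
ValidHostPort=1
DenyUrlSequence=1
CanonUrlBeforeScan=1
FailOnReCanonUrlChange=1
AllowDotInUrl=0
ContentLengthMaxValue=1024
Simulate=0

[VerbAllow]
GET
POST
HEAD

[ExtensionDeny]
.asp
.exe
.ini

[ValidHostPort]
www.mysite.com
www.mysite.com:80

[DenyUrlSequence]
..
./
\
:
%
&
"""


def parse_ini(text):
    """[Globals] becomes a dict keyed case-insensitively; every other
    section becomes the list of its bare entries, in file order."""
    cfg, section = {"Globals": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, [])
        elif section == "Globals":
            key, _, value = line.partition("=")
            cfg["Globals"][key.strip().lower()] = value.strip()
        elif section is not None:
            cfg[section].append(line)
    return cfg


def flag(cfg, key, default):
    return cfg["Globals"].get(key.lower(), str(default)) == "1"


def canonicalize(path):
    # Assumed canonicalization: one round of %xx decoding plus collapsing
    # of repeated slashes; the filter's actual rules are not on the page.
    return re.sub(r"/+", "/", unquote(path))


@dataclass
class Request:                   # hypothetical request shape for this model
    verb: str
    url: str                     # origin-form target, e.g. /dir/page.htm?x=1
    host: str                    # value of the Host header
    headers: dict = field(default_factory=dict)


def check_request(cfg, req):
    """Return the list of rejection reasons (empty means accepted).
    The order of the checks is an assumption of this model."""
    reasons = []
    if flag(cfg, "VerbAllow", 1):            # verb comparison is case-sensitive
        if req.verb not in cfg.get("VerbAllow", []):
            reasons.append(f"verb {req.verb} not in [VerbAllow]")
    elif req.verb in cfg.get("VerbDeny", []):
        reasons.append(f"verb {req.verb} in [VerbDeny]")
    if flag(cfg, "ValidHostPort", 1):        # Host:Port comparison is case-insensitive
        if req.host.lower() not in {h.lower() for h in cfg.get("ValidHostPort", [])}:
            reasons.append(f"host {req.host} not in [ValidHostPort]")
    scan = path = req.url.partition("?")[0]  # the query string is scanned separately
    if flag(cfg, "CanonUrlBeforeScan", 1):
        scan = canonicalize(path)
        # A second pass that still changes the URL means the client sent a
        # double-encoded form (e.g. %255c): reject rather than guess intent.
        if flag(cfg, "FailOnReCanonUrlChange", 1) and canonicalize(scan) != scan:
            reasons.append("Url changed on second canonicalization")
    if flag(cfg, "DenyUrlSequence", 1):      # sequences are matched on the canonical URL
        for seq in cfg.get("DenyUrlSequence", []):
            if seq.lower() in scan.lower():
                reasons.append(f"Url contains denied sequence {seq!r}")
    segments = scan.split("/")
    if not flag(cfg, "AllowDotInUrl", 0) and any("." in s for s in segments[:-1]):
        reasons.append("dot in a directory segment of the Url")
    ext = "." + segments[-1].rsplit(".", 1)[1] if "." in segments[-1] else ""
    if ext:                                  # extension comparison is case-insensitive
        if flag(cfg, "ExtensionAllow", 1):
            if ext.lower() not in {e.lower() for e in cfg.get("ExtensionAllow", [])}:
                reasons.append(f"extension {ext} not in [ExtensionAllow]")
        elif ext.lower() in {e.lower() for e in cfg.get("ExtensionDeny", [])}:
            reasons.append(f"extension {ext} in [ExtensionDeny]")
    max_cl = cfg["Globals"].get("contentlengthmaxvalue")
    cl = {k.lower(): v for k, v in req.headers.items()}.get("content-length")
    if max_cl is not None and cl is not None and (not cl.isdigit() or int(cl) > int(max_cl)):
        reasons.append("Content-Length exceeds ContentLengthMaxValue")
    return reasons


def filter_request(cfg, req):
    """Return (accepted, reasons). With Simulate=1 every check still runs and
    its findings are reported, but the request is not rejected."""
    reasons = check_request(cfg, req)
    return (True, reasons) if reasons and flag(cfg, "Simulate", 0) else (not reasons, reasons)


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    print(filter_request(cfg, Request("GET", "/path/my.file.htm", "www.mysite.com")))
    print(filter_request(cfg, Request("GET", "/scripts/..%255c../winnt/system32/cmd.exe", "www.mysite.com")))
```

Running the block shows the double-encoded traversal request collected by four independent checks (the second-canonicalization change, the ".." and "%" sequences, the dot in a directory segment, and the denied .exe extension), which is the point of layering the switches: no single list needs to anticipate every encoding. Flipping Simulate=0 to Simulate=1 in the configuration keeps all of those findings but lets the request through, which is how a new rule set can be observed against live traffic before enforcement.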