Merge pull request #4161 from assertchris/improve-iis-security

Improve IIS security
2024-10-22 14:05:37 +02:00 · 2015-05-11 12:10:22 +12:00 · 2015-05-11 12:10:22 +12:00 · 11f13119c6
commit 11f13119c6
parent dca8e2ad52 8d51eea66f
1 changed files with 19 additions and 10 deletions
--- a/web.config
+++ b/web.config
@ -1,11 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <configuration>
-	<system.webServer>
-		<security>
-			<requestFiltering>
-				<hiddenSegments>
-					<add segment="silverstripe_version" />
-				</hiddenSegments>
-			</requestFiltering>
-		</security>
-	</system.webServer>
+   <system.webServer>
+       <rewrite>
+           <rules>
+               <rule name="Block Scripts" stopProcessing="true">
+                   <match url="([^\\/]+)\.(php|php3|php4|php5|phtml|inc)$" />
+                   <conditions trackAllCaptures="true">
+                       <add input="{REQUEST_FILENAME}" pattern="\b(main|rpc|tiny_mce_gzip)\.php$" negate="true" />
+                   </conditions>
+                   <action type="AbortRequest" />
+               </rule>
+               <rule name="Block Version" stopProcessing="true">
+                   <match url="\bsilverstripe_version$" />
+                   <action type="AbortRequest" />
+               </rule>
+           </rules>
+       </rewrite>
+   </system.webServer>
 </configuration>