How to deny HTTP methods (or verbs) in Azure Web Apps

If you want to deny HTTP methods or verbs in Azure Web Apps, you can do this by changing your web.config file.

Add the following sections to the <configuration> section of your Azure Web App's web.config file, creating them if they do not already exist:

<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true" />
    <handlers>
        <!-- Answer the listed verbs with 405 Method Not Allowed on every path -->
        <add name="DenyOTH" verb="OPTIONS,TRACE,HEAD" path="*" type="System.Web.HttpMethodNotAllowedHandler" />
    </handlers>
</system.webServer>

Once you add this, any request that uses an HTTP verb in the verb list (in this case "OPTIONS,TRACE,HEAD") will receive the response: 405 Method Not Allowed.
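
To confirm that a web.config really carries this rule, for example when auditing several apps, the following added example (not part of the original post) parses the file and reports which verbs have no site-wide 405 mapping. The function names, the default required list and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DENY_TYPE = "System.Web.HttpMethodNotAllowedHandler"  # handler type used in the post

# Constructed sample: the configuration from the post.
PAGE_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="DenyOTH" verb="OPTIONS,TRACE,HEAD" path="*" type="System.Web.HttpMethodNotAllowedHandler" />
    </handlers>
  </system.webServer>
</configuration>"""

# Constructed sample: TRACE is denied only for *.aspx and HEAD is not listed.
PARTIAL_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="DenyO" verb="OPTIONS" path="*" type="System.Web.HttpMethodNotAllowedHandler" />
      <add name="DenyT" verb="TRACE" path="*.aspx" type="System.Web.HttpMethodNotAllowedHandler" />
    </handlers>
  </system.webServer>
</configuration>"""


def denied_verbs(web_config_xml):
    """Return the verbs mapped to the 405 handler for every path (path="*")."""
    root = ET.fromstring(web_config_xml)
    denied = set()
    for entry in root.findall("./system.webServer/handlers/add"):
        if entry.get("type", "").strip() != DENY_TYPE:
            continue  # some other handler mapping
        if entry.get("path", "").strip() != "*":
            continue  # rule covers only some URLs, so it is not site-wide
        # Verbs are compared exactly as written; no case folding is assumed.
        denied.update(v.strip() for v in entry.get("verb", "").split(",") if v.strip())
    return denied


def missing_denies(web_config_xml, required=("OPTIONS", "TRACE", "HEAD")):
    """Return the required verbs that have no site-wide deny rule, sorted."""
    denied = denied_verbs(web_config_xml)
    if "*" in denied:  # verb="*" on the deny handler covers every method
        return []
    return sorted(set(required) - denied)


if __name__ == "__main__":
    for label, xml_text in (("post", PAGE_CONFIG), ("partial", PARTIAL_CONFIG)):
        print(label, "missing:", missing_denies(xml_text))
```

An empty result means every required verb is covered by a path="*" deny rule; the check reads only the file it is given, not inherited or <location>-scoped configuration.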

 

Let me know if this helped you out!

Also, see this blog post for removing headers: Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure Mobile Apps