How to set up request filtering for Safewhere Identify

This document outlines all the steps needed to set up Request Filtering for Safewhere Identify manually. We will add tooling support in a future version.

Introduction

Identify exposes many endpoints, and each of them can receive a different type of data. Enforcing a size limit on every one of them individually would demand tremendous effort. A quick solution is to let IIS/ASP.NET's request filtering (see Request Filtering <requestFiltering> | Microsoft Docs) do the job. Five of its options can be used to make your Identify installation more secure:

  • <denyUrlSequences> - This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example: you can deny parts of URL sequences that an attacker might try to exploit.
  • <fileExtensions> - This element can contain a collection of file name extensions that IIS 7 will either deny or allow; for example: you can block all requests for Web.config files.
  • <hiddenSegments> - This element can contain a collection of URLs that cannot be browsed; for example: you can deny requests for the ASP.NET App_Code folder.
  • <requestLimits> - This element contains the settings for URL, content, and query string lengths. It can also contain a collection of user-defined maximum lengths for HTTP headers.
  • <verbs> - This element can contain a collection of HTTP verbs that IIS 7 will either deny or allow; for example: you can block all HTTP TRACE requests.

Using request filtering to protect Identify

Allowing large request bodies to be submitted can lead to many security issues, especially denial of service (DDoS). Limiting request sizes is a good first line of defense. Because Identify has no functionality that needs large POST bodies, such as file uploads, the limit can be set well below 1 MB (the default value is about 28.6 MB).

According to Request Filtering <requestFiltering> | Microsoft Docs, there are three options for setting the Maximum allowed content length value to a lower number:

  • Set for the whole web server
  • Set for a single Identify tenant
  • Set for a single sub application (Admin/runtime/service).

Note that the latter two options add the relevant settings to the tenant's web.config file, and those settings are removed when the tenant is upgraded. Our future tooling support will make sure that changes persist across tenant upgrades.

How to set the Maximum allowed content length value to a lower number

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
     (screenshot: request-filtering-1)
  4. Click Edit Feature Settings... in the Actions pane.
     (screenshot: edit-feature-settings-action-1)
  5. Specify your options, and then click OK.
     (screenshot: edit-feature-settings-1)

For example, you could make the following changes:

  • Change the maximum allowed content length to 30000000 (bytes).
  • Change the maximum URL length to 2 KB by specifying 2048 (bytes).
  • Change the maximum query string length to 1 KB by specifying 1024 (bytes).
  • Deny access to unlisted HTTP verbs by clearing the Allow unlisted verbs check box.

How to add limits for HTTP headers

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
     (screenshot: request-filtering-2)
  4. In the Request Filtering pane, click the Headers tab, and then click Add Header... in the Actions pane.
     (screenshot: add-header-action-2)
  5. In the Add Header dialog box, enter the HTTP header and the maximum size that you want to use, and click OK.
     (screenshot: add-header-2)

For example, the "Content-type" header contains the MIME type for a request. Specifying a value of 100 would limit the length of the "Content-type" header to 100 bytes.

Configuration Sample

The following example Web.config file will configure IIS to deny access for HTTP requests where the length of the "Content-type" header is greater than 100 bytes.
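The web.config fragment below is an added example written for this page; it is not Safewhere's own sample file. It combines the settings from both procedures above (the request limits from "How to set the Maximum allowed content length value to a lower number" and the header limit from "How to add limits for HTTP headers") into one <requestFiltering> block. The value 524288 for maxAllowedContentLength is an assumed figure chosen to be "well below 1 MB" as recommended; the verb list (GET and POST only) is also an assumption about what an Identify sub-application needs and must be confirmed against your installation before it is applied.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Request body limit in bytes. 524288 (512 KB) is an assumed value,
             well below 1 MB; the IIS default is 30000000 (about 28.6 MB).
             maxUrl and maxQueryString match the 2 KB / 1 KB values used above. -->
        <requestLimits maxAllowedContentLength="524288"
                       maxUrl="2048"
                       maxQueryString="1024">
          <!-- Per-header size limits (the "Headers" tab in IIS Manager).
               A Content-Type header longer than 100 bytes is rejected. -->
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
        <!-- Equivalent of clearing "Allow unlisted verbs": every verb that is
             not explicitly listed is denied. GET and POST are assumed to be
             sufficient for Identify; verify before deploying. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Place the fragment in the web.config of the tenant or of the individual sub application (Admin/runtime/service), or merge it into applicationHost.config to apply it server-wide; as noted above, the tenant-level file is replaced on upgrade, so keep a copy to reapply. To verify the limits, send a request whose body exceeds the configured size: IIS rejects it before it reaches Identify with HTTP 404.13 (content length too large), and an over-long header yields 404.10; these sub-status codes appear in the IIS logs and make rejected requests easy to spot. Note that ASP.NET applies its own, separate body limit (maxRequestLength in <httpRuntime>, specified in KB with a default of 4096), and the lower of the two limits is the one that takes effect.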