Unable to send Webhook event when TRACE, PUT and DELETE methods are explicitly disallowed in the applicationHost.config file

Orchestrator cannot deliver Webhook events when the TRACE, PUT, and DELETE methods are explicitly disallowed in the IIS applicationHost.config file.

Root Cause: Request filtering settings in C:\Windows\System32\inetsrv\Config\applicationHost.config block the Webhooks service from receiving events from Orchestrator.

The TRACE, PUT, and DELETE methods are being explicitly disallowed (allowed="false"), which is a common security practice to prevent certain types of attacks or unauthorized actions on the server.

Note the settings below.

These are the HTTP request verb settings in the application host configuration file. They control which HTTP methods are allowed or disallowed for incoming requests.

Disallowing these methods enhances the security of the application by removing the potential vulnerabilities associated with them. For example:

  • TRACE: Disabling this prevents the server from echoing back the received request, which can be exploited in certain situations to gain information about the server's configuration or to manipulate headers.
  • PUT: This method is often disabled to prevent clients from directly uploading or modifying files on the server.
  • DELETE: Disabling this method prevents clients from deleting resources on the server, which is crucial for maintaining data integrity and preventing accidental or malicious deletion.

Configuring these settings in the application host configuration file (applicationHost.config) ensures that only the necessary HTTP methods are allowed, reducing the attack surface and improving the overall security posture of the application.

Resolution:

Add the <clear /> element, followed by explicit verb entries, to the <verbs> section of the web.config file of the Webhooks service, as described below.

  • In a web.config file, <clear /> is a directive used to clear any previously defined configuration settings within a specific section. It is commonly used to reset or remove any inherited or default settings before specifying custom configurations.
  • The <clear /> directive ensures that any previously defined HTTP verb configurations within the <verbs> section are removed before the new configurations are added. This avoids conflicts or unintended inheritance of settings from parent configurations.
  • After <clear />, define custom configurations for the HTTP verbs (TRACE, PUT, DELETE) within the <verbs> section, explicitly setting them to allowed (allowed="true"). This indicates that these HTTP methods should be allowed for incoming requests to the Webhooks application.
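The two configuration fragments described above, written out as an added example rather than copied from the original article or from UiPath documentation. The server-wide fragment is the blocking setting from applicationHost.config; the second is the web.config of the Webhooks application, which overrides it only for that application (the element names and structure are standard IIS request filtering configuration; the exact Webhooks web.config path is not given on this page).

```xml
<!-- 1) applicationHost.config (server-wide): the setting that blocks Webhooks.
     This is kept as-is; it still protects every other application on the server. -->
<system.webServer>
  <security>
    <requestFiltering>
      <verbs>
        <add verb="TRACE" allowed="false" />
        <add verb="PUT" allowed="false" />
        <add verb="DELETE" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

<!-- 2) web.config of the Webhooks application only: drop the inherited verb
     entries with <clear />, then re-add the verbs Orchestrator needs as allowed. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs>
          <clear />
          <add verb="TRACE" allowed="true" />
          <add verb="PUT" allowed="true" />
          <add verb="DELETE" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Because the override lives in the application's own web.config, the server-wide restriction stays in force for every other site and application; the override only takes effect if the requestFiltering section is not locked at the server level.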

Note: Carefully review the security requirements and adjust the configuration accordingly so that the webhook functionality works correctly while the security measures needed to protect the application remain in place.