I wanted to add some IIS requestFiltering rules to my web application. I followed folling guides:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls http://www.iis.net/configreference/system.webserver/security/requestfiltering/denyurlsequences
For example, I want to deny Url test but enable testallowed
So I made following configuration in my web.config:
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="test" />
</denyUrlSequences>
<alwaysAllowedUrls>
<add url="testallowed" />
</alwaysAllowedUrls>
</requestFiltering>
</security>
</system.webServer>
Wenn calling mypage/test, I get the IIS HTTP Error 404.5 Page, which is correct. But I get the same page when calling mypage/testallowed. And in my web.config, the Tag alwaysAllowedUrls is underlined and it says:
The element 'requestFiltering' has invalid child element 'alwaysAllowedUrls'. List of possible elements expected: 'fileExtensions, requestLimits, verbs, hiddenSegments, denyUrlSequences'.