Question

I am looking at my ASP.NET MVC site and considering blocking the HEAD verb in IIS from accessing the site.

I don't see why such requests are needed or being used at present.

Why would HEAD requests be required on a site?

Solution

The comment posted above is correct. As far as I know, HEAD requests are made by the browser for checking things like: do I need to download this again, is the page still there, etc. Basically, if the browser wants to know about a page without downloading the entire page, it will issue a HEAD request. So, in short, they are not a harmful thing to be happening.

However, if you want to block these, you can do so in your web.config by using the following syntax (taken from MSDN/IIS):

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <verbs applyToWebDAV="false">
               <add verb="HEAD" allowed="false" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

However, I think this is an atypical setup and you may want to test your site for performance/breaks across multiple browsers before turning this on for a production-facing site.

Other tips

There are malicious scanners that will issue a large volume of HEAD requests in an attempt to find known vulnerable resources, such as file upload components that may allow them to upload malicious files. They use a HEAD request as it is faster than a GET request because it has no response body, just headers.

Not only is their intent malicious, but by requesting large numbers of non-existent resources they can put load on your server.

On the flip side, Google also use the HEAD request to save time and bandwidth when deciding whether to re-fetch a page (i.e. has it changed since I last crawled).

Ideally, you would find a way to block the malicious requests and allow the legitimate ones from Google / Web Browsers.
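
One way to separate the scanner pattern described above from crawler and browser traffic is to check the IIS logs for clients whose HEAD requests mostly hit non-existent resources. This is an added example, not part of the original answers; the log lines are constructed, and the function names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
# IPs are from documentation ranges; paths and user agents are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 HEAD /no-such-1.aspx 203.0.113.7 - 404
2024-05-01 10:00:01 HEAD /no-such-2.aspx 203.0.113.7 - 404
2024-05-01 10:00:02 HEAD /no-such-3.aspx 203.0.113.7 - 404
2024-05-01 10:00:02 HEAD /no-such-4.aspx 203.0.113.7 - 404
2024-05-01 10:00:03 HEAD /no-such-5.aspx 203.0.113.7 - 404
2024-05-01 10:00:03 HEAD / 203.0.113.7 - 200
2024-05-01 10:01:00 HEAD / 198.51.100.20 ExampleCrawler/1.0 200
2024-05-01 10:01:05 HEAD /about 198.51.100.20 ExampleCrawler/1.0 200
2024-05-01 10:02:00 GET / 192.0.2.15 Mozilla/5.0 200
2024-05-01 10:02:01 GET /missing 192.0.2.15 Mozilla/5.0 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_head_clients(text, min_requests=5, min_miss_ratio=0.8):
    """Return {ip: (head_count, head_404_count)} for clients whose HEAD
    traffic is both high in volume and mostly aimed at missing resources."""
    stats = defaultdict(lambda: [0, 0])
    for row in parse_w3c(text):
        if row.get("cs-method") != "HEAD":
            continue
        entry = stats[row["c-ip"]]
        entry[0] += 1
        if row.get("sc-status") == "404":
            entry[1] += 1
    return {ip: (total, missed) for ip, (total, missed) in stats.items()
            if total >= min_requests and missed / total >= min_miss_ratio}

if __name__ == "__main__":
    for ip, (total, missed) in suspicious_head_clients(SAMPLE_LOG).items():
        print(f"{ip}: {total} HEAD requests, {missed} returned 404")
```

Clients flagged this way can be rate-limited or blocked by address, which leaves HEAD available to browsers and crawlers instead of denying the verb site-wide.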

License: CC-BY-SA with attribution
Not affiliated with StackOverflow