IISFrontGuard is an IIS HTTP Module providing comprehensive web application security including WAF functionality, rate limiting, geographic IP filtering, security event logging, automatic security header management, and webhook notifications for ASP.NET applications running on .NET Framework 4.8. It automatically removes server identification headers (X-Powered-By, Server) and adds essential security headers (CSP, HSTS, X-Frame-Options, etc.).
IISFrontGuard is a Web Application Firewall (WAF) module for Internet Information Services (IIS) built on .NET Framework 4.8. It provides advanced security features including request filtering, rate limiting, managed/interactive challenges, and comprehensive logging with webhook notifications.
Install-Package IISFrontGuard.Module
dotnet add package IISFrontGuard.Module
PM> Install-Package IISFrontGuard.Module

Note: The package will automatically update your Web.config with required settings and open a getting started guide.
Execute the included SQL script to create the required database tables:
-- Located in: Content\Scripts\init.sql

The package automatically configures your Web.config during installation with the following default settings. Please review and update as needed:

<configuration>
  <connectionStrings>
    <add name="IISFrontGuard"
         connectionString="Data Source=.;Initial Catalog=IISFrontGuard;Integrated Security=True;TrustServerCertificate=True;" />
  </connectionStrings>
  <appSettings>
    <!-- Database Configuration -->
    <add key="IISFrontGuard.DefaultConnectionStringName" value="IISFrontGuard" />
    <add key="IISFrontGuardEncryptionKey" value="YOUR-16-CHAR-KEY" />
    <!-- Rate Limiting Configuration -->
    <add key="IISFrontGuard.RateLimitMaxRequestsPerMinute" value="150" />
    <add key="IISFrontGuard.RateLimitWindowSeconds" value="60" />
    <!-- Trusted Proxy IPs (for X-Forwarded-For header validation) -->
    <add key="TrustedProxyIPs" value="" />
    <!-- Webhook Configuration (Optional) -->
    <add key="IISFrontGuard.Webhook.Enabled" value="false" />
    <add key="IISFrontGuard.Webhook.Url" value="" />
    <add key="IISFrontGuard.Webhook.AuthHeader" value="" />
    <add key="IISFrontGuard.Webhook.CustomHeaders" value="" />
    <add key="IISFrontGuard.Webhook.FailureLogPath" value="C:\Logs\webhook-failures.log" />
  </appSettings>
  <system.webServer>
    <modules>
      <add name="FrontGuardModule"
           type="IISFrontGuard.Module.FrontGuardModule, IISFrontGuard.Module"
           preCondition="managedHandler,runtimeVersionv4.0" />
    </modules>
    <!-- Remove unnecessary server headers for enhanced security -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.web>
    <!-- Remove ASP.NET version header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

The package includes a GeoLite2-Country database. To keep it updated:
UpdateGeoDb.bat script with your license key

Configure WAF rules for localhost:
-- Create an AppEntity for localhost testing
INSERT [dbo].[AppEntity] ([Id], [AppName], [AppDescription], [Host], [CreationDate], [TokenExpirationDurationHr]) VALUES (NEWID(), N'Localhost App', N'Test application for localhost', N'localhost', GETDATE(), 12)
GO
-- Retrieve the Id of the newly created AppEntity
DECLARE @LocalAppId UNIQUEIDENTIFIER
SELECT TOP 1 @LocalAppId = [Id] FROM [dbo].[AppEntity] WHERE [Host] = N'localhost'
-- Insert a rule for Interactive Challenge as an example on localhost using the newly created AppEntity
INSERT [dbo].[WafRuleEntity] ([Nombre], [ActionId], [AppId], [Prioridad], [Habilitado], [CreationDate])
VALUES (N'Interactive Challenge', 4, @LocalAppId, 0, 1, GETDATE())

Add custom WAF rules to the database:
INSERT INTO WafRules (Name, Priority, IsEnabled, Action, Conditions)
VALUES ('Block SQL Injection', 100, 1, 'Block',
'[{"Field":"QueryString","Operator":"Contains","Value":"UNION SELECT"}]');

Configure rate limits in Web.config:
<add key="RateLimitMaxRequestsPerMinute" value="150" />
<add key="RateLimitWindowSeconds" value="60" />

Configure country blocking/allowing via database WAF rules:
INSERT INTO WafRules (Name, Priority, IsEnabled, Action, Conditions)
VALUES ('Block Specific Countries', 50, 1, 'Block',
'[{"Field":"Country","Operator":"Equals","Value":"CN,RU,KP"}]');

To remove IISFrontGuard from your application:
Uninstall-Package IISFrontGuard.Module

The uninstall process will automatically:
Manual cleanup required:
For complete uninstallation instructions, see UNINSTALL_GUIDE.md included in the package.
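The default Web.config settings listed in the configuration section are meant to be reviewed before deployment. The PowerShell function below is an added example, not part of the IISFrontGuard package, that reads a Web.config and reports the defaults that still need attention. The function name, the https requirement for the webhook URL and the trimmed sample document are assumptions of this example.

```powershell
# Added example, not shipped with IISFrontGuard: flag defaults that need review.
function Test-FrontGuardConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = @()
    # Value of an appSettings key, or $null when the key is absent.
    function Get-Setting([string]$SettingKey) {
        $node = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$SettingKey']")
        if ($null -ne $node) { $node.GetAttribute('value') }
    }
    $encKey = Get-Setting 'IISFrontGuardEncryptionKey'
    if (-not $encKey -or $encKey -eq 'YOUR-16-CHAR-KEY') { $findings += 'IISFrontGuardEncryptionKey is missing or still the placeholder' }
    # Assumption of this example: webhook events should only be sent over TLS.
    if ((Get-Setting 'IISFrontGuard.Webhook.Enabled') -eq 'true' -and
        (Get-Setting 'IISFrontGuard.Webhook.Url') -notmatch '^https://') {
        $findings += 'Webhook is enabled but its Url is empty or not https'
    }
    $csName = Get-Setting 'IISFrontGuard.DefaultConnectionStringName'
    $cs = $Config.SelectSingleNode("/configuration/connectionStrings/add[@name='$csName']")
    if ($null -eq $cs) {
        $findings += "Connection string '$csName' is not defined"
    } elseif ($cs.GetAttribute('connectionString') -match 'TrustServerCertificate\s*=\s*true') {
        $findings += 'TrustServerCertificate=True: the SQL Server certificate is not validated'
    }
    # Elements that must be present as in the default configuration.
    $required = [ordered]@{
        "system.webServer/modules/add[@name='FrontGuardModule']" = 'FrontGuardModule is not registered'
        "system.webServer/httpProtocol/customHeaders/remove[@name='X-Powered-By']" = 'X-Powered-By is not removed'
        "system.web/httpRuntime[@enableVersionHeader='false']" = 'enableVersionHeader is not false'
    }
    foreach ($xp in $required.Keys) {
        if ($null -eq $Config.SelectSingleNode("/configuration/$xp")) { $findings += $required[$xp] }
    }
    $findings
}
# Constructed sample: trimmed Web.config, placeholder key kept, system.webServer omitted.
[xml]$sample = @'
<configuration>
  <connectionStrings>
    <add name="IISFrontGuard" connectionString="Data Source=.;Initial Catalog=IISFrontGuard;Integrated Security=True;TrustServerCertificate=True;" />
  </connectionStrings>
  <appSettings>
    <add key="IISFrontGuard.DefaultConnectionStringName" value="IISFrontGuard" />
    <add key="IISFrontGuardEncryptionKey" value="YOUR-16-CHAR-KEY" />
    <add key="IISFrontGuard.Webhook.Enabled" value="false" />
  </appSettings>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
</configuration>
'@
Test-FrontGuardConfig -Config $sample
```

To check a deployed site, pass the file content instead of the sample, for instance `Test-FrontGuardConfig -Config (Get-Content .\Web.config -Raw)`.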
For issues, questions, or contributions, please visit:
This project is licensed under the MIT License.
IISFrontGuard Team