Introduction
In today’s API-driven world, automated scripts—especially those using Python libraries like httpx—can pose a risk if left unchecked. While many of these scripts are legitimate, some are used for scraping, brute-force attacks, or unauthorised data access. This blog explores how to detect and block such requests using IIS features like the URL Rewrite Module and Request Filtering.
Identifying Python-httpx Requests
The first step is detection. We identified Python scripts accessing APIs by analysing IIS logs, particularly the User-Agent field. Suspicious entries like "Python httpx" indicated automated access attempts.
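The log review described above can be scripted. This is an added example, not code from the original post: it parses IIS W3C-format log text, finds the cs(User-Agent) column from the #Fields directive, and counts requests whose User-Agent matches httpx. The sample log lines, the IP addresses and the function name find_httpx_clients are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
# The second #Fields line models a logging-settings change part way through a file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /test.htm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 12
2024-01-01 10:00:02 10.0.0.5 GET /api/items page=1 80 - 192.0.2.44 python-httpx/0.27.0 - 200 0 0 8
2024-01-01 10:00:03 10.0.0.5 GET /api/items page=2 80 - 192.0.2.44 python-httpx/0.27.0 - 200 0 0 7
#Fields: date time c-ip cs(User-Agent) sc-status
2024-01-01 11:00:00 192.0.2.44 Python-HTTPX/0.27.0 404
"""


def find_httpx_clients(log_text, pattern=r"httpx"):
    """Count matching requests per (client IP, User-Agent, status code)."""
    rx = re.compile(pattern, re.IGNORECASE)
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared here and can change within one file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        # IIS writes spaces inside a field as '+', so the User-Agent is one token.
        agent = row.get("cs(User-Agent)", "-").replace("+", " ")
        if rx.search(agent):
            hits[(row.get("c-ip", "-"), agent, row.get("sc-status", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (ip, agent, status), count in find_httpx_clients(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {ip:15s}  {status}  {agent}")
```

Because the User-Agent header is supplied by the client, a match identifies unmodified httpx clients only; authentication and rate limiting remain the primary API controls.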
Blocking with URL Rewrite Module
The URL Rewrite Module in IIS allows you to create inbound rules based on request headers. Here's how to block requests from httpx:
- Open IIS Manager and navigate to your site.
- Open the URL Rewrite module.
- Add a new Inbound Rule.
- Set the condition:
  - Input: {HTTP_USER_AGENT}
  - Check if it Matches the Pattern: .*httpx.*
- Set the action to Abort Request or return a custom status code like 404.
This method is flexible—you can customise the response code or redirect the request.
Blocking with Request Filtering
As an alternative, Request Filtering offers a simpler but less flexible approach:
- Open Request Filtering in IIS.
- Go to the HTTP Verbs or Headers tab.
- Add a rule to deny requests where the User-Agent contains httpx.
When tested, this method returned a 400 status code, effectively blocking the script.
Testing the Block
Here’s a simple Python script using httpx to test your rules:
Testing Script
- Create a new Python file and give it any name (for example, TestPython.py).
- Copy and paste the following content into that file.
```python
import httpx

# Request the test page with httpx's default User-Agent and print the status code.
response = httpx.get('http://localhost/test.htm')
print(response.status_code)
```
Testing Method
- Open the Command Prompt.
- Navigate to the directory where the test Python script is located.
- Run the following command:
  - python TestPython.py
- When http://localhost/test.htm is accessed via a browser: 200 OK
- When accessed via the script: 403, 404, or 400, depending on your configuration
Choosing Between Methods
| Feature | URL Rewrite Module | Request Filtering |
|---|---|---|
| Custom Status Codes | ✅ Yes | ❌ No |
Conclusion
Blocking automated httpx requests is essential for protecting your APIs from misuse. IIS provides robust tools to help you do this effectively. Whether you prefer the flexibility of URL Rewrite or the simplicity of Request Filtering, both methods can be tailored to your security needs.