Hi!
I am trying to lock down a web site to only respond to requests from the same local machine.
I have included the following in the site root web.config:
<system.webServer>
  <security>
    <ipSecurity allowUnlisted="false">
      <add ipAddress="127.0.0.1" allowed="true" />
    </ipSecurity>
  </security>
</system.webServer>
This seems to work fine - I can access the site at http://localhost.
If I change the configured IP address to, for example, 191.236.106.123, I get an HTTP Error 403.503 - Forbidden result. Great!
However, if I change the IP address to a different 127.* address, such as 127.0.0.20 or 127.255.0.1, the request is accepted. For me this is unexpected behaviour. Is it a bug or a feature?
Additional info:
I am using IIS 10.0 on Windows 10 Enterprise
-S