#IIS Administration

Block Website Access from Public IP

Creating an access block rule

The third rule that we will create is used to block all requests made to a Web site if those requests do not have the host header set.
This type of rule is useful when you want to prevent hacking attempts that are made by issuing HTTP requests against the IP address of
the server instead of using the host name.
Open the Web.config file.
Locate the <rewrite> section and insert the following rule into the <rules> collection, so that it is the first rule in the collection:

<rule name="Fail bad requests">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>

Replace localhost with your domain name (the URL of the website) in the pattern attribute of the <add input> element.

For example:

<rule name="Fail bad requests">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="^abc\.xyz\.co\.in$" negate="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>

Note:
Please take a backup of your data and the web.config file before implementing these rules.
Replace abc\.xyz\.co\.in with your domain URL.

Explanation:
{HTTP_HOST} only contains the hostname, like: awards.steel.gov.in
pattern="^abc\.xyz\.co\.in$" ensures an exact match (with escaped dots, because a dot means “any character” in regex).
negate="true": blocks any request not matching this hostname.
This effectively blocks public access from anything except abc.xyz.co.in.
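
The following is an added example, not part of the original post or of IIS: a small Python model of the rule's condition, run over constructed Host header values, that compares the exact-match pattern above with the same pattern written without escaped dots and anchors. It assumes URL Rewrite matches case-insensitively and anywhere in the input unless the pattern is anchored; LOOSE_PATTERN, SAMPLE_HOSTS and the function names are made up for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# The rule from this page (straight quotes so it parses as XML).
RULE_XML = r'''<rule name="Fail bad requests">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="^abc\.xyz\.co\.in$" negate="true" />
  </conditions>
  <action type="AbortRequest" />
</rule>'''

# Constructed for comparison: same rule with dots unescaped and no ^...$ anchors.
LOOSE_PATTERN = "abc.xyz.co.in"

# Constructed Host header values (203.0.113.10 is a documentation address).
SAMPLE_HOSTS = [
    "abc.xyz.co.in", "ABC.xyz.co.in", "www.abc.xyz.co.in", "abc.xyz.co.in:8080",
    "203.0.113.10", "localhost", "abcxxyz.co.in", "abc.xyz.co.in.example.net",
]

def load_condition(rule_xml):
    """Return (pattern, negate) from the rule's {HTTP_HOST} condition."""
    cond = ET.fromstring(rule_xml).find("./conditions/add")
    if cond is None or cond.get("input") != "{HTTP_HOST}":
        raise ValueError("rule has no {HTTP_HOST} condition")
    return cond.get("pattern"), cond.get("negate", "false").lower() == "true"

def is_aborted(pattern, negate, host_header):
    """Model of the condition: the action fires when (regex matched) != negate.
    Assumed to mirror URL Rewrite: case-insensitive, matches anywhere in the
    input unless the pattern anchors itself with ^ and $."""
    matched = re.search(pattern, host_header, re.IGNORECASE) is not None
    return matched != negate

def audit(pattern, negate, hosts=SAMPLE_HOSTS):
    """Map each Host value to 'abort' or 'serve' under the given condition."""
    return {h: "abort" if is_aborted(pattern, negate, h) else "serve" for h in hosts}

if __name__ == "__main__":
    strict_pattern, negate = load_condition(RULE_XML)
    strict, loose = audit(strict_pattern, negate), audit(LOOSE_PATTERN, negate)
    print(f"{'Host header':<28}{'page rule':<12}{'loose pattern'}")
    for host in SAMPLE_HOSTS:
        print(f"{host:<28}{strict[host]:<12}{loose[host]}")
```

In this model the exact-match pattern also aborts a Host value that carries a www. prefix or a port, so check how your site is actually reached before deploying the rule.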

Apply the steps below when you are not working from the web.config file.

Configure this directly from the IIS URL Rewrite tool (GUI) — you don’t have to manually edit the web.config file.
Here’s how to block access via public IP and only allow your domain (e.g., abc.xyz.co.in) using the IIS Manager GUI:

✅ Steps to Set It Up in IIS:
1. Open IIS Manager.
2. Select your website in the left-hand tree view (e.g., Default Web Site or your specific site).
3. In the Features View, double-click “URL Rewrite”.
4. On the right-hand side, click “Add Rules…”.
5. In the “Add Rules” dialog, under Inbound Rules, select “Blank rule”.
6. Click OK.

🔧 Configure the Rule:
Name: Block all except domain
Match URL
  Requested URL: Matches the Pattern
  Using: Regular Expressions
  Pattern: .*
Conditions (click “Add”)
  Condition Input: {HTTP_HOST}
  Check if input string: Does Not Match the Pattern
  Pattern: ^(www\.)?abc\.xyz\.co\.in$
  ➡️ Click OK to save the condition
Action
  Action Type: Abort Request
  You can also choose “Custom Response” if you want a custom message (e.g., 403).

✅ Final Touches
- Make sure the rule is at the top of the list.
- Check that “Stop processing” is enabled, if available.
- Apply the changes.

🧪 Test It
Access using:
✅ http://abc.xyz.co.in → should work
❌ http://[your IP] or http://localhost → should fail
