Security consideration for the Internet Information Services (IIS) web server
If you are using the IIS web server with WebSphere Commerce, you must be aware of the following security consideration and take the recommended action to minimize any security exposure of your WebSphere Commerce data.
For the IIS web server, read permission on a Virtual Directory provides access to the source code of JSP files. To prevent download of the JSP source code, you must physically separate the static content from the dynamic content of your web pages, if you are using the IIS web server. This configuration is necessary because IIS security is based on directory location, rather than file type. Under the default IIS configuration, the image files and JSP files are located under a single alias. Use the default configuration for testing purposes only.
By default, files in the META-INF and WEB-INF folders for each WAR can be served directly to a browser. It is the responsibility of IIS web server administrators to implement access control to prevent the serving of these files
To secure all web assets, the dynamic content must be accessed using a Virtual Directory with execute-only (not read) permissions. Move static content to a different Virtual Directory with read-only permission. For more information about setting permissions on a Virtual Directory, see the instructions in the IIS help information. Consult the current Microsoft documentation on security patches and configuration policies.
For security reasons, be sure to disable HTTP TRACE support in your web server. Use the URLScan tool to deny HTTP TRACE requests or to allow only the methods that are needed to meet site requirements and policy. For more information, see the Microsoft documentation about using URLScan on IIS.