This site is hosted on a latest IIS Server.

There are 4 tools that I have here for the level of Evaluation of incoming traffic:

1. web.config.
2. URL Rewrite 2 for IIS - rules of engagement(or NOT).
3. .htaccess.
4. Back End Programming (my choice is ColdFusion and Java) for getting info about CGI, RDNS and Headers for request, coupled with more than a decade old DB of IP ranges belonging to hosting companies & Country IP Ranges from.

Each one of these levels gives me laser sharp control & flexibility to decide where each of the requests ended up or not end up all together.

I am a big believer in <ipSecurity allowUnlisted="true" denyAction="AbortRequest"> base order(web.config >> security >> <ipSecurity>) & <action type="AbortRequest" /> (rewriterules.config). The latter gives me more control so I could direct request as well.

These are the first 2 levels where I could AbortRequest, so junk data is not recorded in IIS Log file, and less clutter that is passed down to .htaccess and application itself for further request interrogation.

It saves me TONS of time, and I mean it. When trying to trouble shoot code that I am usually working on for sure. Nobody wants to dig thru 450+ requests that are made in less that 10 seconds to .env, .git, and wp-*.php or a folder that some s*muck called "admin" or file named "config" (and then got hacked) in it when deep trouble shooting a production issue on API calls.

Level 1. web.config
<system.webServer>
<security>
 <ipSecurity allowUnlisted="true" denyAction="AbortRequest">
 <!-- START Digital Ocean -->
 <add ipAddress="139.59.0.0" subnetMask="255.255.0.0"/> <!-- 139.59.0.0/16 -->
 <add ipAddress="143.198.0.0" subnetMask="255.255.0.0"/> <!-- 143.198.0.0/16 -->
 <!-- END Digital Ocean -->
.....

So Level 1 does not care if you are asking for robots.txt or humans.txt, or ads.txt, or Dod Gamn favicon from a wrong location(Darvin u, Darvin).

You get NARA, others tried and ignored the "Rule #1: Be Polite, if you are a new f/male Cat in town, don be spraying here on every corner with yo "I came with/from SEO Jungle Theory") and I am it, so checkout myBOT page wher I tell you that we collect data(ONe&ONE, really?) to ensure our hosting services function properly.

That is why IP Range on a permanent @*hit list. There are some prominent set of ranges to include Amazon, MSFT, Digital Ocean, OVH, GoDaddy, PONYNet, Frantek, M247, CONTABO, NTT America and many many MO.

NOTE. If you are on a Shared Host, <ipSecurity> functionality maybe not available to you. But no worries, somewhat the same could be done with rewrite rules and Regex using URL Rewrite 2 for IIS.

If one passed Level 1 - Robots .txt is free(remember Goog's mantra - foooooorrrstr-st-sh page is Free! << well there u have it & there u have it, but then...)

LEVEL 2 - URL Rewrite 2 for IIS - So much fun! Blocks, Rewrites, Redirects and Regex.

web.config:
 <system.webServer>
 <rewrite>
 <!-- Remember that one from above someone looking for .config files? well that is why this is "someRandomName" -->
 <rules configSource="someRandomNameRules.config"></rules>
 <rewriteMaps configSource="someRandomNameMaps.config"></rewriteMaps>
 </rewrite> ..............................

Rules and Rules based on Maps ON IIS are second inline(.htaccess & then @server-side mark-up language of you choice considerations a bit later(everybody goes nuts their own way, right, or left?), we will get to IT in Level 3).

So Rules(just rules >> <rules configSource="someRandomNameRules.config"></rules>)

<!-- First rile of someRandomNameRules is no one talks about someRandomNameRules, but more to come... -->

Don't comment on this just yet, I promise to spill the beans all the way to Step 5, that is not mentioned here just yet.

P.S. this will maybe a start with "At home with SCRAPERS"... IIS Style!

;)

2.1
Long time ago, somewhere in the woods of what now is Ukraine under Bombardment(I say as it is), UP my-level-one( -DADA) asked a question: why are yo not following rules of "Pionerov"? Easy to understand, Ha? My Cousin stepped into a pile of real bear(well pile, spiffy style with a bunch of leafs on top) poop.

So: <rules configSource="someRandomNameRules.config"></rules>

ORDER, Order! in A room.
By creating a new subdomain you get to see what/yo/there mama is after, sometimes NARA html, and thus a bit of respond records when A is avail to scrape.

your domain/assets request path levels via refs:
-----------Ref/My Domain----------------------
http://example.tld(it is 2023, i only have HTTPS/WWW site, with redirect on to HTTPS/WWW before I say Hi = eat that)
http://www.example.tld(Nooo, u were never there, were u?..., noooo)
https://www.example.tld(Hi There! Aolha!)
https://example.tld(it is 2023, i only have HTTPS site, and only WWW site, with redirect on to HTTPS before I say Hi, u never typed https://example.tld in a search window, did ya? = , keep em there..)
-------------------------------------------
in your logs, ah, and our lungs, ha!.. you get the poetry..! Cranberries!

Keep in-mind that this is ALL before it gets to .htaccess rules, let along code on the site.

Let me STOP u here for a SEcond, have you try replicate this, to do list, on none IIS config of yoru site just yet?

No need to just yet & wanting to comment. I know you want to...

Comments are welcome, just later, please.