'accessPolicy' is mis-represented and mis-understood #1119

Open
wants to merge 3 commits into
base: main
4 changes: 2 additions & 2 deletions iis/configuration/system.webServer/handlers/add.md
Expand Up @@ -2,7 +2,7 @@
title: "Adding Handlers <add>"
author: rick-anderson
description: "Overview The <add> element of the <handlers> collection adds a handler to the list of HTTP handlers for Internet Information Services (IIS) 7. Co..."
ms.date: 09/26/2016
ms.date: 05/19/2025
ms.assetid: 07a497b0-1558-4731-b5db-b9a2a80ea7d5
msc.legacyurl: /configreference/system.webserver/handlers/add
msc.type: config
Expand Down Expand Up @@ -107,7 +107,7 @@ The `<add>` element of the `<handlers>` collection is included in the default in
| `name` | Required string attribute. <br><br>Specifies the unique name of the handler mapping. |
| `path` | Required string attribute. <br><br>Specifies the file name or the file name extension for which the handler mapping applies. |
| `preCondition` | Optional string attribute. <br><br>Specifies conditions under which the handler will run. <br><br>The **preCondition** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>bitness32</code></th> <td>Specify the <strong>bitness32</strong> value when the handler is a 32-bit .dll file, and IIS should load the handler only for worker processes that run in WOW64 mode (32-bit simulation) on a 64-bit operating system. </td></tr> <tr> <th><code>bitness64</code></th> <td>Specify the <strong>bitness64</strong> value when the handler is a 64-bit .dll file, and IIS should load the handler only for worker processes that run in 64-bit mode. </td></tr> <tr> <th><code>integratedMode</code></th> <td>Specify the <strong>integratedMode</strong> value when the handler should respond only to requests in application pools that are configured to use the integrated request-processing pipeline. </td></tr> <tr> <th><code>ISAPIMode</code></th> <td>Specify the <strong>ISAPIMode</strong> value when the handler should respond only to requests in application pools that are configured to use Classic mode. </td></tr> <tr> <th><code>runtimeVersionv1.1</code></th> <td>Specify the <strong>runtimeVersionv1.1</strong> value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 1.1. </td></tr> <tr> <th><code>runtimeVersionv2.0</code></th> <td>Specify the <strong>runtimeVersionv2.0</strong> value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 2.0. </td></tr></tbody></table> |
| `requireAccess` | Optional enum attribute. <br><br>Specifies the type of access that a handler requires to the resource. <br><br>The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <td><strong>Execute</strong></td> <td>Specifies that the handler requires rights to run executables. <br><br>The numeric value is <code>4</code>. </td></tr> <tr> <td><strong>None</strong></td> <td>Specifies that the handler does not have access requirements. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <td><strong>Read</strong></td> <td>Specifies that the handler requires read permissions. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <td><strong>Script</strong></td> <td>Specifies that the handler requires rights to run scripts. <br><br>The numeric value is <code>3</code>. </td></tr> <tr> <td><strong>Write</strong></td> <td>Specifies that the handler requires write permissions. <br><br>The numeric value is <code>2</code>. </td></tr></tbody></table> |
| `requireAccess` | Optional enum attribute. <br><br>Specifies the access level at which a handler will execute. <br><br>The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`. <br><br>**Note:** Even if a handler’s **requireAccess** value does not match the current `accessPolicy` level, it remains part of the configured set of handlers and may be initialized, although it will not be executed. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <td><strong>Execute</strong></td> <td>Specifies that the handler requires rights to run executables. <br><br>The numeric value is <code>4</code>. </td></tr> <tr> <td><strong>None</strong></td> <td>Specifies that the handler does not have access requirements. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <td><strong>Read</strong></td> <td>Specifies that the handler requires read permissions. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <td><strong>Script</strong></td> <td>Specifies that the handler requires rights to run scripts. <br><br>The numeric value is <code>3</code>. </td></tr> <tr> <td><strong>Write</strong></td> <td>Specifies that the handler requires write permissions. <br><br>The numeric value is <code>2</code>. </td></tr></tbody></table> |
| `resourceType` | Optional string attribute. <br><br>Specifies the type of resource to which the handler mapping applies. <br><br>The **resourceType** attribute can be one of the following possible values. The default value is `Unspecified`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Directory</code></th> <td>Specifies that the handler mapping applies to requests only for physical folders on disk. <br><br>The numeric value is <code>1</code>. </td></tr> <tr> <th><code>Either</code></th> <td>Specifies that the handler mapping applies to requests for physical files or folders on disk. <br><br>The numeric value is <code>2</code>. </td></tr> <tr> <th><code>File</code></th> <td>Specifies that the handler mapping applies to requests only for physical files on disk. <br><br>The numeric value is <code>0</code>. </td></tr> <tr> <th><code>Unspecified</code></th> <td>Specifies that the mapping type is not specified. The handler mapping applies to requests regardless of whether the request maps to a physical file or folder on disk. Use this setting when you map a handler to a file name or file name extension that does not exist on disk, such as MyHandler.axd. <br><br>The numeric value is <code>3</code>. </td></tr></tbody></table> |
| `responseBufferLimit` | Optional uint attribute. <br><br>Specifies the maximum size, in bytes, of the response buffer for a request handler. <br><br>The default value is `4194304` bytes. |
| `scriptProcessor` | Optional string attribute. <br><br>Specifies the physical path of the ISAPI extension .dll file or Common Gateway Interface (CGI) .exe file that processes the request. <br><br>The scriptProcessor attribute is required only for script map handler mappings. When you map a handler to an ISAPI extension, you must specify ISAPIModule for the modules attribute. When you map a handler to a CGI file, you must specify CGIModule for the modules attribute. |
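Review bot: The new lead sentence in the `requireAccess` row, "Specifies the access level at which a handler will execute", can be read as the privilege the handler runs with, while the value rows under it still say "requires rights to run executables" and the added note describes a match against `accessPolicy`. Suggest wording the lead sentence in terms of that match, for example "Specifies the access type that the parent `accessPolicy` must allow for this handler to be executed", and pointing the note at the `<handlers>` page where `accessPolicy` is documented. The bold inline "Note:" also differs from the `> [!NOTE]` callout used for the matching text in index.md.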
7 changes: 5 additions & 2 deletions iis/configuration/system.webServer/handlers/index.md
Expand Up @@ -2,7 +2,7 @@
title: "Handlers &lt;handlers&gt;"
author: rick-anderson
description: "Overview The &lt;handlers&gt; element defines the handlers registered for a specific file name extension or URL. Handlers are Internet Information Services (..."
ms.date: 09/26/2016
ms.date: 05/19/2026
ms.assetid: df3cf46c-9d26-4e69-98e9-f2b4dcd2cbfc
msc.legacyurl: /configreference/system.webserver/handlers
msc.type: config
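Review bot: `ms.date: 05/19/2026` in this front matter does not match the `ms.date: 05/19/2025` that the same PR sets in add.md; one of the two years looks like a typo. Set both files to the same date.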
Expand Down Expand Up @@ -110,7 +110,10 @@ You configure the `<handlers>` element at the application level in the Web.confi

| Attribute | Description |
| --- | --- |
| `accessPolicy` | Optional flags attribute.<br><br>Specifies the allowed access types for the entire handlers collection.<br><br>The **accessPolicy** attribute can be one of the following possible values. The default is `Read`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Execute</code></th> <td>Enables handlers in the handlers collection that require execute rights in directories and files.</td></tr> <tr> <th><code>None</code></th> <td>Disables all handlers in the handlers collection that require access to directories or files.</td></tr> <tr> <th><code>NoRemoteExecute</code></th> <td>Prevents handlers in the handlers collection from running executables when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteRead</code></th> <td>Prevents handlers in the handlers collection from reading files when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteScript</code></th> <td>Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteWrite</code></th> <td>Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.</td></tr> <tr> <th><code>Read</code></th> <td>Enables handlers in the handlers collection that require read access to directories and files.</td></tr> <tr> <th><code>Script</code></th> <td>Enables handlers in the handlers collection that require script rights to directories or files.</td></tr> <tr> <th><code>Source</code></th> <td>Enables handlers in the handlers collection that require read access to source code (together with the <strong>Read</strong> flag) or write access to source code (together with the <strong>Write</strong> flag).</td></tr> <tr> <th><code>Write</code></th> <td>Enables handlers in the handlers collection that require write access to directories and files.</td></tr></tbody></table> |
| `accessPolicy` | Optional flags attribute.<br><br>Specifies what level of access types for the entire handlers collection.<br><br>The **accessPolicy** attribute can be one of the following possible values. The default is `Read`. <table> <tbody> <tr> <th>Value</th> <th>Description</th></tr> <tr> <th><code>Execute</code></th> <td>Enables handlers in the handlers collection that require execute rights in directories and files.</td></tr> <tr> <th><code>None</code></th> <td>Disables all handlers in the handlers collection that require access to directories or files.</td></tr> <tr> <th><code>NoRemoteExecute</code></th> <td>Prevents handlers in the handlers collection from running executables when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteRead</code></th> <td>Prevents handlers in the handlers collection from reading files when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteScript</code></th> <td>Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.</td></tr> <tr> <th><code>NoRemoteWrite</code></th> <td>Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.</td></tr> <tr> <th><code>Read</code></th> <td>Enables handlers in the handlers collection that require read access to directories and files.</td></tr> <tr> <th><code>Script</code></th> <td>Enables handlers in the handlers collection that require script rights to directories or files.</td></tr> <tr> <th><code>Source</code></th> <td>Enables handlers in the handlers collection that require read access to source code (together with the <strong>Read</strong> flag) or write access to source code (together with the <strong>Write</strong> flag).</td></tr> <tr> <th><code>Write</code></th> <td>Enables handlers in the handlers collection that require write access to directories and files.</td></tr></tbody></table> |

> [!NOTE]
> The `accessPolicy` attribute is not an enforceable security policy but rather a filtering mechanism that determines which handlers execute based on their `requiredAccess` attribute when configured. A filtered handler is still part of the configuration and may be initialized, even though it will not be selected to execute based on this attribute.

### Child Elements

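Review bot: The added NOTE spells the attribute `requiredAccess`, but the attribute documented in add.md in this same PR is `requireAccess`, so a reader searching the configuration reference for the name used in the note will not find it. The reworded lead sentence in the `accessPolicy` row, "Specifies what level of access types for the entire handlers collection.", has no verb; something like "Specifies which access types are enabled for the entire handlers collection" reads cleanly and stays consistent with the note's description of filtering. The row also still says the attribute "can be one of the following possible values" although it is declared a flags attribute and the `Source` description tells the reader to combine it with `Read` or `Write`.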