Question

Our security team at work did a security scan of our soon-to-be-deployed website and one of the items that was found was "Hidden Directory Detected". It shows up for 3 different folders, aspnet_client, scripts, and content.

The software recommends throwing a 404 instead of a 403, or removing the folders completely. First, are the folders actually needed? How can I determine which folders in my Visual Studio project are actually needed in order for the site to run (without removing folders one at a time and trying to access the site)?

What is the proper way to handle this/resolve the security scan alert? Do I need to add special routing rules in the routeconfig.cs for when these paths are accessed?

Edit: I should note that this is a WebApi/REST service, not a regular MVC site. (Therefore, using the CustomErrors configuration section will not work.)


Solution

After much googling, here's the solution that I have implemented. I'm not sure if it's the best practice for this sort of thing, but it's working in my scenario.

Scroll down to the answer about implementing the NoAccessHandler : IHttpHandler

http://forums.asp.net/t/1478217.aspx?Make+IIS+return+a+404+status+code+instead+of+403

Config section needed:

<!-- Classic pipeline mode (lives under <system.web>) -->
<system.web>
  <httpHandlers>
    <add verb="*" path="docs/*" validate="false" type="MyNameSpace.NoAccessHandler"/>
  </httpHandlers>
</system.web>

<!-- Integrated pipeline mode (IIS 7+) -->
<system.webServer>
  <handlers>
    <add name="NoAccess" verb="*" path="docs/*" preCondition="integratedMode" type="MyNameSpace.NoAccessHandler"/>
  </handlers>
</system.webServer>

And the Handler code:

using System;
using System.Web;

namespace MyNameSpace
{
    // Mapped in web.config to the folders that should look non-existent.
    // Every request routed here is answered with a plain 404, so a probe
    // cannot distinguish a protected folder (403) from a missing one (404).
    public class NoAccessHandler : IHttpHandler
    {

        #region IHttpHandler Members

        // Stateless, so one instance can serve concurrent requests.
        public bool IsReusable
        {
            get { return true; }
        }

        public void ProcessRequest(HttpContext context)
        {
            // No body is written; IIS substitutes its normal 404 page,
            // so the response matches a genuine 404 from the same site.
            context.Response.StatusCode = 404;
        }

        #endregion
    }
}
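The handler above needs one `<handlers>` entry per folder, and a handler mapping only fires once IIS has chosen a handler for the request, so a bare directory request such as `/scripts/` can still be answered by the directory-listing module (403.14) before the custom handler runs. The following is an added example, not code from the question or the answer: a hypothetical `IHttpModule` that runs at `BeginRequest` for every request (static files included) and short-circuits anything under the three folders the scanner flagged with a 404. The folder list, the module name and the config registration are assumptions to adapt to your own project.

```csharp
using System;
using System.Linq;
using System.Web;

namespace MyNameSpace
{
    // Hypothetical module (added example). Register it in web.config:
    //
    //   <system.webServer>
    //     <modules>
    //       <add name="HiddenPath" type="MyNameSpace.HiddenPathModule"/>
    //     </modules>
    //   </system.webServer>
    //
    // Deliberately no preCondition="managedHandler": in integrated mode the
    // module then runs for static-file and directory requests as well, which
    // is exactly where the 403 came from.
    public class HiddenPathModule : IHttpModule
    {
        // Assumed list: the folders reported by the scan in the question.
        private static readonly string[] HiddenFolders =
            { "aspnet_client", "scripts", "content" };

        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;

            // "~/Scripts/app.js" style path, already URL-decoded and normalised by IIS.
            if (!IsHidden(app.Request.AppRelativeCurrentExecutionFilePath))
                return;

            app.Response.Clear();
            app.Response.StatusCode = 404;
            // No body on purpose: IIS substitutes the same 404 page it would
            // send for a folder that really does not exist.
            // CompleteRequest() ends the pipeline here, so neither the static
            // file handler nor the directory-listing module gets to answer.
            app.CompleteRequest();
        }

        // Matches the folder itself ("~/scripts", "~/scripts/") and anything
        // below it ("~/Scripts/app.js"), case-insensitively because IIS
        // paths are; "~/scriptsx/..." is intentionally not matched.
        internal static bool IsHidden(string appRelativePath)
        {
            var path = (appRelativePath ?? string.Empty).TrimStart('~', '/');
            return HiddenFolders.Any(folder =>
                path.Equals(folder, StringComparison.OrdinalIgnoreCase) ||
                path.StartsWith(folder + "/", StringComparison.OrdinalIgnoreCase));
        }

        public void Dispose() { }
    }
}
```

Before relying on this, confirm the folders are really unused by the deployed service: a Web API project normally serves no files from `scripts` or `content`, and `aspnet_client` only matters for legacy client-side validation scripts. If a folder turns out to be unused, deleting it from the published output removes the finding outright and is preferable to masking it.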
Licensed under: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange