What is the easiest way to completely prevent the http access to a subdirectory of the application?

StackOverflow https://stackoverflow.com/questions/22534181

Question

My ASP.Net application contains a subdirectory foo which should not be accessed using http. I thought the easiest solution was to place the web.config below in the subdirectory foo.

<configuration>
    <system.web>
        <httpRuntime enable="false"/>
    </system.web>
</configuration>

But it does not work. For example, http://myapp/foo/test.html is not rejected by the server.

Was it helpful?

Solution

You can try to add this within your web.config :

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="directoryYouWantToProtect"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

I tested it and it seems to work fine, when I try to list the directory or access a file directly I have a 404.8 HTTP Error (The request filtering module is configured to deny a path in the URL that contains a hiddenSegment section)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top