Denying file extensions in IIS

Question

In IIS I noticed that I can deny access to any file extension on the server. For example, I an deny access to .jpg images. But then the browser won't b e able to display .jpg images on my site.

I was wondering, does IIS allow us to deny access to file extensions - or filenames- that are being accessed directly (by typing the full url into the address bar), while still serving them to the browser if being requested by the document?

Answer 1

You can't really prevent doing this; a determined person can download anything that a webpage can download. However, you can make it slightly more difficult for the less technically literate by checking the HTTP referrer in the request. If it's the URL of one of your webpages, you can allow the request. Otherwise, you can deny it. This technique is used to prevent deep linking quite often.

Here's a sample (untested) of how you can do this with a .NET HTTP module:

public class ImageDenyingModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) => {
            var request = app.Context.Request;
            if (RequiresPageReferrer(request.Url) && !IsValidReferer(request.UrlReferrer)) {
                app.Context.Response.StatusCode = 404;
                app.Context.Response.End(); // Or something...
            }
        };
    }

    private bool RequiresPageReferrer(string url) {
    }

    private bool IsValidReferrer(string referrer) {
    }
}

Answer 2

You can do this with a custom http handler.

http://support.microsoft.com/kb/308001

If you create a custom handler for jpg files then you can check the referer of the request and serve the image or cancel the request.