How to disable direct access to web resources for ASP.NET MVC projects


I have a web site that runs on ASP.NET MVC. I have of course disabled directory browsing. I have also added conditions to my RouteConfig.cs file to accept only the pages that I want.

For example:

  • example.com/
  • example.com/account/login
  • example.com/account/register

I also tested that my configs are not accessible directly:

  • example.com/web.config ---> error 404

However, I can still directly access files under the Content folder, and they are not even minified or anything:

  • example.com/Content/css/style.css ---> 200 OK
  • example.com/Content/scripts/myscript.js ---> 200 OK

Now I see in some articles they recommend adding the following to the web.config file:

<authorization>
    <deny users="?" />
</authorization>

But then it blocks the whole site.

I am sure there should be an easy way to handle this. I use Visual Studio to publish it to a machine running IIS.

Does anyone have any ideas about how this can be fixed? Thank you.

2

There are 2 answers

1
samwu On BEST ANSWER

You can also try to use URL Rewrite to block access:

(image of the URL Rewrite rule configuration, not reproduced on the extracted page)

0
Stackedup On

As per @samwu's response above, I constructed the rules below to block folders such as Content, Scripts and logs from direct access while still letting the site function:

    <system.webServer>
        .......
        <rewrite>
            <rules>
                <!--Rules to block direct access to folders and their files. (e.g: https://mysite/Content/CSS/Common.css)-->
                <rule name="Block Content Folder" stopProcessing="true">
                    <match url="^Content/(.*)$"/>
                    <conditions>
                        <add input="{HTTP_REFERER}" pattern="^$"/>
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
                </rule>

                <rule name="Block Scripts Folder" stopProcessing="true">
                    <match url="^Scripts/(.*)$"/>
                    <conditions>
                        <add input="{HTTP_REFERER}" pattern="^$"/>
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
                </rule>

                <rule name="Block App_Data Folder" stopProcessing="true">
                    <match url="^App_Data/(.*)$"/>
                    <conditions>
                        <add input="{HTTP_REFERER}" pattern="^$"/>
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
                </rule>

                <rule name="Block Logs Folder" stopProcessing="true">
                    <match url="^logs/(.*)$"/>
                    <conditions>
                        <add input="{HTTP_REFERER}" pattern="^$"/>
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
                </rule>
            </rules>
        </rewrite>
        .......
    </system.webServer>
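The rules in the answer above decide purely on whether the request carries a Referer header. The following is an added example, not code from either answer: it parses a copy of those rewrite rules and runs a handful of constructed requests through a minimal re-implementation of how IIS URL Rewrite applies a rule (regex on the path with `ignoreCase` defaulting to true, all conditions must match, `CustomResponse` returns the configured status). The request paths and Referer values are made up for the demonstration; only the subset of the rule syntax used in the posted config is implemented.

```python
"""Evaluate the posted IIS URL Rewrite rules against constructed requests.

Added example, not code from the original Q&A. The rule evaluation below is a
deliberately small model of IIS URL Rewrite: <match url> is tested against the
request path without its leading slash, every <conditions><add> entry must match
its server variable (logicalGrouping="MatchAll" is the default), and a matching
<action type="CustomResponse"> yields its statusCode. Pattern matching is
case-insensitive because the ignoreCase attribute defaults to true in IIS.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of two of the rules from the answer above. The Scripts and
# App_Data rules posted there have exactly the same shape and are omitted.
WEB_CONFIG_RULES = """<rules>
  <rule name="Block Content Folder" stopProcessing="true">
    <match url="^Content/(.*)$"/>
    <conditions><add input="{HTTP_REFERER}" pattern="^$"/></conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
            statusDescription="Access to this resource is forbidden."/>
  </rule>
  <rule name="Block Logs Folder" stopProcessing="true">
    <match url="^logs/(.*)$"/>
    <conditions><add input="{HTTP_REFERER}" pattern="^$"/></conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
            statusDescription="Access to this resource is forbidden."/>
  </rule>
</rules>"""


def load_rules(xml_text):
    """Parse <rule> elements into (name, url_regex, [(server_var, regex)], status)."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        url_pattern = rule.find("match").get("url")
        conds = []
        conditions = rule.find("conditions")
        if conditions is not None:
            for cond in conditions.findall("add"):
                # "{HTTP_REFERER}" -> "HTTP_REFERER"
                conds.append((cond.get("input").strip("{}"), cond.get("pattern")))
        action = rule.find("action")
        status = 200
        if action is not None and action.get("type") == "CustomResponse":
            status = int(action.get("statusCode"))
        rules.append((rule.get("name"), url_pattern, conds, status))
    return rules


def evaluate(rules, path, server_vars):
    """Return (status, rule_name) the rules would produce for one request.

    path is the request path, e.g. "/Content/css/style.css"; server_vars holds
    the IIS server variables the conditions reference, e.g. {"HTTP_REFERER": ""}.
    A request no rule matches falls through to the application, modelled as 200.
    """
    url = path.lstrip("/")
    for name, url_pattern, conds, status in rules:
        if not re.search(url_pattern, url, re.IGNORECASE):
            continue
        if all(re.search(pattern, server_vars.get(var, ""), re.IGNORECASE)
               for var, pattern in conds):
            return status, name
    return 200, None


def probe(rules):
    """Run constructed requests through the rules; returns {label: status}."""
    cases = {
        "css, typed into the address bar (no Referer)":
            ("/Content/css/style.css", {"HTTP_REFERER": ""}),
        "css, fetched by the site's own page":
            ("/Content/css/style.css", {"HTTP_REFERER": "https://example.com/account/login"}),
        "css, curl -H 'Referer: x'":
            ("/Content/css/style.css", {"HTTP_REFERER": "x"}),
        "log file, forged Referer":
            ("/logs/app.log", {"HTTP_REFERER": "https://anything.invalid/"}),
        "log file, upper-case path, no Referer":
            ("/LOGS/app.log", {"HTTP_REFERER": ""}),
        "unrelated page":
            ("/account/login", {"HTTP_REFERER": ""}),
    }
    return {label: evaluate(rules, path, vars_)[0]
            for label, (path, vars_) in cases.items()}


if __name__ == "__main__":
    for label, status in probe(load_rules(WEB_CONFIG_RULES)).items():
        print(f"{status}  {label}")
```

The probe shows what the condition `pattern="^$"` actually enforces: any non-empty Referer, including a single arbitrary character supplied with `curl -H "Referer: x"`, passes, so the rule stops only address-bar access and not a deliberate attacker. It also blocks legitimate browsers that send no Referer (a page served with `Referrer-Policy: no-referrer`, or users with referrer suppression enabled). Static assets in Content and Scripts have to be fetchable by the visitor's browser, so they cannot be hidden, only served; directories that must never be served, such as logs, are safer kept outside the web root, and App_Data is already a segment IIS refuses to serve by default.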