Denying direct access to a folder (only allow through app)

asp.net security file-access
Keith Myers picture Keith Myers · Jul 25, 2011 · Viewed 11.1k times · Source

I need to prevent someone from directly accessing a pdf, instead only allowing them to be pulled through the app itself. How can this be done?

Answer

user1160006 picture user1160006 · Dec 3, 2013

Add this to your top-level Web.config to block a folder called Reports (your folder name goes there). This will allow your application to access Reports/file.pdf but an outside request to yoursite.com/Reports/file.pdf will be blocked.

<configuration>
    <system.webServer>   
         <security>
          <requestFiltering>
            <hiddenSegments>
              <add segment="Reports" />
            </hiddenSegments>
          </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Related questions

What are all the user accounts for IIS/ASP.NET and how do they differ?

Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how to they differ, and which one is REALLY the one that my app runs under. …

Read More
X-Frame-Options Allow-From multiple domains

I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header. I also need to enable my site pages to be iframed from my same domain as well as from my facebook app. Currently I have …

Read More
ASP.NET Identity's default Password Hasher - How does it work and is it secure?

I am wondering wether the Password Hasher that is default implemented in the UserManager that comes with MVC 5 and ASP.NET Identity Framework, is secure enough? And if so, if you could explain to me how it works? IPasswordHasher interface …

Read More