In IIS (6 or 7), when Directory Browsing is disabled, IIS returns a "403 - Forbidden" error when it detects an attempt to browse a directory (e.g., "http://mydomain.com/folder").
Is there any way to configure IIS to return a "404 - Not Found" error instead of a "403" for directory browse attempts?
This is an asp.net webforms site.
A security scan of our site noted that returning "403" could assist a malicious person mapping our site; had not thought of that before, but I have to admit it makes sense.
The solution that worked for us (IIS7):
In IIS (7 and above), go to Request Filtering, where there is a tab called Hidden Segments. You can just add the name of the directory you want to be hidden, and it will now return a 404.
If you are using ASP.NET MVC, add the following handler to web.config:

    <system.webServer>
      <handlers>
        <add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*"
             preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
      </handlers>
    </system.webServer>
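
A way to verify either fix from outside, added here as an example and not part of the original answers: it requests each directory with and without a trailing slash and reports any whose status differs from that of a path that cannot exist. The function names, the host and the folder list are assumptions; point it at your own site.

```python
"""Check that directory URLs answer like nonexistent paths instead of with 403."""
import urllib.error
import urllib.request
import uuid


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface redirects as their own status code instead of following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=5.0):
    """Return the HTTP status code for a GET of url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_directories(base_url, directories, fetch=http_status):
    """Compare each directory's status with that of a path that cannot exist.

    Returns (baseline_status, findings); findings maps every URL whose status
    differs from the baseline to the status it returned.
    """
    base = base_url.rstrip("/")
    # A random name gives the response the server sends for "nothing here".
    baseline = fetch(f"{base}/{uuid.uuid4().hex}/")
    findings = {}
    for name in directories:
        for url in (f"{base}/{name}", f"{base}/{name}/"):
            status = fetch(url)
            if status != baseline:
                findings[url] = status
    return baseline, findings


if __name__ == "__main__":
    # Placeholder host and folder names (assumptions): use your own site's values.
    baseline, findings = audit_directories("http://localhost", ["folder", "images"])
    print("status for a nonexistent path:", baseline)
    for url, status in findings.items():
        print(f"DISTINGUISHABLE  {status}  {url}")
```

An empty findings list means the listed directories are indistinguishable, by status code, from paths that do not exist.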