Denying direct access to a folder (only allow through app)

Question

I need to prevent someone from directly accessing a pdf, instead only allowing them to be pulled through the app itself. How can this be done?

Answer 1

Add this to your top-level Web.config to block a folder called Reports (your folder name goes there). This will allow your application to access Reports/file.pdf but an outside request to yoursite.com/Reports/file.pdf will be blocked.

<configuration>
    <system.webServer>   
         <security>
          <requestFiltering>
            <hiddenSegments>
              <add segment="Reports" />
            </hiddenSegments>
          </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Answer 2

There are two solutions for doing that:

1- You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that IIS has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.

2- Stop IIS from serving this folder:

IIS by default doesn’t server some website folders and files such App_Data, App_Code, bin, App_GlobalResourses, App_LocalResources, Web.config,….