
How to edit web.config to stop serving a specific file type of a .NET web app

I'd like to prevent users from accessing files of a certain type through their browser. For example, the IIS server blocks access to .config and .vb files by default, giving the error message "The type of page you have requested is not served because it has been explicitly forbidden", and I'd like to add other file types to this behavior.

Is there something I can add to the application's web.config file? I'd rather not handle it by blocking directory access using the <authorization> element.

Servant of Jesus asked Sep 13 '12 18:09




1 Answer

In IIS 7+, request filtering can be done at the app level. Add the below code in web.config:

<system.webServer>
    <security>
        <requestFiltering>
            <fileExtensions>
                <add fileExtension=".vbs" allowed="false" />
            </fileExtensions>
        </requestFiltering>
    </security>
</system.webServer>

For IIS 6, the above won't work but you can mimic the default blocking behavior that exists for pages like .cs files, although you may have to make changes on the server side. First, add the below into your app's web.config:

<system.web>
    <httpHandlers>
        <add path="*.vbs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
    </httpHandlers>
</system.web>

If asp.net is set up to handle that file type, like .cs, then you're done. However, if the file type you mean to block is handled by IIS, not asp.net (like .vbs), this won't be enough. You'll have to make changes in IIS Manager to map the file extension as shown here.

Servant of Jesus answered Sep 28 '22 18:09
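To confirm that a deployed web.config actually carries the deny rules from the answer above, the following added example (not part of the original post) statically audits the file for both mechanisms: requestFiltering entries with allowed="false" and httpHandlers entries mapped to System.Web.HttpForbiddenHandler. The function names, the combined sample file and the ".bak" extension are constructed for illustration; the check reads the file only and does not verify the IIS-side extension mapping that the answer says is needed on IIS 6.

```python
import xml.etree.ElementTree as ET

# Constructed sample: both fragments from the answer placed in one web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add path="*.vbs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
    </httpHandlers>
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".vbs" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

RF_PATH = "system.webServer/security/requestFiltering/fileExtensions/add"
HANDLER_PATH = "system.web/httpHandlers/add"


def blocked_extensions(web_config_xml):
    """Map each denied extension to the set of mechanisms that deny it."""
    root = ET.fromstring(web_config_xml)
    blocked = {}
    # IIS 7+ request filtering: <add fileExtension=".x" allowed="false" />
    for rule in root.iterfind(RF_PATH):
        if rule.get("allowed", "").lower() == "false":
            ext = rule.get("fileExtension", "").lower()
            blocked.setdefault(ext, set()).add("requestFiltering")
    # ASP.NET handler mapping: path="*.x" routed to HttpForbiddenHandler
    for rule in root.iterfind(HANDLER_PATH):
        path = rule.get("path", "").lower()
        handler = rule.get("type", "").split(",")[0].strip()
        if handler == "System.Web.HttpForbiddenHandler" and path.startswith("*."):
            blocked.setdefault(path[1:], set()).add("httpHandlers")
    return blocked


def missing_blocks(web_config_xml, required):
    """Return the required extensions that no rule in the file denies."""
    blocked = blocked_extensions(web_config_xml)
    return sorted(e.lower() for e in required if e.lower() not in blocked)


if __name__ == "__main__":
    print(missing_blocks(SAMPLE_WEB_CONFIG, [".vbs", ".bak"]))
```

An extension reported by missing_blocks has no deny rule in either section, so it is still served unless something outside web.config blocks it.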