I'd like to prevent users from accessing files of a certain type through their browser. For example, the IIS server blocks access to .config and .vb files by default, giving the error message "The type of page you have requested is not served because it has been explicitly forbidden", and I'd like to add other file types to this behavior.
Is there something I can add to the application's web.config file? I'd rather not handle it by blocking directory access using the <authorization>
element.
web. config file is an XML-based configuration file used in ASP. NET-based applications to manage various settings that are concerned with the configuration of our website. In this way, we can separate our application logic from configuration logic.
Web. Config is used for asp.net web projects / web services. App. Config is used for Windows Forms, Windows Services, Console Apps and WPF applications.
In IIS 7+, request filtering can be done at the app level. Add the below code in web.config:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".vbs" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
For IIS 6, the above won't work but you can mimic the default blocking behavior that exists for pages like .cs files, although you may have to make changes on the server side. First, add the below into your app's web.config:
<system.web>
<httpHandlers>
<add path="*.vbs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
</httpHandlers>
</system.web>
If asp.net is set up to handle that file type, like .cs, then you're done. However, if the file type you mean to block is handled by IIS, not asp.net (like .vbs), this won't be enough. You'll have to make changes in IIS Manager to map the file extension as shown here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With