How to restrict download of specified file types

Question

I want to restrict my web app so that .txt files can not be downloaded/shown. Is this something I can set up in my web.config file?

I tried this in my config file:

<system.web>
    <httpHandlers>
        <add verb="*" path="*.txt" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

...but it had no effect. I am using IIS7 and application is .NET3.5, could this have something to do with it? I know this would actually work for .NEt 1.0 1.1 and 2.0.

I noticed in the documentation for this (add httpHandlers), the Requirements section:

Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0
The .NET Framework version 1.0, 1.1, or 2.0
Microsoft Visual Studio 2003 or Visual Studio 2005

...which indicates that this is not supported in .NET 3 and IIS7...

Where is this specified in IIS7?

Answer 1

Take a look at this MS Support article on how to achieve this: HOW TO: Use ASP.NET to Protect File Types.

It involves setting up IIS to forward those requests to ASP.NET and then setting up your web.config to block the desired file types, such as: (nb this works for your dev machine and before IIS7 - be sure to see below)

<system.web>
    <httpHandlers>
        <add verb="*" path="*.ini" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
</system.web>

According to the httpHandlers Element page, the following extensions are forbidden by default as of .NET 2.0 (.ini is not one of them):

*.asax, *.ascx, *.master, *.skin, *.browser, *.sitemap, *.config, *.cs, *.csproj, *.vb, *.vbproj, *.webinfo, *.licx, *.resx, *.resources, *.mdb, *.vjsproj, *.java, *.jsl, *.ldb, *.dsdgm, *.ssdgm, *.lsad, *.ssmap, *.cd, *.dsprototype, *.lsaprototype, *.sdm, *.sdmDocument, *.mdf, *.ldf

EDIT: this applies to IIS versions prior to IIS 7.0. IIS 7.0 adds an additional operating mode, called Integrated Mode (default for ASP.NET), which requires handlers to be placed in <system.webServer>/<handlers> instead of <system.web>/<httpHandlers>. I added some more info and links to @awe's answer on this page, check it out for more details.

IMPORTANT! for IIS 7.0 or later

As specified in the edit you need to place the <add> element in a different place and the rule needs a name too - if you dont specify a name you will get a 500 Internal Error when restarting

  <system.webServer>
        <handlers>
            <add name="IgnoreIni" verb="*" path="*.ini" type="System.Web.HttpForbiddenHandler" />
        </handlers>
    </system.webServer>

Answer 2

OK. I found out the problem. In .NET 3, this specified in a different section of the web.config file. Instead of <system.web><httpHandlers>, it is in <system.webServer><handlers> like this:

<system.webServer>
  <handlers>
    <add name="NoTxtAllowed" verb="*" path="*.txt" 
       type="System.Web.HttpForbiddenHandler" />
  </handlers>
</system.webServer>

Although this is the answer that did the trick for me, I have marked the answer from Ahmad Mageed as the answer, as he provided it before I added the version information for .NET 3 in my question. He also pointed me in the right direction to find the solution. Note that his answer is correct for all versions of .NET prior to 3.

EDIT: IIS 7.0 supports 2 modes, Integrated and Classic. Integrated is the default mode for ASP.NET apps on IIS 7.0 which require handlers to be placed in <system.webServer>/<handlers> instead of <system.web>/<httpHandlers> (this is supported by the Classic mode and prior IIS versions).

Helpful links regarding this issue:

• How to: Register HTTP Handlers
• Moving an ASP.NET Application from IIS 6.0 to IIS 7.0
• ASP.NET Integration With IIS 7.0

Answer 3

This is something you set in IIS, but it should be there by default already.