I've got a page in an ASP.NET app (it's MVC actually, but that's not important) and I would like to only allow connections to this page from the local machine. I would love to do something like this in Web.config:
<location path="resources">
  <system.web>
    <authorization>
      <allow ips="local"/>
    </authorization>
  </system.web>
</location>
I know this is possible with a simple check in the page code-behind (or controller), and it's even possible just with IIS configuration, but I would love a Web.config setting, as this would be the most elegant solution in my opinion. Does anyone know if this is possible?
The path attribute defines the site or virtual directory that the configuration settings cover. To specify that the settings in the <location> element apply to the default Web site, set the path attribute to Default Web Site.
There is no restriction on using the web.config file in an ASP.NET web application. You can have one Web.config file per folder.
A config-based connection string seems unsafe, because one can read it. But think about it: if a person can read your web.config, it means he can edit any file on your server anyway, as he has probably already hacked it or gained access to the files.
You can use protected configuration to encrypt sensitive information, including user names and passwords, database connection strings, and encryption keys, in a Web application configuration file such as the Web.config file.
You can ask IIS to restrict access to a resource by IP address from within the Web.config:
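<location path="resources">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": clients that match no entry below are rejected -->
      <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- allowed defaults to false, so it must be set to true for this entry to admit the address -->
        <add ipAddress="127.0.0.1" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</location>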
EDIT: As Mike pointed out in the comment below, this requires the IP and Domain Restrictions module to be installed. Thanks Mike!
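An added example, not part of the answer above or of any IIS tooling: a Python check that reads a Web.config and reports, per <location>, whether its ipSecurity rules admit only loopback clients. It relies on the IIS defaults (allowUnlisted is true, allowed on <add> is false); the sample config, the "admin" location and the function name are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. "resources" uses a bare <add> entry; "admin" is a
# hypothetical second location with explicit allow entries for both loopbacks.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="resources"><system.webServer><security>
    <ipSecurity allowUnlisted="false">
      <clear/>
      <add ipAddress="127.0.0.1"/>
    </ipSecurity>
  </security></system.webServer></location>
  <location path="admin"><system.webServer><security>
    <ipSecurity allowUnlisted="false">
      <add ipAddress="127.0.0.1" allowed="true"/>
      <add ipAddress="::1" allowed="true"/>
    </ipSecurity>
  </security></system.webServer></location>
</configuration>"""

def audit_ip_security(web_config_xml):
    """Map each <location> path to its findings; [] means loopback-only access."""
    report = {}
    for loc in ET.fromstring(web_config_xml).iter("location"):
        sec = loc.find("system.webServer/security/ipSecurity")
        if sec is None:
            continue
        findings, loopback_allowed = [], False
        # allowUnlisted defaults to true: clients matching no entry get in.
        if sec.get("allowUnlisted", "true").lower() != "false":
            findings.append("allowUnlisted is not false: unlisted clients are admitted")
        for entry in sec.findall("add"):
            addr = entry.get("ipAddress", "")
            mask = entry.get("subnetMask", "255.255.255.255")
            # allowed defaults to false, so a bare <add> is a deny entry.
            if entry.get("allowed", "false").lower() != "true":
                findings.append(f"{addr}: allowed is not true, so this entry denies the address")
                continue
            try:
                single = ipaddress.ip_address(addr).is_loopback and mask == "255.255.255.255"
            except ValueError:  # empty or non-literal value, e.g. a domainName entry
                single = False
            loopback_allowed = loopback_allowed or single
            if not single:
                findings.append(f"{addr or '?'}/{mask}: allows more than one loopback address")
        if not loopback_allowed:
            findings.append("no loopback allow entry: local requests are rejected too")
        report[loc.get("path")] = findings
    return report
```

The check is deliberately conservative: an allow entry for a whole loopback range such as 127.0.0.0 with mask 255.0.0.0 is also reported.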
This isn't what you asked for, but you could specify users of the local machine. I can't imagine this is practical unless it's a small number of users you're wanting to authorize.
<location path="resources">
  <system.web>
    <authorization>
      <allow users="LOCALMACHINENAME\UsernameOfTrustedUser"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Remote clients will not be able to resolve the host name.
You could secure it more using a dedicated IP address tied to a virtual network adapter which would not actually respond to external requests.