where to put files so they can't be served by IIS

[Andy Fish]

Hi,

in my ASP.NET web app, I have some config and data files. For convenience, I
would like to keep them under the application root directory on the web
server, but I don't want IIS to be able to serve them up to a user directly.

In the J2EE world, I would just stick them underneath the WEB-INF directory,
because that's a special reserved area that can never be accessed by the
client. What's the best way of doing something like this with asp.net?

I don't really want to rely on diretory permissions or specific IIS settings
because that's the kind of thing that gets lost when you copy it from one
machine to another. The files underneath this area might have any old file
extensions.

TIA

Andy

 

[Scott M.]

..config files are not servable by IIS no matter where they are. As for your
other files, the best way to do it is really to set the directory
permissions.

 

[Scott Allen]

One option is to use a common extension for your private files, and
map them to the HttpForbiddenHandler to prevent them from being
served.

i.e.

<add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler"
/>

You'll also have to add them to the IIS script mappings.
ASP.NET already protects file types like .config.

There is some detailed documentation in the following KB article:

HOW TO: Use ASP.NET to Protect File Types
http://support.microsoft.com/default.aspx?scid=kb;EN-US;815152

Hope this helps!

 

[Andy Fish]

I guess I could put a web.config file in the top level of my hidden
directory and put something in there to make sure nobody can access it via
IIS directly

maybe <authorization><deny users="*" />