How to disable direct access to web resources for ASP.NET MVC projectcs

Question

I have a web site that runs on ASP.NET MVC. I have of course disabled the directory browsing. I have also added conditions to my RouteConfig.cs file to accept only pages that I want to.

For example:

• example.com/
• example.com/account/login
• example.com/account/register

I also tested that my configs are not accessible directly:

• example.com/web.config ---> error 404

However, I still can directly access files under content folder and they are not even minified or anything:

• example.com/Content/css/style.css -----> 200:Ok
• example.com/Content/scripts/myscript.js ----> 200:ok

Now I see in some articles they recommend adding the following to the web.config file:

<authorization>
    <deny users="?" />
</authorization>

But then it blocks the whole site.

I am sure there should be an easy way to handle this. I use Visual Studio to publish it to a machine running IIS.

Does anyone have any ideas how this can be fixed? Thank you.

Answer 1

You can also try to use url rewrite to block access:

Answer 2

As per @samwu's response above, I constructed the below rules to block folders such as Content, Scripts and logs from direct access but still let the site be functional:

    <system.webServer>
        .......
        <rewrite>
        <rules>
            <!--Rules to block direct access to folders and their files. (e.g: https://mysite/Content/CSS/Common.css)-->
            <rule name="Block Content Folder" stopProcessing="true">
                <match url="^Content/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
            </rule>

            <rule name="Block Scripts Folder" stopProcessing="true">
                <match url="^Scripts/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
            </rule>

            <rule name="Block App_Data Folder" stopProcessing="true">
                <match url="^App_Data/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
            </rule>

            <rule name="Block Logs Folder" stopProcessing="true">
                <match url="^logs/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
            </rule>
        </rules>
    </rewrite>
    .......
    </system.webServer>