I'd like to prevent users from accessing files of a certain type through their browser. For example, the IIS server blocks access to .config and .vb files by default, giving the error message "The type of page you have requested is not served because it has been explicitly forbidden", and I'd like to add other file types to this behavior.
Is there something I can add to the application's web.config file? I'd rather not handle it by blocking directory access using the <authorization> element.
In IIS 7+, request filtering can be done at the app level. Add the below code in web.config:
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <add fileExtension=".vbs" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
For IIS 6, the above won't work but you can mimic the default blocking behavior that exists for pages like .cs files, although you may have to make changes on the server side. First, add the below into your app's web.config:
    <system.web>
      <httpHandlers>
        <add path="*.vbs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
      </httpHandlers>
    </system.web>
If ASP.NET is set up to handle that file type, like .cs, then you're done. However, if the file type you mean to block is handled by IIS, not ASP.NET (like .vbs), this won't be enough. You'll have to make changes in IIS Manager to map the file extension as shown here.
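
An added example, not part of the original answer: a Python check that reads a single web.config and reports which of the two mechanisms above would deny a given extension. The sample config and its `.bak` entry are constructed, `blocked_by` is a hypothetical helper name, and settings inherited from server-level configuration are not considered.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the two snippets from the answer in one file
# (".bak" is a made-up second extension so the two rules differ).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer><security><requestFiltering>
    <fileExtensions>
      <add fileExtension=".vbs" allowed="false" />
    </fileExtensions>
  </requestFiltering></security></system.webServer>
  <system.web>
    <httpHandlers>
      <add path="*.bak" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
    </httpHandlers>
  </system.web>
</configuration>"""

FORBIDDEN = "System.Web.HttpForbiddenHandler"

def blocked_by(config_xml, extension):
    """Hypothetical helper: list the mechanisms in this file that deny `extension`."""
    root = ET.fromstring(config_xml)
    ext = extension.lower()
    reasons = []

    # IIS 7+ request filtering: explicit <add> entries override allowUnlisted.
    exts = root.find("system.webServer/security/requestFiltering/fileExtensions")
    if exts is not None:
        allowed = exts.get("allowUnlisted", "true").lower() == "true"
        for rule in exts.findall("add"):
            if rule.get("fileExtension", "").lower() == ext:
                allowed = rule.get("allowed", "true").lower() == "true"
        if not allowed:
            reasons.append("requestFiltering")

    # ASP.NET handler mapping: only takes effect when IIS hands the
    # extension to ASP.NET, as the answer notes. Simplification: any matching
    # forbidden mapping counts; handler precedence is not modelled.
    for h in root.findall("system.web/httpHandlers/add"):
        handler_type = h.get("type", "").split(",")[0].strip()
        if handler_type == FORBIDDEN and fnmatch.fnmatch("x" + ext, h.get("path", "").lower()):
            reasons.append("HttpForbiddenHandler")
            break
    return reasons

if __name__ == "__main__":
    for e in (".vbs", ".bak", ".txt"):
        print(e, blocked_by(SAMPLE_WEB_CONFIG, e) or "served")
```

An extension that is reported only under `HttpForbiddenHandler` still needs the IIS-side mapping described above before the block is effective.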