I added the following to my web.config so users can not download my plugins:
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Plugins" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
Now I have the problem that not only domain.com/Plugins/MyPlugin.dll is blocked, but also domain.com/Scripts/ckeditor/plugins/ckplugin.js.
Is there a way to configure a hiddenSegment to only affect the root directory?
I solved this via a web.config inside my plugins folder, where I block *.dll files from being downloaded:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="Plugins*.dll_*" path="*.dll" verb="*" type="System.Web.HttpForbiddenHandler" />
<add name="Plugins*.pdb_*" path="*.pdb" verb="*" type="System.Web.HttpForbiddenHandler" />
</handlers>
</system.webServer>
</configuration>