Search code examples
asp.net-mvciis-7

How to disable direct access to web resources for ASP.NET MVC projectcs

I have a web site that runs on ASP.NET MVC. I have of course disabled the directory browsing. I have also added conditions to my RouteConfig.cs file to accept only pages that I want to.

For example:

  • example.com/
  • example.com/account/login
  • example.com/account/register

I also tested that my configs are not accessible directly:

  • example.com/web.config ---> error 404

However, I still can directly access files under content folder and they are not even minified or anything:

  • example.com/Content/css/style.css -----> 200:Ok
  • example.com/Content/scripts/myscript.js ----> 200:ok

Now I see in some articles they recommend adding the following to the web.config file:

<authorization>
    <deny users="?" />
</authorization>

But then it blocks the whole site.

I am sure there should be an easy way to handle this. I use Visual Studio to publish it to a machine running IIS.

Does anyone have any ideas how this can be fixed? Thank you.

Solution

  • You can also try to use url rewrite to block access:

    enter image description here