user2728841

Reputation: 1427

How to stop directory browsing of a web site but also allow default document

When you attempt to visit a directory on a web server you get a 403 message, whereas it's generally more desirable to get a 404 message so you're not giving a hacker a clue that a folder exists.

I thought I had found the ultimate solution to this problem - by adding this to web.config system.webServer:

<handlers>
  <add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*" type="System.Web.HttpNotFoundHandler" preCondition="integratedMode" />
</handlers>

This correctly raises a 404 when you attempt to visit a directory.

However, sadly, it kills the default document mechanism at the top level.

Can anyone suggest a variant of the above that allows the default document to work but still protects sub directories?

Upvotes: 0

Views: 263

Answers (1)

wazz

Reputation: 5068

This doesn't actually change the status codes returned, but you can redirect as you like using <customErrors>:

<customErrors mode="RemoteOnly" defaultRedirect="~/redirect/error-status.aspx">
    <error statusCode="403" redirect="~/redirect/access-denied.aspx" />
    <error statusCode="404" redirect="~/redirect/file-not-found.aspx" />
</customErrors>

You could redirect every status code to one single page if you wanted to.

Upvotes: 1
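
An added example, not part of the question or the answer above: one way to return a real 404 for sub-directory requests while leaving the site root to the default document module. It assumes the IIS URL Rewrite module is installed; the rule name and the description text are hypothetical.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name. Answers 404 for any request that maps to a
             physical directory below the site root. -->
        <rule name="Hide-Subdirectories" stopProcessing="true">
          <!-- The rule input is the URL path without its leading slash, so a
               request for "/" is the empty string. ".+" never matches it, and
               the root request falls through to the default document module. -->
          <match url=".+" />
          <conditions>
            <!-- True when the URL maps to an existing directory on disk,
                 with or without a trailing slash. -->
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
          </conditions>
          <!-- Respond directly with 404 instead of the 403 that IIS returns
               when directory browsing is disabled. -->
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The requested resource was not found." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This also returns 404 for a sub-directory that has its own default document; requesting the file by name (for example `/docs/index.html`) still works because the condition only matches directories.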
