ASP.Net MVC 3 what folders are web visible

Question

I have some sensitive files that I want the web server to be able to use, but I do not want them to be accessible from a web browser.

I am having a really hard time finding any documentation that describes which folders in ASP.Net are hosted publicity and which are private. For instance I know the Content and Scripts directory are public, but I see no configuration or options that show granting access to those paths.

What folders are web accessible? And where would it be safe to put these sensitive files?

Thanks for the help!

Answer 1

I'm not sure about which special folders are locked down (other than App_Data & bin), but you can block any folder from being web accessible by adding an <authorization/> section to a <location/> section to your web.config:

<!-- Block access to Admin directory -->
<location path="Admin">
    <system.web>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Alternatively, you can add a web.config directly to the directory you want to block, containing the following:

<?xml version="1.0"?>
<!-- This web.config blocks access to any directory it is put in, 
     and its subdirectories -->
<configuration>
    <system.web>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

These approaches are functionally identical, it just depends on your preference. Personally, I think having the web.config file in the directory you're blocking access to is a little less confusing.

Answer 2

have some sensitive files that I want the web server to be able to use, but I do not want them to be accessible from a web browser.

~/App_Data is for you. Here's a list of the different ASP.NET special folders.