27

How do I restrict folder access in ASP.NET? I don't want anyone else to see my Uploads folder in the browser via the link http://www.example.com/Uploads

Majid
Asad

4 Answers

64

For future generations: the answer that works for me is to use hidden segments.

If you want to secure e.g. the Uploads folder, go to your root Web.config and add the following element into <system.webServer>:

<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="Uploads"/>
    </hiddenSegments>
  </requestFiltering>
</security>

This will prevent all users from directly accessing the Uploads folder and its content.

Lukáš Kotrba
  • 1
    Very useful, this works perfectly if your site doesn't have roles or authentication – amelian Sep 09 '14 at 09:16
  • 1
    Very interesting. The Microsoft documentation is at https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/hiddensegments/ . It says this mechanism is used to protect the bin and app_code paths. – Anthony Jan 03 '19 at 18:03
  • Please also note that this will protect sub directories "inadvertently". So if you have `` then the path `/assets/javascript/plugins/myfile.js` will be restricted. – Barry Mar 23 '20 at 18:25
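
An offline audit of the hidden-segments rule from the answer above, including the sub-directory side effect noted in the comments. This is an added example, not part of the original thread; the sample URLs are constructed, and case-insensitive matching on the decoded path is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Constructed sample: the root Web.config fragment from the answer above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration><system.webServer><security><requestFiltering>
  <hiddenSegments>
    <add segment="Uploads"/>
  </hiddenSegments>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed URLs to check against the rule.
SAMPLE_URLS = [
    "http://www.example.com/Uploads",
    "http://www.example.com/Uploads/report.pdf",
    "http://www.example.com/assets/uploads/logo.png",   # nested directory
    "http://www.example.com/UploadsArchive/a.txt",      # different segment
    "http://www.example.com/home?dir=Uploads",          # query string only
]

def hidden_segments(web_config_xml):
    """Segments this file adds under <hiddenSegments>, lower-cased.
    Segments inherited from parent configuration are not modelled."""
    root = ET.fromstring(web_config_xml)
    node = root.find(
        "system.webServer/security/requestFiltering/hiddenSegments")
    segments = set()
    for child in (node if node is not None else []):
        name = child.get("segment", "").lower()
        if child.tag == "clear":
            segments.clear()
        elif child.tag == "remove":
            segments.discard(name)
        elif child.tag == "add" and name:
            segments.add(name)
    return segments

def is_hidden(url, segments):
    """True if any single path segment equals a hidden segment.
    Assumption: comparison is case-insensitive and done on the decoded path."""
    parts = unquote(urlsplit(url).path).split("/")
    return any(part.lower() in segments for part in parts if part)

def audit(web_config_xml, urls):
    """Map each URL to True (matched by the rule) or False (not matched)."""
    segments = hidden_segments(web_config_xml)
    return {url: is_hidden(url, segments) for url in urls}

if __name__ == "__main__":
    for url, blocked in audit(SAMPLE_WEB_CONFIG, SAMPLE_URLS).items():
        print("HIDDEN  " if blocked else "no match", url)
```

Run it against the site's own Web.config and a list of static asset paths before deploying a new segment, so a rule meant for one folder does not silently hide same-named directories elsewhere.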
23

You can do as @klausbyskov mentions and add <authorization /> elements to the root web.config, like:

<location path="Admin">
    <system.web>
        <authorization>
            <allow roles="Administrator"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

or you can add a web.config to the folder where you want to allow/deny access with the following content:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator"/>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Of course, replace the <allow /> and <deny /> with your own rules.

veggerby
  • 9
    None of them work for me (using MVC4). I see most posts suggesting this thing, but I have added it at root, inside each folder I need to secure, tested locally and on the server... it never works... am I missing something? Using MVC 4. – Nestor May 21 '13 at 08:18
  • +1 for having the full text I could copy and paste into a new web.config I created on a hot server. – Chris Marisic Sep 17 '13 at 12:42
  • Will these rules be applied to all subfolders as well? Or do I have to add a web.config to each folder? And does it apply to all file types? – Michiel Aug 11 '14 at 12:36
  • @Nestor I was also not able to get it to work until I found that you need to add under – Superhdninja May 28 '20 at 17:03
4

You should add a web.config file to said folder and put an <authorization> tag in the file, as described here.

Klaus Byskov Pedersen
-1

You can manage folder browsing in IIS settings.

  • Open IIS Manager and navigate to the folder you want to manage.

  • In Features View, double-click Directory Browsing.

  • In the Actions pane, click Enable/Disable.

This is for IIS7.

You can also use the command line for this.

 appcmd set config /section:directoryBrowse /enabled:true|false

Hope this helps...
Happy Programming,

Vimal Raj