Deny Direct Access to JavaScript Files in IIS Web Server

Question

I have a web application which is in php and java script. if someone tries to enter the path of the java script file in the browser, the complete java script is being displayed in the browser. For example: http://myserver.com/MyApp/app/view/baseView.js , this returns the source code of that particular java script file.

Can I restrict this ? I am using Windows IIS 7.5 Web Server. I have tried doing this in the main web.config file:

<security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" users="" roles="Administrators" />

        </authorization>
    </security>

But this code blocks the complete application, even when I try to access the default.php file through the url, the following error is being returned by the Web Server : "401 - Unauthorized: Access is denied due to invalid credentials".

Please help !

May I ask why you want to do this? Users will have access to the file either way through the php file accessing it. — dustytrash, Sep 18 '18 at 18:32
Include the JS file to a PHP page from outside of the public root folder? — Teemu, Sep 18 '18 at 18:34

score 1 · Accepted Answer · answered Sep 18 '18 at 18:38

1

You cannot block direct access to the file. If you restrict access to the file, as you mentioned the php file will 'break' for users who don't have access to that js file.

You could however redirect users who visit the URL to the file directly: Javascript example:

<script>
if(window.location.href.endsWith('baseView.js'))
{
    window.location = 'www.google.com'
}
</script>

You may also be able to use the .htaccess file to do this, which would be much better. (although I cannot test this myself right now, I'm not sure if it would work and not be invoked through the php file)

Note: This will in no way stop users from reading the Javascript file, so I am not sure why you want to do this.

answered Sep 18 '18 at 18:38

dustytrash

1,568
1
10
17

Thanks for your answer. As you said, this can be achieved by using .htaccess file, but my web server is IIS and I think web.config file is equivalent to .htaccess file. Is there anything that can be done in web.config to prevent direct access url of files across the project directory. – alexJoe Sep 18 '18 at 19:09
@alexJoe Are you using a program 'IIS Manager'? – dustytrash Sep 18 '18 at 19:18
yes, I do have IIS Manager installed on the server. – alexJoe Sep 18 '18 at 20:21
@alexJoe I've never used IIS, but you can do it. See the answer here: https://stackoverflow.com/questions/888325/how-to-redirect-a-url-path-in-iis#answer-888356 – dustytrash Sep 18 '18 at 20:27

Deny Direct Access to JavaScript Files in IIS Web Server

1 Answers1

Linked