I have an ASP.NET MVC application running on Azure App Service. I want to restrict users from accessing any file in an application folder from their browser. So if they type the url with file name it should not allow them to download that file or view it. I can't get this to work in IISExpress or Azure. I've tried to put this web.config in the folder but it didn't work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I've tried to put this in the root web.config file but it didn't work:
<location path="~/content/HiddenImages">
<system.web>
<authorization>
<deny users ="*" />
</authorization>
</system.web>
</location>
I've tried to direct all IIS requests through MVC pipeline to pick up those web.config settings with this added to <system.webServer> but it didn't work:
<modules runAllManagedModulesForAllRequests="true">
I've tried these questions but they didn't work: Url access Url routing
Is there another way to restrict an application folder and its files from being accessed when the url typed into a browser?
