I have a special web page for members.

I am publishing with IIS 10 on Windows Server 2016.

Through the website, members upload their private documents to the site.

For example:

```
http://mywebpage.com/upload/xuser/a.jpg
http://mywebpage.com/upload/xuser/b.pdf
http://mywebpage.com/upload/yuser/c.pdf
http://mywebpage.com/upload/yuser/abc/d.pdf
```

I use these files in HTML tags with Classic ASP. For example:

```html
<a href='http://mywebpage.com/upload/yuser/c.pdf'>yuser transcript</a>

<h1>Profile</h1><img src='http://mywebpage.com/upload/xuser/a.jpg'/>
```

But I want these files to be accessible only by *.asp files under "http://mywebpage.com".

The possibility that users can access it by typing the link directly into the address bar annoys me very much.

For this, I have tried the following, but I still don't feel safe.

  1. Disallow all files in the /upload/ directory with robots.txt.

  2. Prevent browsing to /upload/ with web.config.

  3. Using a complex directory name and complex filenames with the user id and not the yuser: `/upload/ASDASD12djd829D2/DUJA811220.jpg`

But these are still not the solution I want. Is it possible to say that no one can read these static files except just http://mywebpage.com/*.asp pages? What path should I follow?

omerix
  • Have you considered using URL redirects? When users access your website, you can redirect them directly to .asp files under "http://mywebpage.com". For more about URL redirects, you can refer to this link: [link](https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module). – samwu Jul 15 '21 at 07:13
  • Another approach would be to only [access the files through an ASP page](https://stackoverflow.com/a/35014520/692942); that way you have complete control of what can be displayed when, rather than exposing their upload location. – user692942 Jul 15 '21 at 07:29
  • @user692942 As getfile.asp will work for me, if I call the files like this after login validation, I will get what I want. I'll see how much it weighs the server down due to hundreds of images and files. I hope it won't be too much. – omerix Jul 17 '21 at 21:46
  • Does using redirects not meet your requirements? – samwu Jul 20 '21 at 09:53
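
The approach from the comments (serve every upload through an ASP page after a login check), sketched as an added example that is not part of the original thread. It assumes the login code stores the member's folder name in `Session("UserFolder")`, that the uploads have been moved to a placeholder folder outside the IIS site root, and that the file is requested through a hypothetical query parameter `f`.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' getfile.asp: hypothetical gatekeeper page, e.g. <img src="getfile.asp?f=a.jpg">
' Assumptions: the login code sets Session("UserFolder") (e.g. "xuser") and the
' uploads live in UPLOAD_ROOT, a folder that is NOT under the IIS site root.
Const UPLOAD_ROOT = "D:\private_uploads\"   ' placeholder path
Sub Deny(status)
    Response.Status = status
    Response.End
End Sub
Dim rel, fso, userRoot, fullPath, mime, stm

' 1. Only logged-in members get any file at all.
If Session("UserFolder") = "" Then Deny "403 Forbidden"

' 2. Reject traversal and absolute paths before touching the disk.
rel = Replace(Request.QueryString("f") & "", "/", "\")
If rel = "" Or InStr(rel, "..") > 0 Or InStr(rel, ":") > 0 Or Left(rel, 1) = "\" Then Deny "400 Bad Request"

' 3. Resolve the path and confirm it is still inside this member's own folder.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
userRoot = fso.GetAbsolutePathName(UPLOAD_ROOT & Session("UserFolder")) & "\"
fullPath = fso.GetAbsolutePathName(userRoot & rel)
If StrComp(Left(fullPath, Len(userRoot)), userRoot, vbTextCompare) <> 0 Then Deny "403 Forbidden"
If Not fso.FileExists(fullPath) Then Deny "404 Not Found"

' 4. Allow-list of content types; anything else is refused.
Select Case LCase(fso.GetExtensionName(fullPath))
    Case "jpg", "jpeg": mime = "image/jpeg"
    Case "png":         mime = "image/png"
    Case "pdf":         mime = "application/pdf"
    Case Else:          Deny "403 Forbidden"
End Select

' 5. Stream the bytes in chunks; the storage location never appears in the HTML.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1            ' adTypeBinary
stm.Open
stm.LoadFromFile fullPath
Response.Clear
Response.ContentType = mime
Response.AddHeader "X-Content-Type-Options", "nosniff"
Do While Not stm.EOS
    Response.BinaryWrite stm.Read(65536)
    Response.Flush      ' keeps memory use flat for large files
Loop
stm.Close
%>
```

With the files outside the site root, no URL maps to them directly, so a link typed into the address bar only ever reaches this page and its session check. The HTML then references `getfile.asp?f=abc/d.pdf` instead of the `/upload/...` path.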
