如何在Web.Config中禁用目录浏览

Question

I have a WebSite and I woud like Deny Directory Browser from a web.config file .

Here the code I'm using placed in the ROOT. Does not work. I'm testing it Locally so with URL LIKE http://localhost:3214/ I can still browser the directory fro CMS.

• What I'm doing wrong?
• Should it work even on Local Machine?

Thanks for your support!

<configuration>
  <location path="Cms">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

Some resource:

http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-browsing-with-iis7-web-config.aspx

http://www.expta.com/2008/03/configuring-virtual-directories-with.html

Answer 1

First: not everything works in a <location> block.

I cannot find a positive statement that <system.webServer> isn't supported in a <location> , but I cannot find any cases where it is suggested that it is allowed. Evidence for this is in the (global) machine.config where the system.webserver section is defined to use the IgnoreSection handler: ie. it isn't processed by the standard System.Configuration implementation, and it is that standard implementation of config handling that provides support for <location> .

Try adding a web.config into the Cms folder with the directoryBrowse element to confirm that browsing is blocked.

Answer 2

Gibbok, nothing is wrong here, Don't panic :)

Assuming that you are browsing your website from the built-in server inside Visual Studio, This is typically a normal case.

I'm pretty sure that if you moved to IIS with the above code, Directory browsing will behave just like what you want it to be.

Give it a try and host this website in IIS, and let us know what happened, Thanks.

Answer 3

the <directoryBrowse> directive controls the listing of the directory via the http protocol only: http://msdn.microsoft.com/en-us/library/ms691327%28v=vs.90%29.aspx

It will not have any effect on code, trying to access the directory from within any other (or even your own) application.

@Edit: after the edit and if I get you right - I think, what you mean by Deny Directory Browser is the intended functionality: show the contents of the dir within a specified path using the browser. And yes, it probably will not work in the local development server. Try it on IIs!

Answer 4

I was trying the same code. What you have is in fact correct. Here is the reference .

Of course it wasn't working for me and I couldn't figure out why, until I read Richard's post and remembered that someone put a web.config file in that directory. That file overrides the behavior in the main web.config file. In the sub directory web.config the directoryBrowse option was explicitly turned on (as well as a LOT of other handlers, yikes!). Delete that file and what you have above works for me. It actually passes the request along to the next handler, which is exactly what I wanted.

I'm using IIS 7 on my local machine.