Restrict browsing an XML file using web.config

Question

I have an application where I have an XML file which holds the connection string. When hit the URL with the exact file name it opens the file in the browser that is natural.

Now I need to restrict this file browsing and I can not change that code to do any redirect or anything else.

What I have tried is using denyurlsequences in the security tag in the web.config but it restricts the application too to access the file and that makes the application stop working.

I am using .NET Framework 2.0

Answer 1

The ".xml" file extension is not supported by ASP.NET pipeline that is why you cannot add it to web.config and restrict it. What you can do is to copy the xml file in the "App_Data" folder of your application.

The purpose of this folder is to hide it files from browsers/users and also is build for this type of data.

To create "App_Data" folder if it already does not exist :

Right click on your project -> Add ASP.NET Folder -> App_Data

Or just add a folder and call it App_Data

Answer 2

I know its old question but this answer may be helpful for others. I did below configurations on IIS 8.5 ( make sure Request Filtering is installed on IIS.)

1. Open IIS and click on your application virtual directory.
2. In features View, Click on Request Filtering and then go to Hidden Segments tab - this tab will contain list of hidden files or folders. (like web.config, APP_data folder etc...)
3. Add file or folder you want to hide from the browsing by click on add hidden segment and mention file/folder name you want to hide and test it.

In our application we have a master xml file stored in an application folder, to deny browsing this xml file I had added the folder name in hidden segments and it worked.