How to stop directory browsing of a web site but also allow default document
Question
When you attempt to visit a directory on a web server you get a 403 message, whereas its generally more desirable to get a 404 message so you're not giving a hacker a clue that a folder exists.
I thought I had found the ultimate solution to this problem - by adding this to web.config system.webServer:
<handlers>
<add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*" type="System.Web.HttpNotFoundHandler" preCondition="integratedMode" />
</handlers>
This correctly raises a 404 when you attempt to visit a directory.
However sadly it kills default document mechanism at the top level.
Can anyone suggest a variant of the above that allows default document to work but still protects sub directories.
1 answers
solution1
1 2017-12-04 20:51:08
this doesn't actually change the status codes returned but you can redirect as you like using <customErrors> :
<customErrors mode="RemoteOnly" defaultRedirect="~/redirect/error-status.aspx">
<error statusCode="403" redirect="~/redirect/access-denied.aspx" />
<error statusCode="404" redirect="~/redirect/file-not-found.aspx" />
</customErrors>
you could redirect every status code to one single page if you wanted to.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.