Yesterday I was asked to make a web page which provided the ability to download files, which weren’t served directly (by passing the file URL to the client) but were sent by reading the file on the server and sending the output. However, I realised that the files could still be accessed by an unauthenticated user by typing in the file’s direct URL. Most solutions to this that I found required remote access to the server (which I don’t have) or adding URL rewrite rules (the URL rewrite module wasn’t installed). So I needed a solution I could implement in a web.config, and I came across the following:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- Requests whose URL contains this path segment are rejected -->
          <add segment="dir_to_protect" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Works like a charm! The file download code still works (since it’s just reading the files directly), and any attempt to access the files via their URLs returns a 404.
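As an added example (not code from the original post), this Python check models how the hiddenSegments rule above classifies request URLs: it matches whole path segments, so a similarly named sibling directory is not covered. The sample URLs, the `/download` handler path and the case-insensitive comparison are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the post's web.config, typed with plain ASCII quotes.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="dir_to_protect" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed request URLs; /download is a hypothetical handler path.
SAMPLE_URLS = [
    "/dir_to_protect/report.pdf",
    "/DIR_TO_PROTECT/report.pdf",
    "/files/dir_to_protect/report.pdf",
    "/dir_to_protect_old/report.pdf",
    "/download?file=report.pdf",
]

def hidden_segments(config_xml):
    """Return the segment names under <hiddenSegments>, lower-cased."""
    root = ET.fromstring(config_xml)  # malformed XML raises ET.ParseError
    found = set()
    for block in root.iter("hiddenSegments"):
        for add in block.findall("add"):
            if add.get("segment"):
                found.add(add.get("segment").lower())
    return found

def is_hidden(url, segments):
    """True when any whole path segment matches a hidden segment.
    Assumption: matching is case-insensitive and ignores the query string."""
    parts = urlsplit(url).path.split("/")
    return any(part.lower() in segments for part in parts if part)

def audit(config_xml, urls):
    """Map each URL to True (filtered, 404) or False (still served)."""
    segments = hidden_segments(config_xml)
    return {url: is_hidden(url, segments) for url in urls}

if __name__ == "__main__":
    for url, hidden in audit(WEB_CONFIG, SAMPLE_URLS).items():
        print("404   " if hidden else "served", url)
```

Any file that must stay private has to live under the listed directory itself; the `dir_to_protect_old` case shows that a renamed or backup copy next to it is still served.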