Sunday, October 11, 2009

How to prevent certain file types from being served by IIS


How to prevent certain types of files from being served by the server (IIS)?


1)       In web.config, under the httpHandlers section (which is under the system.web section), add the following:
<add verb="*" path="*.blah" type="System.Web.HttpForbiddenHandler"/>
2)       Using the IIS management console, add a new application extension mapping for *.blah, so that IIS passes requests for that extension to ASP.NET, where the handler from step 1 rejects them:
a.       Go to the IIS control panel.
b.       Expand the website and go to the desired web app using the IIS management console, e.g. it may be located at c:\inetpub\wwwroot\MyWebApp1
c.       Go to the properties of that website.
d.       Go to the "Directory" tab.
e.       Click the "configuration" button; this should open a new dialog window.
f.       Copy the executable path (dll) for the .aspx mapping, usually located at:
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
g.       Click the "add" button to add a new mapping for our file type, e.g. *.blah
h.       Paste the dll location for the ASP.NET engine (the one that handles aspx pages).
i.       Type ".blah" (without the quotes) in the extension text area (this can be replaced with any file extension, e.g. js/html/PDF).
j.       While still in the "add/edit application extension mapping" window, click the "limit to" radio button and type "GET,HEAD,POST,DEBUG".
k.       Ensure that "script engine" is selected but "verify the file exists" is not.
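
To confirm that both steps took effect, request a file with the blocked extension and check for HTTP 403. The script below is an added example, not part of the original post; the base URL, Default.aspx and test.blah are assumed placeholders for your own site and files.

```powershell
# Added example. $BaseUrl and the file names below are assumed placeholders.
$BaseUrl = 'http://localhost/MyWebApp1'

function Get-HttpStatus {
    param([string]$Url, [string]$Method = 'GET')
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = $Method
    $req.AllowAutoRedirect = $false      # report redirects instead of following them
    $req.Timeout = 10000                 # milliseconds
    if ($Method -eq 'POST') { $req.ContentLength = 0 }
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx responses surface as WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }   # no HTTP response at all
        $resp = $ex.Response
    }
    try { [int]$resp.StatusCode } finally { $resp.Close() }
}

function Test-ExtensionBlocked {
    param([string]$Url)
    # Try the verbs from the "limit to" list (DEBUG is left out of this check).
    foreach ($verb in 'GET', 'HEAD', 'POST') {
        $status = Get-HttpStatus -Url $Url -Method $verb
        [pscustomobject]@{
            Url     = $Url
            Verb    = $verb
            Status  = $status
            Blocked = ($status -eq 403)
        }
    }
}

# Control: a page that should still be served, to show the site is reachable.
"Control status: $(Get-HttpStatus "$BaseUrl/Default.aspx")"

# A file with the blocked extension that exists in the web app folder.
Test-ExtensionBlocked "$BaseUrl/test.blah" | Format-Table -AutoSize
```

Any row where Blocked is False means that verb still receives something other than 403 for the file, so recheck the web.config entry and the extension mapping.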


