Jun 22, 2010 02:47 AM|brendan.hill
I'm trying to secure my web application so XML files it contains can't be downloaded. I thought it would be as simple as adding these to the "httpHandlers" section of web.config:
<remove verb="*" path="*.xml"/>
<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>
This failed - the XML files could still be downloaded easily. I tried different browsers in case they were caching, but everything could download the XML files without any trouble. I thought this might be due to some special handling of XML, so I tried mocking up an alternative based on ".txt123" files. I added this file with some dummy content:
Confirmed it could be downloaded without any trouble. It downloads as a file, rather than displays as a webpage (presumably as there's no meaningful content-type associated with it). Then I added this to my httpHandlers section:
<add verb="*" path="*.txt123" type="System.Web.HttpForbiddenHandler"/>
Lo and behold - it made no difference. I could still download blahblah.txt123 without any trouble, and from multiple browsers (so no caching involved).
I've tried full refreshes, fully recompiling code, restarting IIS throughout all of these steps and it makes no difference.
I know that I'm using the correct web.config, since other changes I make (e.g. adding system.web.extensions/scripting/webServices/jsonSerialization node) take effect.
What could I be doing wrong? I can't help feeling the httpHandlers section just fails miserably, or I'm missing something terribly obvious.