How to hide users' files and folders on your website

Sometimes you want to hide some files or folders on your website, so that no one can access them directly.

If your website has an upload feature and users upload their files or images to it, you don't want other users to be able to see those files by guessing the URL.

For example: your website's upload directory is “UsersUploads” and you put all the users' files there, so one file's URL will be www.example.com/UsersUploads/File1.pdf and another will be www.example.com/UsersUploads/File2.doc.

Now a user can guess the URL and access other users' files, especially if your file names are easy to guess.

There are two solutions to this:

1- Put your “UsersUploads” folder outside the website directory. If your website exists at “c:\website\example.com”, you can put the folder at “c:\UsersUploads”. That way IIS has no control over this folder and its files, and your website code will still have access to the directory as a normal physical path.

2- Stop IIS from serving this folder:

By default, IIS doesn’t serve some website folders and files, such as App_Data, App_Code, bin, App_GlobalResources, App_LocalResources, Web.config, ….

You can configure IIS to stop serving more files or folders inside your website by adding a new Hidden Segment.

– Select your website in IIS, and open Request Filtering.

– Go to Hidden Segments tab.

– In the right Actions panel click on “Add Hidden Segment…”.

– Enter the name of the file or folder you want to hide.

– This will edit your website web.config file and add the following:
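The section this step produces, written out as an added example (it is not the original page's screenshot), using the “UsersUploads” folder name from above:

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- Added on top of the segments IIS already hides (bin, App_Data, ...).
               A hidden segment matches a whole path segment of the URL, so
               /UsersUploads/File1.pdf is refused (HTTP 404.8) while a path
               such as /UsersUploadsHelp.html is not affected. -->
          <add segment="UsersUploads" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering only applies to requests coming through IIS; code in the site can still read the folder from disk.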


Now users can’t access this folder directly by guessing the URL.

Note that you can do this manually, without IIS Manager, by editing your website's web.config file and putting the same values there.

 

I believe that there are more ways to accomplish the same thing, but these are two easy ways.