How to hide users files and folders on your website?

Sometimes you want to hide some files or folders on your website, so that no one can access them directly.

If your website has an upload feature and users upload their files or images to it, you do not want other users to be able to see those files by guessing the URL.

For example: your website's upload directory is “UsersUploads” and you put all the users' files there, so one file's URL will be www.example.com/UsersUploads/File1.pdf, and another will be www.example.com/UsersUploads/File2.doc.

Now a user can guess the URL and access other users' files, especially if your file names are easy to guess.

There are two ways to prevent that:

1- You can put your “UsersUploads” folder outside the website directory. If your website exists in “c:\website\example.com”, you can put the uploads folder at “c:\UsersUploads”. That way IIS has no control over this folder and its files, and your website code still has access to the directory as a normal physical path.

2- Stop IIS from serving this folder:

By default, IIS doesn’t serve some website folders and files, such as App_Data, App_Code, bin, App_GlobalResources, App_LocalResources, Web.config, ….

You can configure IIS to stop serving additional files or folders inside your website by adding a new hidden segment.

– Select your website in IIS, and open Request Filtering.

– Go to Hidden Segments tab.

– In the right Actions panel click on “Add Hidden Segment…”.

– Enter the name of the file or folder you want to hide.

– This will edit your website web.config file and add the following:

iisConfig

Now users can’t access this folder directly by guessing the URL.

Note that you can do this manually, without IIS Manager, by editing your website's web.config file and putting the same values there.
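The hidden-segment entry that the steps above produce, written out as a complete web.config (an added example, not the original post's screenshot; it assumes the “UsersUploads” folder name from this post and a site with no other settings of its own):

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: web.config in the website root.
     "UsersUploads" is the folder name used in this post; use your own. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- Any request whose URL path contains a segment named
               UsersUploads is rejected by Request Filtering with
               HTTP 404.8, e.g. /UsersUploads/File1.pdf.
               The match is on a whole path segment, so a folder
               named UsersUploadsOld is NOT covered by this entry. -->
          <add segment="UsersUploads" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The built-in entries (bin, App_Data and the others listed above) are inherited from the server-level configuration, so this file only needs the entry being added. Once the folder is hidden, the files can only reach users through your own code, which is where a per-user ownership check belongs.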

 

I believe that there are more ways to accomplish the same thing, but these are 2 easy ways.


2 Responses to How to hide users files and folders on your website?

  1. RE: How to hide users files and folders on your website?

    Thank you for submitting this cool story – Trackback from DotNetShoutout

  2. André says:

    The most effective way is to put uploads into the ~/App_Data folder and serve them using an IHttpHandler, especially when you have no access to the IIS manager or the filesystem outside your webapp.

    André
