
Conditions: .Net MVC 5 project template.

Idea: Block access to the files in all folders besides content/scripts, using only the project root web.config.

Solutions I found, but am not satisfied with:

  1. Hide every folder by adding a structure like this to web.config:

    <location path="Upload">
        <system.web>
            <authorization>
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    

This does not suit, because there might/would be different folder names, and you should always change it for every project based on this template or new folder added.

  2. Using this block:

    <security>
        <requestFiltering>
            <hiddenSegments applyToWebDAV="true">
                <add segment="Upload"/>
            </hiddenSegments>
        </requestFiltering>
    </security>
    

This does not suit, because there might/would be different folder names, and you should always change it for every project based on this template or new folder added. Also, it does not block by folder, it blocks by URL, so if you have routing with e.g. /api/upload/movie/ to any controller, it will be blocked.

So, are there any solutions to block the files in all folders, besides some I'm 100% sure are safe?

1 Answer


Could negated IIS URL rewrite rules work? You could create a rule that checks if the path is "content" or "scripts", then set the negate attribute to true and set the action to "AbortRequest". That would terminate any request to the server that matches any path other than the paths you specify.

Check out the "Creating an access block rule" from here and this answer.

You might try something like this:

    <rule name="Deny all folder access" stopProcessing="true">
        <match url="^(content|scripts|whatever)\/.*$" negate="true" />
        <action type="AbortRequest" />
    </rule>

Keep in mind that this regex will block anything that isn't in content or scripts. Like the root directory, any files in the root directory (like /favicon.ico), all your pages under root (like /contact-us), and so on. It's technically an answer to your question but you'll need to fiddle with that regex to make it more useful.

Matt Wanchap
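One way to narrow the negated rule from the answer so that it only fires for requests that map to a physical file, which leaves MVC routes such as /api/upload/movie/ alone. This is an added example, not part of the original question or answer; the `IsFile` condition, the rule name and the `favicon.ico` allow-list entry are assumptions about what a project based on this template needs.

```xml
<!-- Added example, not from the original answer.
     Place inside <system.webServer> of the root web.config.
     Requires the IIS URL Rewrite module to be installed. -->
<rewrite>
  <rules>
    <rule name="Deny physical files outside allowed folders" stopProcessing="true">
      <!-- URL Rewrite matches against the path without its leading slash.
           negate="true" makes the rule apply to every path that is NOT
           under content/ or scripts/ and is not favicon.ico.
           The allow-list entries are assumptions; adjust them per project. -->
      <match url="^(content/|scripts/|favicon\.ico$)" ignoreCase="true" negate="true" />
      <conditions logicalGrouping="MatchAll">
        <!-- Fire only when the request resolves to a file on disk.
             Routed URLs (controllers, bundles, the site root) have no
             backing file, so they fall through to MVC untouched. -->
        <add input="{REQUEST_FILENAME}" matchType="IsFile" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>
```

Because the rule is an allow-list, a folder added later (for example a new upload directory) is denied without any further web.config change. `AbortRequest` drops the connection; `<action type="CustomResponse" statusCode="404" />` is the alternative if clients should get a normal 404 instead.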