I have a project where I am currently serving static files from a .NET Core Web API wwwroot folder. It's using the app.UseStaticFiles() command in startup.cs and it works perfectly fine for serving our SPA front end. However, we have a requirement where we need one controller call open to the internet, while the rest are locked down by IP address. The one thing that I can't seem to figure out is how to prevent the Web API from serving the static files in the wwwroot folder to the internet, as those should only be for internal use.
I know there's already built-in middleware to lock controllers down by IP address, and there are plenty of ways to make my own, but I need to specifically prevent the front-end SPA in the wwwroot folder from being seen by the internet while having only a few controller calls accessible to the internet.
Is there a way to do this?
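
One way to approach this, as an added example that is not part of the original post: register the static-file middleware only for requests from internal addresses by wrapping `UseStaticFiles()` in `UseWhen`, so external clients never reach wwwroot. The address ranges and the names `InternalStaticFilesExtensions`, `IsInternal` and `UseInternalOnlyStaticFiles` are assumptions for illustration.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;

public static class InternalStaticFilesExtensions
{
    // Assumed internal ranges (RFC 1918 plus loopback); replace with your own networks.
    private static readonly (IPAddress Network, int PrefixLength)[] InternalNetworks =
    {
        (IPAddress.Parse("10.0.0.0"), 8),
        (IPAddress.Parse("172.16.0.0"), 12),
        (IPAddress.Parse("192.168.0.0"), 16),
        (IPAddress.Parse("127.0.0.0"), 8),
        (IPAddress.IPv6Loopback, 128),
    };

    public static bool IsInternal(IPAddress remote)
    {
        if (remote == null) return false;                  // unknown peer: fail closed
        // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; normalise first.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        byte[] addr = remote.GetAddressBytes();
        foreach (var (network, prefixLength) in InternalNetworks)
        {
            byte[] net = network.GetAddressBytes();
            if (net.Length != addr.Length) continue;       // IPv4 vs IPv6 mismatch
            if (PrefixMatches(addr, net, prefixLength)) return true;
        }
        return false;
    }

    // Compares the first `bits` bits of the address against the network prefix.
    private static bool PrefixMatches(byte[] addr, byte[] net, int bits)
    {
        int fullBytes = bits / 8, rest = bits % 8;
        for (int i = 0; i < fullBytes; i++)
            if (addr[i] != net[i]) return false;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    // Call in Startup.Configure in place of app.UseStaticFiles().
    // External requests skip the branch and continue to routing, where no file is served.
    public static IApplicationBuilder UseInternalOnlyStaticFiles(this IApplicationBuilder app) =>
        app.UseWhen(
            ctx => IsInternal(ctx.Connection.RemoteIpAddress),
            branch => branch.UseStaticFiles());
}
```

Behind a reverse proxy or load balancer, `RemoteIpAddress` is the proxy's address unless the forwarded-headers middleware is configured with known proxies, so the check must run on the real client address. Any SPA fallback that returns index.html for unmatched routes needs the same condition, or it will still expose the front end.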