Protect files from direct access by url on iis server and MVC APP with identity

Question

i have MVC app with identity authentication this site business is playing video which edited by ffmpeg .

  <video id="videojs-hls-quality-selector-player" class="video-js vjs-default-skin" width="640" height="360" controls>
    <source src="video\index.m3u8" type="application/x-mpegURL">
</video>

i want to prevent direct access from browser to this link , unless user has session https://localhost/vide/index.m3u8

i tired this code for config file

<system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>

but i still be able to access the file and not able to aceess folder

ex:-

https://localhost/video/index.m3u8 

accessible

    https://localhost/video

Not accessible !

i tried this link , but still not get it how to deny user to access sub folders and file?

Answer 1

You can try to use the Request Filtering module in IIS, you can use the hidden segments:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="index.m3u8"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

When request filtering blocks an HTTP request because of a hidden URL segment, IIS will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied.

When you access https://localhost/video/index.m3u8, you will get HTTP Error 404.8 - Not Found.

For more information, please refer to the following documents：

https://learn.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering

https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/hiddensegments/