prevent web.config from users RRS feed

  • Question

  • User-208135067 posted

    recently migrated asp.net 1.1 to asp.net 4.0 website.  during dev testing (on iis 5.1), can see the contents of web.config by typing the url: localhost/web.config....but under authorization tag in web.config, i added deny verbs="web.config" users="*" but still no use, can see the web.config by using the same url: localhost/web.config... i tried deny verbs="*.config" still the same result.

    but in another dev machine that has iis7, the same site shows "request filtering is configured to deny a path in url that contains hiddensegment section" message if type the localhost/web.config url.

    website is public website, users can view the pages without login, so we provided windows authentication instead of forms authentication.

    how to prevent users from viewing the web.config? also do you think of any security configuration that needs to added in web.config for a public website that uses windows authentication.

    Monday, October 10, 2011 11:10 AM


  • User818889995 posted


    Just wanted to check if you tried setting fileExtensions. This is available under "<requestFiltering>".



    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 10, 2011 11:30 AM