Community
Select to view content in your preferred language

IIS configuration to forbid access to "private files"

989
1
Jump to solution
02-05-2014 11:16 PM
J_B__K_
by
Deactivated User
‎02-05-2014 11:16 PM
Hi!

Kind of newbie with web server, so be patient:) Using Viewer for Flex on IIS 8 I´m stuck on this issue - how to "forbid" users to view configuration files? I mean - my viewer for flex is available on www.myserver/com/app , calling index.html from www.myserver.com/app/index.html and so on. If user is "curious", he can view my config.xml on www.myserver.com/app/config.xml - how to disable it? I would like him to see just index.html and not to be able to see other files (but the app still has to work!). Is it possible? How?

Thank you!
Tags (2)
0 Kudos
1 Solution

Accepted Solutions
BjornSvensson
by Esri Regular Contributor
Esri Regular Contributor
‎02-07-2014 03:23 PM
...how to "forbid" users to view configuration files? ... Is it possible?


No, not using IIS configuration. 

For user to be able to use an application (which is based on a config), then that config will have to be accessible by that application.  Technically, you could probably make it work by "hiding" the config file behind a proxy file or web application that would check the referrer of the application.

But even then, they could run the application in the browser and look at the web traffic using any of the built-in debugger tools of modern browser and still see the content of the config file.

View solution in original post

0 Kudos
1 Reply
BjornSvensson
by Esri Regular Contributor
Esri Regular Contributor
‎02-07-2014 03:23 PM
...how to "forbid" users to view configuration files? ... Is it possible?


No, not using IIS configuration. 

For user to be able to use an application (which is based on a config), then that config will have to be accessible by that application.  Technically, you could probably make it work by "hiding" the config file behind a proxy file or web application that would check the referrer of the application.

But even then, they could run the application in the browser and look at the web traffic using any of the built-in debugger tools of modern browser and still see the content of the config file.
0 Kudos