✅ Prevent unauthorized access to WEB API folders and files within the folder.
In my .NET 6 Web API project, I have an UploadFiles folder where user-uploaded files are stored. Currently, anyone who knows the folder path or file URL can directly access the files in the browser, since static file middleware serves them without authentication or authorization.
I want to restrict access so that only authenticated users (or users with a signed/secure link) can download these files. Middleware like UseAuthentication and UseAuthorization doesn’t protect static file requests by default.
29 Replies
You'll need to drop static files for that path in favor of a controller.
@TeBeCo @jcotton42 I went through that process, but the problem is I'm using a static file path in Program.cs. I have to restrict that so only logged-in users can access it. I can't remove this file path.

My whole project is deployed on .NET 6; I can't upgrade to newer versions. I tried to verify the token before accessing resources, but at the time of login the token is not provided and it always checks, since it is in Program.cs, so it is not going through.
Static files in ASP.NET Core
Learn how to serve and secure static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.
You can authorize access with UseStaticFiles too.
Wdym can’t upgrade? It’s not getting security patches anymore.
Authorize By?
If authorizing with a token, the token is not always provided (at the time of login). If authorizing by IP, it is available for the public to use.
Authorize by whatever you want
I'll try and come back.
How is this?

It can verify the domain name. I'm allowing only client domain names.
If anyone comes with a fake domain name, it will not be allowed; it will give 401.
You're extracting the referer header, which may or may not be set at all.
That's "where was this linked from", and you can easily spoof or override this value.
Is it possible that a request will be sent without setting the header?
How is this possible?
Because I can make requests using curl, postman or similar tools
where I can manually set headers to whatever I want them to be
A "normal" user won't be spoofing or overriding these, but a malicious user 100% will be
yes, you can send an HTTP request without the referrer header, it's an optional header
Best option would be having API tokens, you can't spoof that with editing headers
It is all about when the frontend is interacting with the backend. I want to fix this issue when someone communicates with the API without the frontend.
For example, this is my URL: http://localhost:9661/uploadFiles/sample.pdf. Anyone can access this file just by hitting the backend.
After referring to this document, I understood that I have to disable serving static files publicly from the IIS server, if I'm not wrong.
Yes
This is not possible to fully stop
I'll check incoming requests at the IIS server level only. If it is coming through the controller I will allow it, else I'll send 401. And I'll handle all file upload and fetch via the controller only.
Such protections are very easy to bypass
Just use a token or some other form of auth
Just to be clear, there is no way to fully limit a backend to only work/accept when called from a specific frontend. The frontend just does normal HTTP requests that can ALWAYS be spoofed or recreated.
there is no way to auth the frontend itself either, you auth the user.
Basically on account creation you give the user a token, and on requests check if a certain token should have access to certain content
As of now, I've added a folder rule in IIS Server for testing purposes.
last time i needed this i just used a custom controller to serve static files from a specific endpoint and used regular auth to control access
Do you have any sample code?
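Added example, not posted by any participant in this thread: the "custom controller instead of static files" approach that the replies converge on, written for .NET 6. It assumes an authentication scheme (for example JWT bearer) is already registered in Program.cs, that the UploadFiles folder sits under the content root rather than wwwroot, and that the UseStaticFiles mapping for that folder has been removed (otherwise the middleware still serves the files without any check). The route and controller names are illustrative.

```csharp
// Added example (not from the original thread): serve user uploads through an
// authorized controller so every download passes UseAuthentication/UseAuthorization.
// Assumptions: .NET 6, an auth scheme already configured, UploadFiles is NOT mapped
// by UseStaticFiles, and the folder lives under ContentRootPath (outside wwwroot).
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

[ApiController]
[Route("api/files")]          // hypothetical route; pick whatever fits the project
[Authorize]                   // unauthenticated callers get 401 before any file I/O
public class UploadFilesController : ControllerBase
{
    private static readonly FileExtensionContentTypeProvider ContentTypes = new();
    private readonly string _root;

    public UploadFilesController(IWebHostEnvironment env)
    {
        // Resolve the upload root once; GetFullPath normalises separators and "..".
        _root = Path.GetFullPath(Path.Combine(env.ContentRootPath, "UploadFiles"));
    }

    // GET /api/files/sample.pdf  (requires a valid bearer token / auth cookie)
    [HttpGet("{fileName}")]
    public IActionResult Download(string fileName)
    {
        // Accept only a bare file name: no directory separators, no "." or "..".
        if (string.IsNullOrWhiteSpace(fileName)
            || fileName != Path.GetFileName(fileName)
            || fileName is "." or "..")
        {
            return BadRequest();
        }

        var fullPath = Path.GetFullPath(Path.Combine(_root, fileName));

        // Defence in depth: the resolved path must still be inside the upload root,
        // so a crafted name can never reach files elsewhere on the server.
        if (!fullPath.StartsWith(_root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return BadRequest();

        // Fully qualified because ControllerBase.File(...) shadows System.IO.File.
        if (!System.IO.File.Exists(fullPath))
            return NotFound();

        if (!ContentTypes.TryGetContentType(fullPath, out var contentType))
            contentType = "application/octet-stream";

        // PhysicalFile streams the file and sets Content-Disposition for the download.
        return PhysicalFile(fullPath, contentType, fileDownloadName: fileName);
    }
}
```

With this in place the frontend requests /api/files/sample.pdf with its usual Authorization header instead of hitting /uploadFiles/sample.pdf directly; a request made from curl or Postman without a valid token is rejected by the authorization middleware, which is the check the Referer-based approach discussed above could not provide. If the old /uploadFiles path is left mapped in Program.cs, the static file middleware will keep serving it, so removing that mapping is part of the fix.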