C#•4mo ago

✅ Prevent unauthorized access to WEB API folders and files within the folder.

In my .NET 6 Web API project, I have an UploadFiles folder where user-uploaded files are stored. Currently, anyone who knows the folder path or file URL can directly access the files in the browser, since static file middleware serves them without authentication or authorization.

I want to restrict access so that only authenticated users (or users with a signed/secure link) can download these files. Middleware like UseAuthentication and UseAuthorization doesn’t protect static file requests by default.

jcotton42•9/1/25, 4:02 AM

You'll need to drop static files for that path in favor of a controller.

Jjcotton42 You'll need to drop static files for that path in favor of a controller.

TeBeCo•9/1/25, 4:39 AM

mapstaticfile added authorization in net9 in case that's suitable here

SSpirit Flying In my .NET 6 Web API project, I have an UploadFiles folder where user-uploaded f...

TeBeCo•9/1/25, 4:39 AM

nothing is protected by default until you tell the app it's protected

TeBeCo•9/1/25, 4:39 AM

the fact that you're using net6.0 is why you're struggling

TeBeCo•9/1/25, 4:40 AM

this has been addressed in modern versions

Spirit FlyingOP•9/1/25, 5:07 AM

@TeBeCo @jcotton42 I gone through that process but problem is I'm using static file path in Program.cs I've to restrict that, only logged in users can access this . I can't remove this file path.

TeBeCo•9/1/25, 5:12 AM

as i said, you need to update to net9

TeBeCo•9/1/25, 5:13 AM

and replace UseStaticFile with MapStaticFiles

TeBeCo•9/1/25, 5:13 AM

net6 is out of support

TeBeCo•9/1/25, 5:14 AM

else you have to do like JCotton said, create your own controller that read all file one by one + authorization <=== really not recommended in the long run

TeBeCo•9/1/25, 5:14 AM

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/map-static-files?view=aspnetcore-9.0

Map static files in ASP.NET Core

Learn how to serve and secure mapped static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.

TeBeCo•9/1/25, 5:14 AM

Spirit FlyingOP•9/1/25, 5:17 AM

My whole project is deployed on .NET 6 I can't upgrade to newer versions. I tired to verify with token before accessing resources, but while login toke is not provided and it always chech hence it is in Program.cs. so it is not going.

Angius•9/1/25, 5:18 AM

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-9.0#static-file-authorization

Static files in ASP.NET Core

Learn how to serve and secure static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.

Angius•9/1/25, 5:18 AM

You can authorize access with

UseStaticFiles

UseStaticFiles

too

SSpirit Flying My whole project is deployed on .NET 6 I can't upgrade to newer versions. I tire...

TeBeCo•9/1/25, 5:18 AM

this wont change net6 died 1 year ago

SSpirit Flying My whole project is deployed on .NET 6 I can't upgrade to newer versions. I tire...

jcotton42•9/1/25, 5:20 AM

Wdym can’t upgrade? It’s not getting security patches anymore.

AAngius https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=asp...

Spirit FlyingOP•9/1/25, 5:21 AM

Authorize By?
If authorizing with Token, token is not always provided (time of login). If authorize by IP. It is available to use for public.

Angius•9/1/25, 5:21 AM

Authorize by whatever you want

Spirit FlyingOP•9/1/25, 5:22 AM

I'll try and come back.

Spirit FlyingOP•9/1/25, 6:57 AM

How is this?

Spirit FlyingOP•9/1/25, 6:58 AM

It can verify domain name. I'm allowing only client domain names.

Spirit FlyingOP•9/1/25, 7:01 AM

If anyone comes with fake domain name. So, it will not allowed. it will give 401.

Pobiega•9/1/25, 7:47 AM

You're extracting the referer header, which may or may not be set at all.

Pobiega•9/1/25, 7:48 AM

Thats "where was this linked from", and you can easily spoof or override this value.

PPobiega You're extracting the referer header, which may or may not be set at all.

Spirit FlyingOP•9/1/25, 8:21 AM

Is it possible without setting header request will send?

PPobiega Thats "where was this linked from", and you can easily spoof or override this va...

Spirit FlyingOP•9/1/25, 8:22 AM

How this is possible.

Pobiega•9/1/25, 8:51 AM

Because I can make requests using curl, postman or similar tools

Pobiega•9/1/25, 8:51 AM

where I can manually set headers to whatever I want them to be

Pobiega•9/1/25, 8:51 AM

A "normal" user won't be spoofing or overriding these, but a malicious user 100% will be

SSpirit Flying Is it possible without setting header request will send?

Pobiega•9/1/25, 8:52 AM

yes, you can send a http request without the referrer header, its an optional header

Mąż Zuzanny Harmider Szczęście•9/1/25, 12:37 PM

Best option would be having API tokens, you can't spoof that with editing headers

TeBeCo•9/1/25, 1:26 PM

yeah a

Referer

Referer

check is potentially useless against ... any tool that is not a browser from a non-tech person

TeBeCo•9/1/25, 1:27 PM

which mean that anyone trying to access the data is ... techniical, and any of their attempt would bypass that check

Spirit FlyingOP•9/2/25, 3:47 AM

It is all about when frontend is ineracting with backend. I want to fix this issue when someone communicate with API without frontend.

Spirit FlyingOP•9/2/25, 3:50 AM

for example this is my URL, http://localhost:9661/uploadFiles/sample.pdf anyone can access this file just by hitting backend.

AAngius https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=asp...

Spirit FlyingOP•9/2/25, 4:09 AM

After referring this document I understood that I've to disable server stsic files publically from IIS server. If I'm not wrong.

Pobiega•9/2/25, 5:32 AM

Yes

SSpirit Flying It is all about when frontend is ineracting with backend. I want to fix this iss...

Pobiega•9/2/25, 5:33 AM

This is not possible to fully stop

Spirit FlyingOP•9/2/25, 5:58 AM

I'll check coming request at IIS server level only. If it is coming through Controller I will allow it else I'll send 401. And I'll handle all the file upload and fetch via controller only.

SSpirit Flying for example this is my URL, http://localhost:9661/uploadFiles/sample.pdf anyone ...

Mąż Zuzanny Harmider Szczęście•9/2/25, 6:20 AM

Such protections are very easy to bypass

Mąż Zuzanny Harmider Szczęście•9/2/25, 6:20 AM

Just use a token or some other form of auth

Pobiega•9/2/25, 6:22 AM

Just to be clear, there is no way to fully limit a backend to only work/accept when called from a specific frontend. The frontend just does normal HTTP requests that can ALWAYS be spoofed or recreated.

Pobiega•9/2/25, 6:22 AM

there is no way to auth the fronend itself either, you auth the user.

Mąż Zuzanny Harmider Szczęście•9/2/25, 6:34 AM

Basically on account creation you give the user a token, and on requests check if a certain token should have access to certain content

Spirit FlyingOP•9/2/25, 10:06 AM

As of now added folder rule in IIS Server for testing purpose.