More on protecting static Resources with ASP.NET 2.0

I forgot to mention that there are also special directories in ASP.NET that generally cannot be browsed, e.g. App_Data and App_Code (there are more). App_Data seems to be the “designated” directory to put files that should under no circumstances be downloadable (e.g. file deployed SQL server databases).

Yesterday I showed the HttpForbiddenHandler which will emit a HTTP 403 – this leaks information, namely that the file exists but the client is not authorized to view it, better would be to generate a generic 404 (not found) status code.

Here – they suggest to use the HttpNotFoundHandler. Unfortunately this handler is internal and cannot be used by your code (at least on RC1). It is easy to write your own handler to accomplish the same task.

public class NotFoundHandler : IHttpHandler


  public bool IsReusable


    get { return true; }



  public void ProcessRequest(HttpContext context)


    throw new HttpException(404, context.Request.Path + ” not found”);



Put that e.g. in App_Code and add the following to web.config:


  <add path=*.xml verb=* type=NotFoundHandler, App_Code validate=True />


When you now try to browse a .xml file, you will get a nice generic “the resource cannot be found”.

UPDATE: HttpNotFoundHandler is internal and cannot be used from end-user code, nevetheless it can be used in config. So i was wrong.


This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s