Is it possible to have IIS (6 or 7.5) return a 404 Not Found
(instead of 403 Forbidden
) when a disallowed directory listing is requested?
A security scanning service I use thinks the 403 is revealing something "potentially sensitive", when in fact it's just not a valid URL. My workaround is to drop a default.aspx
into each directory that returns an empty 404 page, but there has to be a better way…
Best Answer
Sure. Configure a custom error message for 403.14 to run a simple ASP page that returns a 404 response code. 403.14 is the Status and subcode used for 'Directory listing denied'.