We are serving up files for our own application for download from web servers, including IIS. One such file has the .config
extension. Turns out that IIS won't serve this because it thinks it's a config file of its own. I'm thinking of using just .configuration
instead. Will this be OK? Is there a list of 'forbidden' extensions for serving from IIS?
IIS – Which file extensions are always going to be OK with IIS
configuration iis web-server
Best Answer
Yes, there is a list of extensions to block, called Request Filtering. You can run:
appcmd list config -section:system.webServer/security/requestFiltering
and you will see something like: ... ...
On my Windows 7 machine the list includes:
.asa, .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs,
.csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj,
.java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype,
.lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd,
.adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco
Note that you can also within your application specify more extensions or allow other extensions that might not otherwise be allowed by using a web.config inside your folder.
Warning: do not do this, since .config files could include sensitive information.
For example, if you drop a web.config inside your application with the following contents it will let users download .config files:
For more info see: http://www.iis.net/configReference/system.webServer/security/requestFiltering
Finally, if you are going to use some random extension, you need to make sure that IIS also knows what MIME type to use and knows the extension that you will use if you want to allow static file downloads, and that needs to be inside the staticContent section (appcmd list config -section:system.webServer/staticContent). You can also configure this inside web.config just as above.
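As an added example (not part of the original answer and not IIS's own code), the Python sketch below merges a constructed server-level snippet with a constructed site web.config and reports whether a static file with a given extension would be refused by request filtering (HTTP 404.7), refused for lack of a MIME map (404.3), or served. The function names and both sample configs are assumptions, and the merge ignores location tags and section locking.

```python
import xml.etree.ElementTree as ET

# Constructed server-level sample (a small subset of what appcmd prints).
SERVER_CONFIG = """<configuration><system.webServer>
  <security><requestFiltering><fileExtensions allowUnlisted="true">
    <add fileExtension=".config" allowed="false" />
    <add fileExtension=".cs" allowed="false" />
  </fileExtensions></requestFiltering></security>
  <staticContent><mimeMap fileExtension=".txt" mimeType="text/plain" /></staticContent>
</system.webServer></configuration>"""

# Constructed site web.config: maps the renamed extension, keeps .config blocked.
SITE_CONFIG = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".configuration" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""

def apply_collection(parent, table, add_tag, value_of):
    """Apply <clear/>, <remove/> and add-style elements in document order."""
    for el in parent:
        ext = (el.get("fileExtension") or "").lower()
        if el.tag == "clear":
            table.clear()
        elif el.tag == "remove":
            table.pop(ext, None)
        elif el.tag == add_tag:
            table[ext] = value_of(el)

def effective_settings(*configs):
    """Merge configs in order (server level first, then site level)."""
    rules, mime, allow_unlisted = {}, {}, True
    for text in configs:
        root = ET.fromstring(text)
        fe = root.find("system.webServer/security/requestFiltering/fileExtensions")
        if fe is not None:
            allow_unlisted = fe.get("allowUnlisted", str(allow_unlisted)).lower() == "true"
            apply_collection(fe, rules, "add",
                             lambda e: e.get("allowed", "true").lower() == "true")
        sc = root.find("system.webServer/staticContent")
        if sc is not None:
            apply_collection(sc, mime, "mimeMap", lambda e: e.get("mimeType"))
    return rules, allow_unlisted, mime

def static_file_verdict(ext, *configs):
    """Return the expected outcome for a static file with this extension."""
    rules, allow_unlisted, mime = effective_settings(*configs)
    ext = ext.lower()
    if not rules.get(ext, allow_unlisted):   # explicit rule wins, else allowUnlisted
        return "404.7 blocked by request filtering"
    if ext not in mime:                      # static file handler needs a MIME map
        return "404.3 no MIME map"
    return "served as " + mime[ext]
```

Calling static_file_verdict(".configuration", SERVER_CONFIG) without the site config shows the 404.3 case that the MIME map fixes.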