preCharge Forums - View Single Post - Can a user browsing my web site read my web.config or Global.asax files?

Nazir · 08-03-2006

No. The <HTTPHANDLERS>section of Machine.config, which holds the master configuration settings for ASP.NET, contains entries that map ASAX files, CONFIG files, and selected other file types to an HTTP handler named HttpForbiddenHandler, which fails attempts to retrieve the associated file. You can modify it by editing Machine.config or including an section in a local Web.config file.

Here are the relevant statements in Machine.config:
<add verb="*" path="*.asax" type="System.Web.HttpForbiddenHandler, ... />
<add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler, ... />

08-03-2006	#2 (permalink)
Nazir Member Join Date: Jul 2006 Age: 48 Posts: 45	Re: Can a user browsing my web site read my web.config or Global.asax files? No. The <HTTPHANDLERS>section of Machine.config, which holds the master configuration settings for ASP.NET, contains entries that map ASAX files, CONFIG files, and selected other file types to an HTTP handler named HttpForbiddenHandler, which fails attempts to retrieve the associated file. You can modify it by editing Machine.config or including an section in a local Web.config file. Here are the relevant statements in Machine.config: <add verb="" path=".asax" type="System.Web.HttpForbiddenHandler, ... /> <add verb="" path=".config" type="System.Web.HttpForbiddenHandler, ... />