ASP.NET Core Shared Folder Security

TL;DR

Razor view files under the Pages/Shared folder of an ASP.NET Core project are not served as static content by default: the static file middleware serves only the web root (wwwroot), and .cshtml files are compiled into the application assembly. The folder becomes reachable only through misconfiguration, typically a static file provider or web root pointed at the project directory, directory browsing, or a reverse proxy serving the project directory itself. This guide explains how to check for that and keep the folder private.

Solution Guide

  1. Understand the Default Behaviour
    • ASP.NET Core serves static content only from the web root (wwwroot by default) through app.UseStaticFiles(). Razor Pages live under Pages/, which is part of the content root, not the web root.
    • The .cshtml files in Pages/Shared (layouts, partials, _ViewImports) are compiled into the application and have no routes of their own, so a request such as /Pages/Shared/_Layout.cshtml is a 404 on a correctly configured app. They become reachable only when the content root is served as static files (a custom FileProvider, a WebRootPath pointed at the project directory, directory browsing) or when a reverse proxy in front of Kestrel serves the project directory directly.
  2. Option 1: Check Static File and Routing Configuration (Recommended)

    The best approach is to make sure nothing in the pipeline serves or routes to files under Pages/Shared.

    • Razor Pages builds routes from the Pages folder structure, but only for files that start with the @page directive; files whose names begin with an underscore (the convention for layouts and partials) are never pages, and nothing under Pages/Shared gets a route.
    • Review Program.cs (or Startup.cs in older templates). Look at every app.UseStaticFiles(...) and app.UseDirectoryBrowser(...) call: a StaticFileOptions whose FileProvider is rooted at builder.Environment.ContentRootPath, or a WebApplicationOptions/UseWebRoot that points the web root at the project directory, exposes Pages/, appsettings.json and the rest of the source tree.
    • Then check the endpoint mappings (app.MapRazorPages(), app.MapControllers(), app.MapFallbackToFile(...), or the older app.UseRouting() / app.UseEndpoints(...) pair) for catch-all or file-serving routes you did not intend.
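    As an added example (not code from the original page), here is a Program.cs that keeps the safe default and refuses to start if the web root has been pointed at, or above, the content root. The commented-out lines show the two misconfigurations from the list above; the startup guard and the PublicDocs folder are my additions, and the code assumes the Web SDK's implicit usings.

```csharp
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);

// MISCONFIGURATION 1 (do not do this): makes the project directory the web root,
// so /Pages/Shared/_Layout.cshtml and /appsettings.json become downloadable.
// var builder = WebApplication.CreateBuilder(new WebApplicationOptions
// {
//     Args = args,
//     WebRootPath = "."   // or the content root path
// });

builder.Services.AddRazorPages();

var app = builder.Build();

// Startup guard (added check; the framework itself does not prevent this):
// fail fast if the web root is the content root or an ancestor of it.
var pathComparison = OperatingSystem.IsWindows()
    ? StringComparison.OrdinalIgnoreCase
    : StringComparison.Ordinal;
var contentRoot = Path.GetFullPath(app.Environment.ContentRootPath)
    .TrimEnd(Path.DirectorySeparatorChar);
var webRoot = string.IsNullOrEmpty(app.Environment.WebRootPath)
    ? null
    : Path.GetFullPath(app.Environment.WebRootPath).TrimEnd(Path.DirectorySeparatorChar);

if (webRoot is not null &&
    (string.Equals(webRoot, contentRoot, pathComparison) ||
     contentRoot.StartsWith(webRoot + Path.DirectorySeparatorChar, pathComparison)))
{
    throw new InvalidOperationException(
        $"Web root '{webRoot}' must be a subdirectory of the content root '{contentRoot}', " +
        "otherwise Pages/ and appsettings.json are served as static files.");
}

// Safe default: UseStaticFiles() with no options serves only the web root (wwwroot).
app.UseStaticFiles();

// MISCONFIGURATION 2 (do not do this): a second static-file middleware rooted at the
// content root, usually added to "serve a few extra files", exposes the whole source tree.
// app.UseStaticFiles(new StaticFileOptions
// {
//     FileProvider = new PhysicalFileProvider(app.Environment.ContentRootPath)
// });

// If extra files really must be published, root the provider at a dedicated directory
// that contains nothing else and mount it under its own request path.
var publicDocs = Path.Combine(app.Environment.ContentRootPath, "PublicDocs"); // hypothetical folder
if (Directory.Exists(publicDocs))
{
    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(publicDocs),
        RequestPath = "/docs",
        ServeUnknownFileTypes = false // default: extensions without a content type (e.g. .cshtml) are refused
    });
}

app.MapRazorPages();
app.Run();
```

    The guard runs once at startup, so a bad WebRootPath in a deployment script or environment variable is caught before the first request rather than discovered by a scanner. Note that the guard does not cover a reverse proxy that serves the project directory on its own; that case is handled under Option 4.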
  3. Option 2: Use Authentication/Authorisation

    Partials and layouts in Pages/Shared are never rendered on their own; they are pulled in by a page or controller action. So if content that reaches the browser through Pages/Shared must be restricted, protect the page or action that renders it.

    • Add the [Authorize] attribute (namespace Microsoft.AspNetCore.Authorization) to any controller action or Razor PageModel that renders the shared view.
      [Authorize]
      public IActionResult MyPage()
      {
          // Render the view; it may pull in layouts and partials from the Shared folder.
          return View();
      }
    • Configure authentication in Program.cs (or Startup.cs). This typically means a cookie-based or token-based scheme, registered as the default scheme so that [Authorize] knows which one to challenge with, plus the two middleware calls in the right order (the CookieAuthenticationDefaults type is in Microsoft.AspNetCore.Authentication.Cookies).
      builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
          .AddCookie(options => options.LoginPath = "/Identity/Account/Login");
      // after builder.Build(), between UseRouting() and the endpoint mappings:
      app.UseAuthentication();
      app.UseAuthorization();
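    As an added example (not the page's own code), the full wiring that the attribute relies on in one file: a hardened cookie scheme, a deny-by-default fallback policy, the middleware in the required order, and two PageModels showing that the page, not the partial, is the unit of authorisation. The /Account/Login and /Account/Denied paths, the Finance role, the Reports page and the class names are placeholders; in a real project the PageModels would live in their own .cshtml.cs files whose @model directives reference them.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";          // hypothetical login page
        options.AccessDeniedPath = "/Account/Denied";  // hypothetical 403 page
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.SlidingExpiration = true;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint requires an authenticated user unless it
    // carries [AllowAnonymous]. Static files from wwwroot are served before
    // UseAuthorization and are unaffected, so keep only genuinely public assets there.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddRazorPages();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must precede UseAuthorization, which must precede the endpoints
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Pages/Reports/Index.cshtml.cs (hypothetical page whose view uses a partial from
// Pages/Shared). The partial is only ever rendered through a page like this one,
// so this attribute is what actually gates the shared markup.
[Authorize(Roles = "Finance")]
public class ReportsIndexModel : PageModel
{
    public string ReportTitle { get; private set; } = "";

    public void OnGet() => ReportTitle = $"Report for {User.Identity?.Name}";
}

// Pages/Account/Login.cshtml.cs: the login page must opt out of the fallback
// policy, otherwise unauthenticated users are redirected to it in a loop.
[AllowAnonymous]
public class LoginModel : PageModel
{
    public void OnGet() { }
}
```

    The fallback policy is the important line: with it, forgetting [Authorize] on a new page fails closed (redirect to login) instead of open. Pages that must be public are marked explicitly with [AllowAnonymous], which is a far shorter list to review.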
  4. Option 3: Move Sensitive Files

    If the files are downloadable assets (reports, exports, uploads) rather than Razor views, they do not belong in Pages/Shared at all. Keep them outside wwwroot, and preferably outside the deployed application directory, so that no static file middleware or proxy can ever reach them.

    • Store them in a dedicated directory on the server whose file system permissions give the application identity read access only.
    • Serve them through a controller action that performs the checks the static file middleware would not (authentication, per-user authorisation, a file name confined to that directory, an extension allowlist) before streaming the content.
      [Authorize]
      public IActionResult DownloadFile()
      {
          string filePath = "/secure_location/my_file.pdf";   // outside wwwroot
          // Perform security checks here (e.g. is this user allowed this file?)...
          var stream = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read);
          return File(stream, "application/pdf", "my_file.pdf");   // the FileStreamResult disposes the stream
      }
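    As an added example (not the page's code), a controller that fills in the "Perform security checks here" comment for the common case where the file name comes from the request: the name is confined to a single directory, traversal is rejected both syntactically and after path resolution, the extension is allowlisted, and the content type is derived from the extension rather than taken from the client. The Downloads:Root configuration key is hypothetical, and the controller assumes app.MapControllers() is in the pipeline.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

[Authorize]
[ApiController]
[Route("downloads")]
public class DownloadsController : ControllerBase
{
    // Only these extensions may be served from the download directory.
    private static readonly HashSet<string> AllowedExtensions =
        new(StringComparer.OrdinalIgnoreCase) { ".pdf", ".csv", ".txt" };

    private static readonly FileExtensionContentTypeProvider ContentTypes = new();

    private readonly string _root;

    public DownloadsController(IConfiguration config)
    {
        // Hypothetical key, e.g. "Downloads:Root": "/var/lib/myapp/secure_location".
        // Must be outside wwwroot and ideally outside the deployed app directory.
        var configured = config["Downloads:Root"]
            ?? throw new InvalidOperationException("Downloads:Root is not configured");
        _root = Path.GetFullPath(configured).TrimEnd(Path.DirectorySeparatorChar);
    }

    [HttpGet("{name}")]
    public IActionResult Get(string name)
    {
        // 1. The route value must be a bare file name: not empty, no "..", no separators.
        //    Path.GetFileName strips anything before a '/' or '\', so inequality means
        //    the caller supplied a directory component.
        if (string.IsNullOrWhiteSpace(name) || name != Path.GetFileName(name) || name.Contains(".."))
            return NotFound();

        // 2. Allowlist the extension before touching the file system.
        if (!AllowedExtensions.Contains(Path.GetExtension(name)))
            return NotFound();

        // 3. Resolve and re-check containment (defence in depth against encodings the
        //    first check did not anticipate): the final path must stay under _root.
        var full = Path.GetFullPath(Path.Combine(_root, name));
        if (!full.StartsWith(_root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return NotFound();

        // 4. Existence check last, and answer 404 in every failure case so a probe
        //    cannot distinguish "missing" from "forbidden".
        if (!System.IO.File.Exists(full))
            return NotFound();

        // 5. Content type from the extension, never from the request.
        if (!ContentTypes.TryGetContentType(full, out var contentType))
            contentType = "application/octet-stream";

        // PhysicalFile streams the file and sets Content-Disposition: attachment.
        return PhysicalFile(full, contentType, fileDownloadName: name);
    }
}
```

    A per-user ownership check (does this caller own this file?) would go between steps 2 and 3 and is omitted only because the data model is not known here. If the directory can contain symbolic links created by others, resolve them (FileInfo.LinkTarget / ResolveLinkTarget) and run the containment check on the target as well, because PhysicalFile follows links.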
  5. Option 4: Web Server Configuration (Advanced)

    If IIS or a reverse proxy sits in front of Kestrel, deny requests for the Pages/ folder there as well, so that a future application misconfiguration is caught by a second layer.

    • This requires familiarity with the server's configuration files, and it only matters when the server's document root is (or could become) the project or publish directory; Kestrel itself never serves Pages/.
    • In IIS, add Pages as a hidden segment under system.webServer/security/requestFiltering in web.config, or add a URL Rewrite rule that aborts requests matching ^Pages/; in Nginx or Apache, a location or Directory block that denies /Pages/ does the same.
  6. Testing

    After implementing any of these solutions, test that the files are no longer reachable directly from a browser, and repeat the test whenever the static file or routing configuration changes.

    • Request a file by its direct URL (e.g., https://yourdomain.com/Pages/Shared/_Layout.cshtml, and the same path in upper case on a Windows host). A 404 Not Found or 403 Forbidden means the protection is working; a 302 to the login page means a route matched and should be investigated; a 200 with Razor markup (@page, @model) in the body means the folder is exposed. Check /appsettings.json the same way, since whatever exposes Pages/ usually exposes it too.
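    As an added example (not from the original page), the same checks as an xUnit integration test using Microsoft.AspNetCore.Mvc.Testing, so they run in CI against the real pipeline rather than against a deployed host. It assumes the test project references the web project and the xunit and Microsoft.AspNetCore.Mvc.Testing packages, that Program.cs ends with `public partial class Program { }` so the factory can see the entry point, and that wwwroot/css/site.css exists as in the default template.

```csharp
using System.Net;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Hosts the application in-process on TestServer; no deployed instance needed.
public class SharedFolderExposureTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly HttpClient _client;

    public SharedFolderExposureTests(WebApplicationFactory<Program> factory)
    {
        // Do not follow redirects: a 302 to the login page means a route matched,
        // which is not the 404/403 expected for a non-existent resource.
        _client = factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false
        });
    }

    [Theory]
    [InlineData("/Pages/Shared/_Layout.cshtml")]
    [InlineData("/Pages/Shared/_ValidationScriptsPartial.cshtml")]
    [InlineData("/Pages/_ViewImports.cshtml")]
    [InlineData("/Pages/Index.cshtml")]
    [InlineData("/appsettings.json")]
    [InlineData("/appsettings.Development.json")]
    [InlineData("/Program.cs")]
    [InlineData("/Pages/")]                      // directory browsing must be off
    [InlineData("/PAGES/SHARED/_LAYOUT.CSHTML")] // case-insensitive file systems
    public async Task ProjectFilesAreNotServed(string path)
    {
        var response = await _client.GetAsync(path);

        Assert.True(
            response.StatusCode is HttpStatusCode.NotFound or HttpStatusCode.Forbidden,
            $"{path} returned {(int)response.StatusCode}");

        // Even an error page must not leak Razor directives or configuration.
        var body = await response.Content.ReadAsStringAsync();
        Assert.DoesNotContain("@page", body);
        Assert.DoesNotContain("@model", body);
        Assert.DoesNotContain("ConnectionStrings", body);
    }

    // Positive control: a genuine wwwroot asset is served, proving the host is up
    // and the 404s above are not just a dead test server.
    [Fact]
    public async Task WebRootAssetIsServed()
    {
        var response = await _client.GetAsync("/css/site.css");
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }
}
```

    Add a case for every new static file provider or fallback route the project gains; the test is cheap and turns the manual browser check above into something that fails the build when someone later points a FileProvider at the content root.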