Preventing user from downloading your config.xml files using HttpForbiddenHandler in asp.net

So you have some config.xml files (other than web.config) and you want to give atleast "read" permisson to ASPNET/anonymous user. The downsize of giving "read" permisson is that now user can download your file directly from the browser i.e. lets say your file name is "websettings.xml" user can type http://yourserver/yoursite/yourfolder/websettings.xml and they will be able to download this file -

You can prevent this by using "System.Web.HttpForbiddenHandler" You can add an entry in your web.config file to prevent user from downloading this file.


<httphandlers>
<add verb="*"
path="yourfolder/websettings.xml" type="System.Web.HttpForbiddenHandler, System.Web" validate="true"/>
</httphandlers><>


All we are saying here is if there is any request coming for websettings.xml send this request to
HttpForbiddenHandler class which in turn will send "forbidden" HTTP status code to the browser.


Thanks Rahul for reminding me about this HttpForbiddenHandler in our last conversation.