We have a website, with a file:
www.example.com/apis/httpapi.asp
This file is used by the site internally to make requests joining two systems on the website together (one is Classic ASP, the other ASP.net). However, we do not want the public to be able to access the file.
In IIS7.5, is there a setting I can do to make this file internal only? I've tried rewriting the URL for it but this rewrite is also applied internally so the scripts stop working as they fetch the rewritten url.
Thanks for any help!
There are a few ways ... IP Restrictions, URL Rewrite, protection within code. But the best and safest is probably to remove Read access to the file.
If you can change the file type to .inc, that will essentially block it. Another way is to put it in a read-only folder that has read access removed. Or, you can do it for the one file. The only concern with doing it for the one file is that if it's renamed in the future (someone forgets), then it won't be blocked anymore.
In IIS7.x the way to remove read access is under Handler Mappings -> Edit Feature Permissions.
You can have the ASP script itself inspect the requests it receives for the IP address (
REMOTE_ADDR) and pass through only requests made from valid internal addresses.