1

I am using ASP.NET Core 3.1 and trying to make appsettings.json inaccessible from the browser, i.e. when I type https://myapp/appsettings.json, it shows the contents of appsettings. I want to hide or block it in the browser.

My solution explorer looks like this:

MyDeliveryWebSite

  • Properties
  • APIControllers
  • Models
  • Views
  • appsettings.json
  • Programs.cs
  • Startup.cs

My URL is: https://mydeliveryapp.cloudappp.net/appsettings.json. The output is the complete appsettings file content, which I need to hide or block in the browser. I already tried many things. I am not sure if I am missing something.

I expect that the appsettings.json file should not be exposed publicly in the browser.

3
  • Did you just use app.UseStaticFiles() in Startup? Commented Feb 1, 2023 at 9:04
  • Is your appsettings.json within Views? Commented Feb 1, 2023 at 9:08
  • Are you calling appsettings.json within your controller? Other than that, it shouldn't be exposed automatically. Please share more details. Commented Feb 1, 2023 at 9:17

2 Answers

0

One workaround with a huge limitation is to use a web.config file, which does not get added as the first file when it is a clean publish, so app settings get exposed. I think the best way is to disable Directory Browsing altogether in IIS.

Add this web.config file to root of the app.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <directoryBrowse enabled="false" />
    </system.webServer>
</configuration>

-1

I have deployed ASP.Net Core 3.1 sample Application and tried to access the appsettings.json on the browser.

I am getting the below error.


  • The appsettings.json file has to be under site/wwwroot directory.

Deployed App Structure :


I have placed appsettings.json in the local wwwroot folder and published the app again.

Now, when I tried to access it with the below URL, I was able to see the appsettings.json file.

NOTE : Make sure your appsettings.json file is in the root directory in local and site/wwwroot directory in Azure App Service.

If the appsettings.json is under the local wwwroot, and you deploy the app, the appsettings.json will be available under the site/wwwroot/wwwroot folder.

That is the reason appsettings.json is accessible in the browser.


I want to make it hide or block on the browser.

Delete the appsettings.json file which is under site/wwwroot/wwwroot directory.

OR

In Local, delete the appsettings.json file which is in wwwroot directory and Publish the app again.

1 Comment

I had no appsettings files in wwwroot to delete, and the appsettings file was still visible through the browser.
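
A Startup.cs sketch for ASP.NET Core 3.1 that addresses the exposure discussed in this thread, added here as an example and not code from the question or either answer. The thread never shows the asker's Startup.cs, so the commented-out weak setting and the guard middleware are assumptions about one typical cause (static files served from the content root instead of wwwroot).

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Defence in depth: return 404 for any request whose last path segment is
        // appsettings.json or appsettings.<Environment>.json, before any later
        // middleware (static files included) can serve it.
        app.Use(async (context, next) =>
        {
            var fileName = Path.GetFileName(context.Request.Path.Value ?? string.Empty);
            if (fileName.StartsWith("appsettings", StringComparison.OrdinalIgnoreCase) &&
                fileName.EndsWith(".json", StringComparison.OrdinalIgnoreCase))
            {
                context.Response.StatusCode = StatusCodes.Status404NotFound;
                return; // short-circuit: nothing downstream runs
            }
            await next();
        });

        // WEAK (assumed misconfiguration, shown for comparison only): a file provider
        // rooted at the content root serves every file deployed beside the DLLs,
        // appsettings.json included, even when wwwroot contains no such file:
        //   app.UseStaticFiles(new StaticFileOptions {
        //       FileProvider = new PhysicalFileProvider(env.ContentRootPath) });

        // CORRECTED: the parameterless overload serves only env.WebRootPath (wwwroot),
        // so an appsettings.json kept in the project root is not reachable by URL.
        app.UseStaticFiles();

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

After publishing, requesting /appsettings.json should return 404, and the published output should contain no appsettings*.json under any wwwroot folder.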
