In this article, let’s have a look at two middlewares: one for enabling directory browsing, the other for combining the functionality of three middlewares into a single one.
Directory Browser Middleware
Generally, directory browsing should be disabled on web applications. It should be part of server hardening. Server hardening is the process of enabling or disabling server features to make web servers more secure.
The security team generally provides a checklist of all the activities/tasks which should be performed in order to harden the server. One of the tasks is to disable directory browsing. Still, directory browsing might sometimes be desired on development machines.
In .NET Framework applications, there used to be a setting in web.config to enable or disable directory browsing. In .NET Core (or .NET, as it is called now), it can be enabled via a middleware.
Enable directory browsing in two steps:
- AddDirectoryBrowser in Startup.ConfigureServices.
- UseDirectoryBrowser in Startup.Configure.
Create an ASP.NET Core web application (MVC) using Visual Studio. Then modify the Startup class as shown in the snapshot below.
Next, when the application is executed, it shows a directory browser instead of rendering the home/index view.
Use File Server
We have seen three different middlewares in recent posts:
- UseStaticFiles, to serve static files
- UseDefaultFiles, to enable serving default documents when no resource is specified in the URL
- UseDirectoryBrowser, to enable browsing the directory
There is one middleware which combines the functionality of these three middlewares: UseFileServer.
- If this method is called without any parameters, it enables the default files and static files middleware functionality.
- Optionally, pass the parameter enableDirectoryBrowsing: true to also enable directory browsing.
Like StaticFileOptions, this file server middleware takes FileServerOptions as a parameter. It can be used to set additional options for configuring the static file middleware.
Security Consideration
The static files middleware, and especially the directory browser middleware, help serve static files. They can serve anything which is inside the web root directory (by default, the web root is the wwwroot directory, {content-root}/wwwroot).
If you keep any sensitive files (like files containing key settings, passwords or secrets) in such a folder, those files would also be served by these middlewares. Hence, when these middlewares are enabled, a security review should be performed to ensure that they are not leaking any important information.
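The two-step setup and the UseFileServer call described above, combined with the hardening advice, as an added example (not code from the original post): directory listings are switched on only when the app runs in the Development environment. It assumes the classic Startup-class MVC template the article uses; the routing lines are the template defaults.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IWebHostEnvironment _env;

    // The host injects the environment so ConfigureServices can use it too.
    public Startup(IWebHostEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Step 1: register the directory browser services, but only on
        // development machines (assumption: listings are never wanted elsewhere).
        if (_env.IsDevelopment())
        {
            services.AddDirectoryBrowser();
        }
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Step 2: UseFileServer combines UseDefaultFiles and UseStaticFiles,
        // and adds UseDirectoryBrowser only when the flag is true.
        // Outside Development the flag is false: files under wwwroot are
        // still served when requested by exact path, but folder contents
        // are no longer listed. Secrets must stay out of wwwroot either way.
        app.UseFileServer(enableDirectoryBrowsing: env.IsDevelopment());

        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```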
I hope you find this information useful. Let me know your thoughts.