Directory Browser And File Server Middlewares In .NET Web Apps

In this article, let's look at two middlewares: one enables directory browsing, and the other combines the functionality of three middlewares into a single one.

Directory Browser Middleware

Generally, directory browsing should be disabled in web applications as part of server hardening. Server hardening is the process of enabling or disabling server features to make web servers more secure.

The security team generally provides a checklist of all the activities and tasks that must be performed to harden the server. One of those tasks is to disable directory browsing. Still, directory browsing is sometimes desired on development machines.

In .NET Framework applications, there was a setting in web.config to enable or disable directory browsing. In .NET Core (or .NET, as it is called now), it is enabled via a middleware.

Directory browsing can be enabled in two steps:

Create an ASP.NET Core web application (MVC) using Visual Studio. Then modify the Startup class as shown below.

    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;

    // Create an ASP.NET Core Web Application (MVC)
    // Configure AddDirectoryBrowser and UseDirectoryBrowser as shown below
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Register the services the directory browser middleware depends on
            services.AddDirectoryBrowser();
            services.AddControllersWithViews();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();

            // Add the directory browser middleware to the pipeline
            // (it lists the contents of the web root)
            app.UseDirectoryBrowser();

            app.UseRouting();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }

Next, when the application is run, it shows a directory browser instead of rendering the Home/Index view.

ASP .NET Core Web App with Directory Browsing Enabled

Use File Server

We have seen three different middlewares in recent posts:

  • UseStaticFiles, to serve static files
  • UseDefaultFiles, to enable serving default documents when no resource is specified in URL
  • UseDirectoryBrowser, to enable browsing the directory

One middleware combines the functionality of these three: UseFileServer.

  • If this method is called without any parameters, it enables the functionality of the default files and static files middlewares.
  • Optionally, pass the parameter enableDirectoryBrowsing: true to also enable directory browsing.

Just as the static file middleware takes StaticFileOptions, the file server middleware takes FileServerOptions as a parameter. It can be used to set additional options for configuring the static file middleware.

    using System.IO;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.FileProviders;
    using Microsoft.Extensions.Hosting;

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Required because UseFileServer is called with enableDirectoryBrowsing: true
            services.AddDirectoryBrowser();
            services.AddControllersWithViews();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();

            /* ==============================================================
             * Three middlewares to be combined together in single middleware
             * ==============================================================
             * app.UseDefaultFiles();
             * app.UseStaticFiles();
             * app.UseDirectoryBrowser();
             */
            app.UseFileServer(enableDirectoryBrowsing: true);

            /* ==============================================================
             * Pass FileServerOptions to UseFileServer
             * ==============================================================
             * string imagesFolderPath = Path.Combine(env.ContentRootPath, "Images");
             * app.UseFileServer(new FileServerOptions()
             * {
             *     FileProvider = new PhysicalFileProvider(imagesFolderPath),
             *     RequestPath = "/images",
             * });
             */

            app.UseRouting();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
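The following is an added example, not code from the original article: it shows the weak setting a hardening checklist would flag next to a configuration that keeps listings off for the web root and allows them only for one folder, and only in the Development environment. It reuses the Images folder and /images request path from the commented FileServerOptions snippet above and assumes that folder exists under the content root.

```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.FileProviders;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Needed whenever directory browsing may be switched on.
        services.AddDirectoryBrowser();
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Weak setting: listings for the whole web root in every environment.
        // app.UseFileServer(enableDirectoryBrowsing: true);

        // Web root: default documents and static files only, no listings.
        app.UseFileServer();

        // Listings limited to one folder, and only on development machines.
        // Assumes {content-root}/Images exists.
        string imagesFolderPath = Path.Combine(env.ContentRootPath, "Images");
        app.UseFileServer(new FileServerOptions
        {
            FileProvider = new PhysicalFileProvider(imagesFolderPath),
            RequestPath = "/images",
            EnableDefaultFiles = false,
            EnableDirectoryBrowsing = env.IsDevelopment()
        });

        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```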

Security Consideration

The static files middleware, and especially the directory browser middleware, help serve static files. They serve anything inside the web root directory (by default, the web root is the wwwroot directory, {content-root}/wwwroot).

If you keep any sensitive files (such as files containing key settings, passwords, or secrets) in such a folder, those files would also be served by these middlewares. Hence, when these middlewares are enabled, a security review should be performed to ensure that they are not leaking any important information.
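One way to automate part of that review, as an added example that is not from the original article: a helper that walks the web root and reports files whose names suggest settings, keys, or backups. WebRootAudit, its method names, and the name patterns are all assumptions made for illustration, not an ASP.NET Core API.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical helper: flags sensitive-looking files inside the served folder.
public static class WebRootAudit
{
    // Assumed patterns; align them with the team's hardening checklist.
    private static readonly string[] RiskyExtensions =
        { ".config", ".env", ".pfx", ".key", ".pem", ".bak", ".sql", ".log" };
    private static readonly string[] RiskyNamePrefixes =
        { "appsettings", "secrets" };

    // Returns paths relative to webRoot, sorted, for every risky-looking file.
    public static IReadOnlyList<string> FindRiskyFiles(string webRoot)
    {
        if (string.IsNullOrEmpty(webRoot) || !Directory.Exists(webRoot))
            return Array.Empty<string>();

        return Directory
            .EnumerateFiles(webRoot, "*", SearchOption.AllDirectories)
            .Where(IsRisky)
            .Select(path => Path.GetRelativePath(webRoot, path))
            .OrderBy(path => path, StringComparer.OrdinalIgnoreCase)
            .ToList();
    }

    // Throws so that the application fails at startup instead of serving the files.
    public static void ThrowIfRisky(string webRoot)
    {
        IReadOnlyList<string> hits = FindRiskyFiles(webRoot);
        if (hits.Count > 0)
            throw new InvalidOperationException(
                "Sensitive-looking files under web root: " + string.Join(", ", hits));
    }

    private static bool IsRisky(string path)
    {
        string name = Path.GetFileName(path);
        string extension = Path.GetExtension(name);
        return RiskyExtensions.Contains(extension, StringComparer.OrdinalIgnoreCase)
            || RiskyNamePrefixes.Any(prefix =>
                   name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase));
    }
}
```

Call WebRootAudit.ThrowIfRisky(env.WebRootPath) at the top of Configure, before UseStaticFiles or UseFileServer, so a stray settings file stops the deployment instead of being served.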

I hope you find this information useful. Let me know your thoughts.
