Denying access to view XML, XSL Files


XML is a standard format that many sites use for managing content: the data is stored in XML, and XSL and other stylesheets are used to display it.

XML files can be browsed just like a standard web page, and the browser renders the XML.

However, if we want to prevent users from viewing our XML format and data by browsing directly to the XML file, we can use HTTP handlers.

HTTP handlers give us the flexibility to control how different extensions are rendered and to deny access to them.

To deny access to an XML or other static file, follow these steps:

1. Add the following line to your web.config file, inside the <httpHandlers> section within the <system.web> and </system.web> tags.

<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>

2. In IIS, right-click your virtual directory and then click Properties.

3. Click the Configuration button.

4. There will be a list of extensions and their executable paths.

5. Click "Add", and in the dialog box that opens, browse to %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll in the "Executable" box.

6. Enter the extension, i.e. .xml for XML files, in the "Extension" textbox.

7. Under "Verbs", select the "Limit to" radio button and enter "GET,HEAD,POST,DEBUG".

8. Click "Ok", then click "Apply" and then "Ok" two times.

9. Now if you try to browse the XML file within that application, you will get a "This type of page is not served" error.

10. The same can be accomplished at the system level by adding the Handlers in the machine.config's http handler section. That will apply for all the applications running on that system.

11. This method is useful when we want to restrict access for certain static files like the above example.
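To check that a web.config really denies the extensions you care about, the handler entries from step 1 can be audited offline. The following is an added example, not code from the original post: the names `audit` and `load_handlers` and the sample config are constructed for illustration. It assumes that when several entries match a request the one added last wins, and it reads a single file without merging inherited machine.config entries.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "system.web.httpforbiddenhandler"
VERBS = ("GET", "HEAD", "POST")  # verbs checked for each extension

# Constructed sample: .xml denied for every verb, .xsl only for GET, .config not listed.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>
      <add verb="GET" path="*.xsl" type="System.Web.HttpForbiddenHandler, System.Web"/>
    </httpHandlers>
  </system.web>
</configuration>"""

def load_handlers(config_text):
    """Return the (verbs, path, type) entries left after <clear>/<remove>, in file order."""
    entries = []
    section = ET.fromstring(config_text).find("system.web/httpHandlers")
    for el in (section if section is not None else []):
        verb, path = el.get("verb", ""), el.get("path", "").lower()
        if el.tag == "clear":
            entries = []
        elif el.tag == "remove":
            entries = [e for e in entries if (e[0], e[1]) != (verb, path)]
        elif el.tag == "add":
            type_name = el.get("type", "").split(",")[0].strip().lower()
            entries.append((verb, path, type_name))
    return entries

def verb_matches(spec, verb):
    return spec.strip() == "*" or verb in [v.strip().upper() for v in spec.split(",")]

def audit(config_text, extensions):
    """Map each extension to the verbs NOT answered by HttpForbiddenHandler."""
    entries = load_handlers(config_text)
    report = {}
    for ext in extensions:
        probe = "probe" + ext.lower()  # hypothetical file name used for pattern matching
        exposed = []
        for verb in VERBS:
            # Assumption: when several entries match, the one added last wins.
            hit = next((e for e in reversed(entries)
                        if verb_matches(e[0], verb) and fnmatch.fnmatch(probe, e[1])), None)
            if hit is None or hit[2] != FORBIDDEN:
                exposed.append(verb)
        report[ext] = exposed
    return report
```

An empty list for an extension means every checked verb is mapped to the forbidden handler. The audit covers only the web.config side; the IIS extension mapping from steps 2 to 8 still has to route the extension to ASP.NET for the handler to run.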

Comments are welcome.

posted on Monday, April 25, 2005 7:39 AM

Comments on this post

# re: Denying access to view XML, XSL Files

Quite inspiring,
Fantastic to block unwanted static files!

Thanks for bringing this up
Left by software development company on Oct 01, 2009 2:07 AM

# re: Denying access to view XML, XSL Files

This is interesting. Does this mean you can eavesdrop on the conversations of people? If indeed we can, then this is scary. - Marla Ahlgrimm

Left by Marla Ahlgrimm on Mar 13, 2012 8:54 AM

# re: Denying access to view XML, XSL Files

I tried to use this same way to deny my xsl file, but after the update the xsl style does not apply to the web pages. Please help me how can I all in my code level.
Left by Ram on May 01, 2014 1:02 AM
