How To Protect Static Files In ASP.NET Web Forms With The Help Of HTTP Handle

I’ll start by explaining the problem I had when using web forms (ASPX).

My old web application was created in and put online using IIS 10. We have static files (PDF, JS, CSS, JSON, and all forms of pictures (jpg, png, BMP, etc.)) that are located in a subfolder on the website called data, for example, at When a person who is not authenticated accesses those files


e.g. or

Without requiring identification, the files will be shown. In other words, only authenticated users should have access to the pages.


The Default Behavior of IIS Requests for static content are handled by the IIS web server by default, but requests for ASP.NET resources are routed to the ASP.NET runtime. As a result, requests for static content are fulfilled regardless of the URL authorization guidelines specified in the setup of the ASP.NET application.

We don’t want this behavior because it could allow unauthorized people to view private information (if they know the direct URL). All it would take is for one of the site’s users to unintentionally post a direct link to the image on his blog or website, at which point search engines would find it and the image would become public knowledge.

What I want to know is how to have the ASP.NET engine handle requests for the static files in the data folder so that ASP.NET can authenticate the request and users can’t get files they aren’t supposed to have by deep linking to them.

There are other options, such as setting runAllManagedModulesForAllRequests=”true,” but nothing seems to work when I try to research this issue online. despite the fact that IIS is running my application in integrated mode.

I then learned about HTTPHandler. The Microsoft definition of HTTP Handler is provided below.

The ASP.NET architecture is fundamentally incomplete without HTTP modules and HTTP handlers. Each request is processed by various HTTP modules (such as the authentication module and the session module) while it is being processed, and each request is then processed by a single HTTP handler. The request flows back through the HTTP modules after being handled by the handler.

The ASP.NET web application server uses HTTPHandlers to handle particular requests based on extensions. In response to a request sent to the ASP.NET website, HTTPHandlers execute as processes. The System is implemented by this class.


  1. Create a class file — it could be FileProtectionHandler.cs
  2. Let FileProtectionHandler class inherit from IhttpHandler Interface.
  3. In FileProtectionHandler class, implement all the methods which are found in IhttpHandler Interface.

When a request is received, it first determines whether it is authorized or not; if not, it directs the user to the login page; otherwise, the requested file is sent according to the file extension.


using System;
using System.IO;
using System.Web;
namespace Example.UI {
    public class FileProtectionHandler: IHttpHandler {
        /// <summary>
        /// You will need to configure this handler in the Web.config file of your
        /// web and register it with IIS before being able to use it. For more information
        /// see the following link:
        /// </summary>
        #region IHttpHandler Members
        public bool IsReusable {
            // Return false in case your Managed Handler cannot be reused for another request.
            // Usually this would be false in case you have some state information preserved per request.
            get {
                return true;
        public void ProcessRequest(HttpContext context) {
            //write your handler implementation here.
            if (!context.User.Identity.IsAuthenticated) {
            } else {
                string requestedFile = context.Server.MapPath(context.Request.FilePath);
                SendContentTypeAndFile(context, requestedFile);
        private HttpContext SendContentTypeAndFile(HttpContext context, string strFile) {
            context.Response.ContentType = GetContentType(strFile);
            return context;
        private string GetContentType(string fileName) {
            string res = null;
            FileInfo fileInfo = new FileInfo(fileName);
            if (fileInfo.Exists) {
                switch (fileInfo.Extension.Remove(0, 1).ToLower()) {
                    case "pdf": {
                        res = "application/pdf";
                    case "gif": {
                        res = "image/gif";
            return res;


The next step is to register the HTTP handler in the Web.config file. Based on your IIS version, it should be added as a child of <system.web> or <system.webServer>. Refer here to register

  <add path="*.gif" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.png" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.jpg" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.js" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.svg" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.bmp" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.json" verb="*" type="MyProject.FileProtectionHandler" validate="false" />
  <add path="*.css" verb="*" type="MyProject.FileProtectionHandler" validate="false" />



That’s all. Now HTTP Handler is ready




Submit a Comment

Your email address will not be published. Required fields are marked *


Select Categories