Protect non-Kentico folder

Celero Solutions asked on September 4, 2014 17:24

Hi, We need to place a folder within a Kentico site folder that contains html files. A link to the files will be placed on a secure page within Kentico. Is there anyway to protect those pages if a user attempts to access the files directly should they know the URL? i.e.

Recent Answers

Charles Matvchuk answered on September 4, 2014 17:37

Yes, put a web.config file in that directory and set your authorizations accordingly.

You could just also import the files into Kentico and that way you control all the security from within Kentico.

0 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on September 4, 2014 20:49

I'd agree with Charles, although I'd steer away from the standard web.config simply because it involves a bit extra work if something changes. With the media library you can control security from the UI using the roles and such without having to gain access to the file system.

0 votesVote for this answer Mark as a Correct answer

Celero Solutions answered on September 10, 2014 23:37

Hi, I created a media library called Manuals and added the folder and all the folders, html files, images files to the media library. Then on the security tab I selected "Nobody" for all the options. I created a link to one of the HTML files from the media library on a content page called "Details". I then started a browser sesseion by logging in as a different user. I logged in as person who was not a member of that role that was applied to the "Details" page.(the site uses windows auth) I then entered the URL that was used in that link directly in the address of the browser and was able to get to the html page. i.e. I expected since "Nobody" was set in the security that I wouldn't be able to get to it if this in fact protects the files. Or am I doing something wrong?

0 votesVote for this answer Mark as a Correct answer

Martin Danko answered on October 17, 2014 15:44


This isn't correct. You are setting the permissions for the Users that are accessing the file via Administration interface of the application. As the files are stored physically on the file system of your server, it's possible to access them also directly via URL, that's the reason why Media library is by default accessing the files via GUID and not using permanent path. The access to physical files could be restricted on the IIS side via web.config file, e.g.:

How to block access with a web.config file?

Best regards, Martin

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.