问题
In legacy ASP.NET applications, *.config files cannot be downloaded by navigating to the URL. But the new convention is to use appsettings.json. Now, if I have a ASP.NET Core website called contoso.com and it's served by IIS from a directory called C:\inetpub\websites\contoso.com, and there is a file located at C:\inetpub\websites\contoso.com\appsettings.json... Is IIS smart enough to know not to serve this file over HTTP if someone navigates to https://contoso.com/appsettings.json?
回答1:
Files are normally served from the "wwwroot" folder. The appsettings.json file is safe as long as you haven't configured C:\inetpub\websites\contoso.com\ to be your app's web root. By default, static files are found in C:\inetpub\websites\contoso.com\wwwroot\. I recommend this excellent doc: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files
By the way, unless configured otherwise, IIS doesn't even check the filesystem. It is actually ASP.NET Core that is going to ensure files are only served from the "wwwroot" folder. A typical ASP.NET Core website in IIS is actually running as a separate web server which IIS reverse proxies to via the ASP.NET Core Module. This means all requests are handled by ASP.NET Core. To serve static files, you have to use the static files middleware, which is available in the Microsoft.AspNetCore.StaticFiles package.
来源:https://stackoverflow.com/questions/43403337/is-appsettings-json-protected-by-iis