My website is allowing the web.config file to be downloaded. However, in my C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config file I have this line:
<add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
Which should mean any config file can't be downloaded.
What am I missing?
It's not really a solution but more of a workaround: I ended up setting the file to "hidden" in Windows and encrypting the web.config... just in case.
By setting it to hidden, the web server does not serve it up, but it can still be used by the ASP.NET application to run.
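
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it requests web.config from a site you administer and reports whether the configuration body actually comes back. The function names, the verdict labels and the URL in the usage comment are assumptions made for this example.

```python
"""Check whether a site you administer serves its web.config to HTTP clients."""
import urllib.error
import urllib.request

# A real ASP.NET config body contains this root element; a custom error page
# that happens to return HTTP 200 does not.
CONFIG_MARKER = b"<configuration"


def fetch(url, timeout=5):
    """Return (status, first 64 KiB of body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def classify(status, body):
    """EXPOSED: config content returned. SUSPECT: 200 without config content
    (look at it by hand). BLOCKED: the server refused the request."""
    if CONFIG_MARKER in body.lower():
        return "EXPOSED"
    if status == 200:
        return "SUSPECT"
    return "BLOCKED"


def check_config_exposure(base_url, paths=("web.config",), fetcher=fetch):
    """Map each path under base_url to its verdict. `fetcher` is injectable so
    the logic can be exercised offline with constructed responses."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status, body = fetcher(url)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    # Usage (placeholder URL): python check_config.py http://localhost/MyApp
    for path, verdict in check_config_exposure(sys.argv[1]).items():
        print(f"{verdict:8} {path}")
```

A web.config with encrypted sections still has the `<configuration>` root element, so it is reported as EXPOSED if the server hands the file out.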