asp.net.netasp.net-mvc-sitemap

ASP.NET web app returns 404 for URLs ending with ".sitemap"


Our web service provides API similar to this: "/api/<customer-provided name>?parameter=".

This API returns 404 without hitting our code if customer uses any values ending with ".sitemap". There is nothing in our codebase which does anything special for this particular suffix.

Our hypothesis is that it can be related to ASP.NET Site-Map Security Trimming: https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178428(v=vs.100)

Any ideas how to disable it (i.e. allow customers to use values ending with ".sitemap")?


Solution

  • Turned out to be default ASP.NET behavior of blocking URL endings which represent some well known file extensions (.sitemap, .cs, and many more).

    Adding the following fileExtensions section fixed it:

    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <clear />
        </fileExtensions>
      </requestFiltering>
    </security>