Closed blairlearn closed 3 years ago
I propose we remove bin from IIS' list of hidden segments. The API has no bin directory anyhow, so this isn't actually protecting anything. (Unlike web forms applications, the API's binaries and configuration files aren't intermixed with content files. Content, such as the build-info.json, is served from a separate wwwroot directory, a level below the code which implements the API.)
The default list of hidden items is
Aside from bin, the rest seem unlikely search terms.
Issue description
Searching for terms beginning with 'bin' (e.g. https://webapis.cancer.gov/glossary/v1/Terms/search/Cancer.gov/Patient/en/bin?matchType=Begins&size=100) results in a 404 response instead of a search.
This is because of "bin" appearing as a path fragment. In order to prevent sensitive files (e.g. configuration data and binaries) from being exposed on the web, IIS defaults to disallowing URLs with "bin" as one of the fragments.
This also applies to autosuggest. e.g. https://webapis.cancer.gov/glossary/v1/Autosuggest/Cancer.gov/Patient/en/bin?matchType=Begins&size=20
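The change proposed in this issue, sketched as a web.config fragment. This is an added example, not the project's own configuration; it assumes the API is configured through a site-level web.config and that the requestFiltering section is not locked at the server level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS request filtering rejects any URL whose path contains a
             hidden segment; such rejections are logged as 404 with
             substatus 8 (404.8). -->
        <hiddenSegments>
          <!-- Remove only "bin" from the inherited list. Every other
               inherited hidden segment stays in force. -->
          <remove segment="bin" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Before deploying a change like this, confirm that no bin directory exists under the root IIS serves for the site, since the hidden-segment rule is what keeps such a directory unreachable.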