Hi,
Although rated "Low", during a pen test for a customer they flagged _BannedIPs.txt (being publicly accessible) as "Confidential Data Exposure".
I'm planning to handle this through web.config, but I wonder whether there's either a standard way to do it, or whether there should be?
BTW, we passed with flying colors. We had only "Low" remarks, most of which are configuration (i.e. Content-Security-Policy), non-applicable things (exposing the name "Dynamicweb" in /admin, basically telling potential offenders the app under the hood, which they can then use to find known issues/weaknesses) or things we can't/won't act on (i.e. jQuery, Bootstrap and Modesto versions when accessing /admin [the backend - they did not check the backend, just the /admin page]).
Best Regards,
Nuno Aguiar
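One way to close this in web.config, as an added example that is not the poster's configuration and not a Dynamicweb-supplied snippet: it assumes IIS 7 or later with the Request Filtering module enabled (the default) and _BannedIPs.txt living under the site root. Merge the `requestFiltering` part into the site's existing web.config rather than replacing the file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Added example, not from the original post.
             A hidden segment makes IIS answer 404 for any URL that contains
             this path segment, before any handler runs. The static-file
             handler therefore never serves the banned-IP list, while the
             application can still read the file from disk as before. -->
        <hiddenSegments>
          <add segment="_BannedIPs.txt" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, check it from outside the network with `curl -I https://<your-site>/_BannedIPs.txt` and expect an HTTP 404 (IIS logs it as substatus 404.8). Two caveats: `hiddenSegments` matches that segment name in any directory, not only the root, which is usually what you want here; and a `<location path="_BannedIPs.txt">` block with `<system.web><authorization><deny users="*"/>` would not protect the file on its own, because ASP.NET URL authorization only runs for requests routed to a managed handler, and a plain .txt is served by the static-file handler unless `runAllManagedModulesForAllRequests` is turned on.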