Forbid web.config page from the browser as in

Francis Daly francis at
Thu Nov 12 14:43:43 UTC 2020

On Thu, Nov 12, 2020 at 07:17:46PM +0530, Kaushal Shriyan wrote:

Hi there,

> I am running the Nginx version: nginx/1.16.1 on CentOS Linux release
> 7.8.2003 (Core). I am trying to forbid/prevent web.config file to
> download it from the browser. When I hit
> it is allowing me to download instead of
> forbidding the page ( 403 Forbidden).

When I use this config, it works for me (I get the http 403 response).

Are you sure that the config file with this server{} block is read by
your running nginx?

Are there any other server{} blocks with the same (implicit) "listen"
directive, that might mean that this server{} block is never used?

What do you get if you do

  curl -i -H Host:_ http://your-server/web.config

where the "Host:_" part is an attempt to match the server_name that you
set in this server{} block.

(Change "your-server" to be a name or IP that your client can use to get
at the web service.)


Francis Daly        francis at

More information about the nginx mailing list