Split static files and MapStaticFiles into 2 doc /1 (#34924)

Rick-Anderson · guardrex · web-flow · commit 290a862ec66f · 2025-03-17T19:41:18.000Z
* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* Split static files and MapStaticFiles into 2 doc /1

* work

* work

* work

* Apply suggestions from code review

Co-authored-by: Luke Latham &lt;1622880+guardrex@users.noreply.github.com&gt;

* react to feedback/final tasks

* react to feedback/final tasks

* react to feedback/final tasks

---------

Co-authored-by: Luke Latham &lt;1622880+guardrex@users.noreply.github.com&gt;
diff --git a/aspnetcore/fundamentals/static-files.md b/aspnetcore/fundamentals/static-files.md
@@ -1,16 +1,15 @@
 ---
-title: Static files in ASP.NET Core
+title: Map static files in ASP.NET Core
 author: rick-anderson
-description: Learn how to serve and secure static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.
-monikerRange: '>= aspnetcore-3.1'
+description: Learn how to serve and secure mapped static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.
+monikerRange: '>= aspnetcore-8.0'
 ms.author: riande
 ms.custom: mvc
-ms.date: 7/25/2024
-uid: fundamentals/static-files
+ms.date: 3/18/2025
+uid: fundamentals/map-static-files
 ---
-# Static files in ASP.NET Core
 
-[!INCLUDE[](~/includes/not-latest-version.md)]
+# Map static files in ASP.NET Core
 
 :::moniker range=">= aspnetcore-9.0"
 
@@ -53,8 +52,28 @@ Creating performant web apps requires optimizing asset delivery to the browser.
 * Integrates the information gathered about static web assets during the build and publish process with a runtime library that processes this information to optimize file serving to the browser.
 * Are routing endpoint conventions that optimize the delivery of static assets in an app. It's designed to work with all UI frameworks, including Blazor, Razor Pages, and MVC.
 
-[`UseStaticFiles`](/dotnet/api/microsoft.aspnetcore.builder.staticfileextensions.usestaticfiles) also serves static files, but it doesn't provide the same level of optimization as `MapStaticAssets`. For a comparison of  `UseStaticFiles` and `MapStaticAssets`, see [Optimizing static web asset delivery
-](xref:aspnetcore-9#optimizing-static-web-asset-delivery).
+### `MapStaticAssets` versus `UseStaticFiles`
+
+<xref:Microsoft.AspNetCore.Builder.StaticAssetsEndpointRouteBuilderExtensions.MapStaticAssets%2A> is available in ASP.NET Core in .NET 9.0 and later. <xref:Microsoft.AspNetCore.Builder.StaticFileExtensions.UseStaticFiles%2A> must be used in versions prior to .NET 9.0.
+
+<xref:Microsoft.AspNetCore.Builder.StaticFileExtensions.UseStaticFiles%2A> serves static files, but it doesn't provide the same level of optimization as `MapStaticAssets`. `MapStaticAssets` is optimized for serving assets that the app has knowledge of at runtime. If the app serves assets from other locations, such as disk or embedded resources, `UseStaticFiles` should be used.
+
+The following features are supported in `UseStaticFiles` but not in `MapStaticAssets`:
+
+* [Serving files from disk or embedded resources, or other locations](xref:fundamentals/static-files#serve-files-from-multiple-locations)
+* [Serve files outside of web root](xref:fundamentals/static-files#serve-files-outside-of-web-root)
+* [Set HTTP response headers](xref:fundamentals/static-files#set-http-response-headers)
+* [Directory browsing](xref:fundamentals/static-files#directory-browsing)
+* [Serve default documents](xref:fundamentals/static-files#serve-default-documents)
+* [`FileExtensionContentTypeProvider`](xref:fundamentals/static-files#fileextensioncontenttypeprovider)
+* [Serve files from multiple locations](xref:fundamentals/static-files#serve-files-from-multiple-locations)
+* [Serving files from disk or embedded resources, or other locations](xref:fundamentals/static-files#serve-files-from-multiple-locations)
+* [Serve files outside of web root](xref:fundamentals/static-files#serve-files-outside-of-web-root)
+* [Set HTTP response headers](xref:fundamentals/static-files#set-http-response-headers)
+* [Directory browsing](xref:fundamentals/static-files#directory-browsing)
+* [Serve default documents](xref:fundamentals/static-files#serve-default-documents)
+* [`FileExtensionContentTypeProvider`](xref:fundamentals/static-files#fileextensioncontenttypeprovider)
+* [Serve files from multiple locations](xref:fundamentals/static-files#serve-files-from-multiple-locations)
 
 ### Serve files in web root
 
@@ -92,7 +111,7 @@ The following markup references `MyStaticFiles/images/red-rose.jpg`:
 <!-- zz test via /Home2/MyStaticFilesRR -->
 [!code-html[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Views/Home2/MyStaticFilesRR.cshtml?range=1)]
 
-To serve files from multiple locations, see [Serve files from multiple locations](#serve-files-from-multiple-locations).
+To serve files from multiple locations, see [Serve files from multiple locations](xref:fundamentals/static-files#serve-files-from-multiple-locations).
 
 ### Set HTTP response headers
 
@@ -104,154 +123,12 @@ The preceding code makes static files publicly available in the local cache for
 
 ## Static file authorization
 
-The ASP.NET Core templates call <xref:Microsoft.AspNetCore.Builder.StaticAssetsEndpointRouteBuilderExtensions.MapStaticAssets%2A> before calling <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A>. Most apps follow this pattern. When the Static File Middleware is called before the authorization middleware:
+The ASP.NET Core templates call <xref:Microsoft.AspNetCore.Builder.StaticAssetsEndpointRouteBuilderExtensions.MapStaticAssets%2A> before calling <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A>. Most apps follow this pattern. When `MapStaticAssets` is called before the authorization middleware:
 
   * No authorization checks are performed on the static files.
   * Static files served by the Static File Middleware, such as those under `wwwroot`, are publicly accessible.
   
-To serve static files based on authorization:
-
-  * Store them outside of `wwwroot`.
-  * Call `UseStaticFiles`, specifying a path, after calling `UseAuthorization`.
-  * Set the [fallback authorization policy](xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.FallbackPolicy).
-
-<!-- ~/fundamentals/static-files/samples/8.x/StaticFileAuth is a different app that ~/fundamentals/static-files/samples/6.x/StaticFileAuth -->
-[!code-csharp[](~/fundamentals/static-files/samples/6.x/StaticFileAuth/Program.cs?name=snippet_auth&highlight=18-23,38,45-50)]
-  
-  In the preceding code, the fallback authorization policy requires ***all*** users to be authenticated. Endpoints such as controllers, Razor Pages, etc that specify their own authorization requirements don't use the fallback authorization policy. For example, Razor Pages, controllers, or action methods with `[AllowAnonymous]` or `[Authorize(PolicyName="MyPolicy")]` use the applied authorization attribute rather than the fallback authorization policy.
-
-  <xref:Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireAuthenticatedUser%2A> adds <xref:Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement> to the current instance, which enforces that the current user is authenticated.
-
-  Static assets under `wwwroot` are publicly accessible because the default Static File Middleware (`app.UseStaticFiles();`) is called before `UseAuthentication`. Static assets in the ***MyStaticFiles*** folder require authentication. The [sample code](https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/fundamentals/static-files/samples/8.x) demonstrates this.
-
-An alternative approach to serve files based on authorization is to:
-
-* Store them outside of `wwwroot` and any directory accessible to the Static File Middleware.
-* Serve them via an action method to which authorization is applied and return a <xref:Microsoft.AspNetCore.Mvc.FileResult> object:
-
-
-  [!code-csharp[](~/fundamentals/static-files/samples/6.x/StaticFileAuth/Pages/BannerImage.cshtml.cs?name=snippet)]
-
-The preceding approach requires a page or endpoint per file. The following code returns files or uploads files for authenticated users:
-
-:::code language="csharp" source="~/fundamentals/static-files/samples/9.x/StaticFileAuth/Program.cs" id="snippet_1":::
-
-IFormFile in the preceding sample uses memory buffer for uploading. For handling large file use streaming. See [Upload large files with streaming](xref:mvc/models/file-uploads#upload-large-files-with-streaming).
-
-See the [StaticFileAuth](https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/fundamentals/static-files/samples/9.x/StaticFileAuth) GitHub folder for the complete sample.
-
-## Directory browsing
-
-Directory browsing allows directory listing within specified directories.
-
-Directory browsing is disabled by default for security reasons. For more information, see [Security considerations for static files](#security-considerations-for-static-files).
-
-Enable directory browsing with <xref:Microsoft.Extensions.DependencyInjection.DirectoryBrowserServiceExtensions.AddDirectoryBrowser%2A> and <xref:Microsoft.AspNetCore.Builder.DirectoryBrowserExtensions.UseDirectoryBrowser%2A>:
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_db&highlight=9,23-37)]  
-
-<!-- Select RP Home > Directory browsing -->
-The preceding code allows directory browsing of the *wwwroot/images* folder using the URL `https://<hostname>/MyImages`, with links to each file and folder:
-
-![directory browsing](~/fundamentals/static-files/_static/dir-browse.png)
-
-`AddDirectoryBrowser` [adds services](https://github.com/dotnet/aspnetcore/blob/fc4e391aa58a9fa67fdc3a96da6cfcadd0648b17/src/Middleware/StaticFiles/src/DirectoryBrowserServiceExtensions.cs#L25) required by the directory browsing middleware, including <xref:System.Text.Encodings.Web.HtmlEncoder>. These services may be added by other calls, such as <xref:Microsoft.Extensions.DependencyInjection.MvcServiceCollectionExtensions.AddRazorPages%2A>, but we recommend calling `AddDirectoryBrowser` to ensure the services are added in all apps.
-
-## Serve default documents
-
-<!-- Comment out  @*@page*@  default RP file -->
-
-Setting a default page provides visitors a starting point on a site. To serve a default file from `wwwroot` without requiring the request URL to include the file's name, call the <xref:Microsoft.AspNetCore.Builder.DefaultFilesExtensions.UseDefaultFiles%2A> method:
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_df&highlight=16)]  
-
-`UseDefaultFiles` must be called before `UseStaticFiles` to serve the default file. `UseDefaultFiles` is a URL rewriter that doesn't serve the file.
-
-With `UseDefaultFiles`, requests to a folder in `wwwroot` search for:
-
-* `default.htm`
-* `default.html`
-* `index.htm`
-* `index.html`
-
-The first file found from the list is served as though the request included the file's name. The browser URL continues to reflect the URI requested. For example, in the [sample app](https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs), a request to `https://localhost:<port>/def/` serves `default.html` from `wwwroot/def`.
-
-The following code changes the default file name to `mydefault.html`:
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_df2&highlight=16-19)]
-
-### UseFileServer for default documents
-
-<xref:Microsoft.AspNetCore.Builder.FileServerExtensions.UseFileServer*> combines the functionality of `UseStaticFiles`, `UseDefaultFiles`, and optionally `UseDirectoryBrowser`.
-
-Call `app.UseFileServer` to enable the serving of static files and the default file. Directory browsing isn't enabled:
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_ufs&highlight=16)] 
-
-The following code enables the serving of static files, the default file, and directory browsing:
-
-<!--  app.UseFileServer(enableDirectoryBrowsing: true); returns the default HTML doc before the default Razor Page - ie, / returns the default HTML file, not Pages/Index.cshtml --
-But when using app.UseDefaultFiles();, I need to comment out Pages/Index.cshtml or / returns  Pages/Index.cshtml, not the default HTML file.
--->
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_ufs2&highlight=6,18)] 
-
-Consider the following directory hierarchy:
-
-* `wwwroot`
-  * `css`
-  * `images`
-  * `js`
-* `MyStaticFiles`
-  * `defaultFiles`
-    * `default.html`
-    * `image3.png`
-  * `images`
-    * `MyImage.jpg`
-
-The following code enables the serving of static files, the default file, and directory browsing of `MyStaticFiles`:
-
-<!-- https://localhost:44391/StaticFiles/ or the link on https://localhost:44391/Home2/MyStaticFilesRR -->
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_tree&highlight=1,8,22-28)]
-
-<xref:Microsoft.Extensions.DependencyInjection.DirectoryBrowserServiceExtensions.AddDirectoryBrowser%2A> must be called when the `EnableDirectoryBrowsing` property value is `true`.
-
-Using the preceding file hierarchy and code, URLs resolve as follows:
-
-| URI            |      Response  |
-| ------- | ------|
-| `https://<hostname>/StaticFiles/images/MyImage.jpg` | `MyStaticFiles/images/MyImage.jpg` |
-| `https://<hostname>/StaticFiles` | directory listing |
-| `https://<hostname>/StaticFiles/defaultFiles` | `MyStaticFiles/defaultFiles/default.html` |
-| `https://<hostname>/StaticFiles/defaultFiles/image3.png` | `MyStaticFiles/defaultFiles//image3.png` |
-
-If no default-named file exists in the *MyStaticFiles* directory, `https://<hostname>/StaticFiles` returns the directory listing with clickable links:
-
-![Static files list](~/fundamentals/static-files/_static/db2.png)
-
-<xref:Microsoft.AspNetCore.Builder.DefaultFilesExtensions.UseDefaultFiles*> and <xref:Microsoft.AspNetCore.Builder.DirectoryBrowserExtensions.UseDirectoryBrowser*> perform a client-side redirect from the target URI without a trailing `/`  to the target URI with a trailing `/`. For example, from `https://<hostname>/StaticFiles` to `https://<hostname>/StaticFiles/`. Relative URLs within the *StaticFiles* directory are invalid without a trailing slash (`/`) unless the <xref:Microsoft.AspNetCore.StaticFiles.Infrastructure.SharedOptions.RedirectToAppendTrailingSlash> option of <xref:Microsoft.AspNetCore.Builder.DefaultFilesOptions> is used.
-
-## FileExtensionContentTypeProvider
-
-The <xref:Microsoft.AspNetCore.StaticFiles.FileExtensionContentTypeProvider> class contains a [Mappings](/dotnet/api/microsoft.aspnetcore.staticfiles.fileextensioncontenttypeprovider.mappings) property that serves as a mapping of file extensions to MIME content types. In the following sample, several file extensions are mapped to known MIME types. The *.rtf* extension is replaced, and *.mp4* is removed:
-
-<!-- test via /mapTest/image1.image and mapTest/test.htm3 /mapTest/TextFile.rtf -->
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_fec&highlight=19-33)] 
-
-See [MIME content types](https://www.iana.org/assignments/media-types/media-types.xhtml).
-
-## Non-standard content types
-
-The Static File Middleware understands almost 400 known file content types. If the user requests a file with an unknown file type, the Static File Middleware passes the request to the next middleware in the pipeline. If no middleware handles the request, a *404 Not Found* response is returned. If directory browsing is enabled, a link to the file is displayed in a directory listing.
-
-The following code enables serving unknown types and renders the unknown file as an image:
-
-[!code-csharp[](~/fundamentals/static-files/samples/9.x/StaticFilesSample/Program.cs?name=snippet_ns&highlight=16-20)]
-
-With the preceding code, a request for a file with an unknown content type is returned as an image.
-
-> [!WARNING]
-> Enabling <xref:Microsoft.AspNetCore.Builder.StaticFileOptions.ServeUnknownFileTypes> is a security risk. It's disabled by default, and its use is discouraged. [FileExtensionContentTypeProvider](#fileextensioncontenttypeprovider) provides a safer alternative to serving files with non-standard extensions.
+To serve static files based on authorization, see [Static file authorization](xref:fundamentals/static-files#static-file-authorization).
 
 ## Serve files from multiple locations
 
@@ -275,27 +152,6 @@ The following code updates the `WebRootFileProvider`, which enables the Image Ta
 > [!NOTE]
 > The preceding approach applies to Razor Pages and MVC apps. For guidance that applies to Blazor Web Apps, see <xref:blazor/fundamentals/static-files#serve-files-from-multiple-locations>.
 
-<a name="sc"></a>
-
-### Security considerations for static files
-
-> [!WARNING]
-> `UseDirectoryBrowser` and `UseStaticFiles` <!-- but not MapStaticAssets --> can leak secrets. Disabling directory browsing in production is highly recommended. Carefully review which directories are enabled via `UseStaticFiles` or `UseDirectoryBrowser`. The entire directory and its sub-directories become publicly accessible. Store files suitable for serving to the public in a dedicated directory, such as `<content_root>/wwwroot`. Separate these files from MVC views, Razor Pages, configuration files, etc.
-
-* The URLs for content exposed with `UseDirectoryBrowser`, `UseStaticFiles`, and `MapStaticAssets` are subject to the case sensitivity and character restrictions of the underlying file system. For example, Windows is case insensitive, but macOS and Linux aren't.
-
-* ASP.NET Core apps hosted in IIS use the [ASP.NET Core Module](xref:host-and-deploy/aspnet-core-module) to forward all requests to the app, including static file requests. The IIS static file handler isn't used and has no chance to handle requests.
-
-* Complete the following steps in IIS Manager to remove the IIS static file handler at the server or website level:
-    1. Navigate to the **Modules** feature.
-    1. Select **StaticFileModule** in the list.
-    1. Click **Remove** in the **Actions** sidebar.
-
-> [!WARNING]
-> If the IIS static file handler is enabled **and** the ASP.NET Core Module is configured incorrectly, static files are served. This happens, for example, if the *web.config* file isn't deployed.
-
-* Place code files, including `.cs` and `.cshtml`, outside of the app project's [web root](xref:fundamentals/index#web-root). A logical separation is therefore created between the app's client-side content and server-based code. This prevents server-side code from being leaked.
-
 ## Serve files outside wwwroot by updating IWebHostEnvironment.WebRootPath
 
 When <xref:Microsoft.AspNetCore.Hosting.IWebHostEnvironment.WebRootPath%2A?displayProperty=nameWithType> is set to a folder other than `wwwroot`:
@@ -341,7 +197,3 @@ The following code updates `IWebHostEnvironment.WebRootPath` to a non developmen
 * <xref:blazor/file-downloads>
 
 :::moniker-end
-
-[!INCLUDE[](~/fundamentals/static-files/includes/static-files8.md)]
-
-[!INCLUDE[](~/fundamentals/static-files/includes/static-files6.md)]
diff --git a/aspnetcore/fundamentals/static-files/includes/static-files8.md b/aspnetcore/fundamentals/static-files/includes/static-files8.md
@@ -1,4 +1,4 @@
-:::moniker range="= aspnetcore-8.0"
+:::moniker range=">= aspnetcore-8.0"
 
 By [Rick Anderson](https://twitter.com/RickAndMSFT)
 
diff --git a/aspnetcore/fundamentals/static-files2.md b/aspnetcore/fundamentals/static-files2.md
@@ -0,0 +1,17 @@
+---
+title: Static files in ASP.NET Core
+author: rick-anderson
+description: Learn how to serve and secure static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.
+monikerRange: '>= aspnetcore-3.1'
+ms.author: riande
+ms.custom: mvc
+ms.date: 7/25/2024
+uid: fundamentals/static-files
+---
+# Static files in ASP.NET Core
+
+[!INCLUDE[](~/includes/not-latest-version.md)]
+
+[!INCLUDE[](~/fundamentals/static-files/includes/static-files8.md)]
+
+[!INCLUDE[](~/fundamentals/static-files/includes/static-files6.md)]

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-:::moniker range="= aspnetcore-8.0"`
	`1`	`+:::moniker range=">= aspnetcore-8.0"`
`2`	`2`
`3`	`3`	`By [Rick Anderson](https://twitter.com/RickAndMSFT)`
`4`	`4`