Problem: A xap package is basically a package of Silverlight (.NET) DLLs. These can easily be disassembled and reassembled with something like ILSpy to view the code. Generally speaking, anyone can directly hit the Xap package Url and directly download the xap package to view the contents. All they need is the Xap package. So, basically speaking, if you leave a Xap package exposed in IIS, anyone can download the Xap package, and view the system's code.
This really isn't a problem if your project is open source and the source code is freely available. However, as a general principle, it is never a good idea to hand out your source code over the web because it's essentially a road map for hackers to find exploits in your system.
So, I'm looking for the best practice way of stopping non-authenticated users from downloading the Xap package. Can anyone point me to best practice on this?
Here are a few potential ways of achieving it:
- Hide the Xap package in a folder where non-ASP authenticated users can not get access to it, and use ASP authentication
- Have two Silverlight apps. 1 for login, that passes you to another 1 that is the actual app. But, this doesn't add much more than the above
- Any other suggestions.... What have other people done?
PS: Before anyone states the obvious and suggests that the project should be open sourced - it's not an option. I'd like to do that, but our industry does not understand the benefits of open source and it would be very much frowned upon.
