Is there a security risk with internal HTTP call

Is there a security开发者_开发知识库 risk if an application called page.ashx called internal only page.ashx, can a hacker conclude that another page is called.

I don't want anyone to access this page. it looks stupid I know, but it is a part of more complex problem.

thanks

"I don't want anyone to access this page."
To archive that you need to check if your user is authenticated one inside this page, or this page is in the directory that this roles of authenticated users can see.

The redirects can been read - so if you have some other page that redirect to the one you say, this is visible.

The server transfer however can not bee read and its internal, but I do not know if this can help your case.

By default, an ashx handler can be accessed just the same as an aspx page.
It is unclear what you mean by "internal". If the call is made at server side you can hide the file by removing permissions on the IIS. However, that may indicate you don't need a handler at all, and can probably call the function directly. If the client need to access it (if it's returning a script or an image, for example), you cannot prevent direct access to it.

If you're looking for security light, you can obfuscate the URL with a hard to guess file or folder name and then use server transfer as Aristos suggested.

If you're looking for fancier security, then implement a web service instead of an ashx that requires authentications from the calling code with application credentials (something the application has that the user doesn't have so that the user can't call the service directly).