I'm running a WCF web app via IIS7.
Inside my application I have a public folder and inside that folder I have files containing rather sensitive information.
Currently, I have Directory Browsing disabled in IIS.
The file names are randomly generated strings of gibberish.
My initial thought was that, since Directory Browsing is disabled and no one knows the files' names, no one should be able to access them.
How safe are my assumptions?
If unsafe, I'll rewrite some code to stream the files to my client instead of referencing directly with a URL like I'm currently doing.