My application is an ASP.net 4.5 VB Razor Web Forms application.
My .vbhtml files are secured by WebSecurity in my application; however, .pdf files can be viewed by anyone that has the URL even though they are in a folder protected by _PageStart.vbhtml.
How do I use the existing roles and protect other folder contents, including .docx files, .pdf files, etc.? Do I use a web.config file or is there a better way?