I am going to frame this question using ASP.NET Core in mind since that is what I'm using, though my question is applicable to any scenario in which you have a client that makes requests to a server storing static files.
In the Microsoft docs on how to order middleware in an ASP.NET Core application, it specifies:
The static file middleware is called early in the pipeline so it can handle requests and short-circuit without going through the remaining components. The static file middleware provides no authorization checks. Any files served by it, including those under wwwroot, are publicly available. See Work with static files for an approach to secure static files.
I can see that it would be useful to bypass authentication
in order to serve these files faster.
because these static files (consisting mainly of HTML, CSS, JavaScript, and various types of image files) are in no way obfuscated on the client (for authenticated users, mind you).
However, there's a part of me that feels iffy about allowing all these files to be publicly available considering you have to be authenticated to be able to access the site. Since these static files contain a lot of the site's scripts and other resources, an unauthenticated user who would normally be able to not interact at all with the application can suddenly see a lot of how the front end works.
Is there any information contained in static files that would be useful for an attacker, such as a partially-complete picture of the front end codebase? My guess is no, because if that were the case then that implies that we trust all authenticated users to not use that information maliciously. Nevertheless, I wanted to make sure by asking here.