I noticed you are able to browse the angular app appconfig.json file. If you browse the file like this /assets/appconfig.json you are able to browse it. For example to test this theory on one of your test sites I create a demo <a class="postlink" href="http://test-41234.demo.aspnetzero.com/assets/appconfig.json">http://test-41234.demo.aspnetzero.com/a ... onfig.json</a> and was able to browse it.
Any way on IIS to block this? I tried adding it as a hidden segment but that actually kept the site from working all together.
Any help would be a great help.