The ASP.NET Core templates call UseStaticFiles before calling UseAuthorization. Most apps follow this pattern. When the Static File Middleware is called before the authorization middleware:
- No authorization checks are performed on the static files.
- Static files served by the Static File Middleware, such as those under wwwroot, are publicly accessible.
But in nopCommerce, there is customization for static files. The db_backups folder needs the maintenance permission to get access. Please see the code from the image.
The default directory is {content root}/wwwroot, but it can be changed with the UseWebRoot method. Any of the project directories can be made accessible if you configure them. To say it another way, no directory is accessible if you don't give access.
I mean the backup should not be in a folder open on the internet... How logical is it to put a backup folder in a folder that everyone can access from the web? It must be in App_Data: public static string DbBackupsPath => "..\\App_Data\\";
That's not true. Everyone doesn't have access to it. Please see the reply from tanzimsiddiqee above. You need the maintenance permission to get access to this folder (so administrators can download a backup).
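
The middleware ordering discussed in this thread, as an added example that is not part of the original posts and is not nopCommerce's own code: wwwroot stays public because UseStaticFiles runs before UseAuthorization, while a backups directory is served only after an explicit policy check. The "Maintenance" policy, the "permission" claim, the /db_backups request path and the App_Data/db_backups location are assumptions chosen for illustration; the block assumes a .NET 6+ web project with implicit usings.

```csharp
// Added illustration, not nopCommerce code. Assumed names: the "Maintenance"
// policy, the "permission" claim and the /db_backups request path.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("Maintenance", policy =>
        policy.RequireClaim("permission", "maintenance")));
var app = builder.Build();

// Public assets: this runs before authorization, so wwwroot gets no checks.
app.UseStaticFiles();

app.UseAuthentication();
app.UseAuthorization();

// Backups live outside wwwroot, so the default middleware above never sees them.
var backupDir = Path.Combine(app.Environment.ContentRootPath, "App_Data", "db_backups");
Directory.CreateDirectory(backupDir);

// Only requests under /db_backups enter this branch, and the policy is
// evaluated before the second Static File Middleware can open a file.
app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments("/db_backups"), branch =>
{
    branch.Use(async (ctx, next) =>
    {
        var authz = ctx.RequestServices.GetRequiredService<IAuthorizationService>();
        var result = await authz.AuthorizeAsync(ctx.User, null, "Maintenance");
        if (!result.Succeeded)
        {
            // 401 for anonymous callers, 403 for signed-in users without the claim.
            var signedIn = ctx.User.Identity?.IsAuthenticated == true;
            ctx.Response.StatusCode = signedIn ? 403 : 401;
            return;
        }
        await next(ctx);
    });
    branch.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(backupDir),
        RequestPath = "/db_backups"
    });
});
app.Run();
```

A quick check for any deployment like this is to request a known backup file name without a session cookie and confirm the response is 401 or 403 rather than the file.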