First, the principle
To implement the anti-theft chain, we must first understand the implementation principle of hotlinking, mentioned the implementation principle of the anti-theft chain has to start from the HTTP protocol, in the HTTP protocol, there is a header field called Referer, in the format of the URL to indicate from where to link to the current page or file. In other words, through Referer, the Web site can detect the source page of the target page access, and if it is a resource file, it can be traced to the page address where it is displayed. With the Referer tracking source is good to do, at this time can be handled by technical means, once detected source is not the site to block or return to the specified page. If you want to protect your site against theft, you need to treat different situations differently.
If the site server is using Apache, then using the Apache URL rewrite feature can easily prevent a variety of hotlinking, and its principle is to check the refer, if the refer information from other sites are redirected to the specified image or Web page.
If the server is using IIS, you need to use a third-party plug-in to implement the anti-theft chain function, now more commonly used a product called isapi_rewrite, can achieve similar to the Apache anti-theft chain function. In addition, for the Forum can also use "Login verification" method for anti-theft chain.
Second, the realization of anti-theft chain
Now let's implement anti-theft chain technology in ASP. NET core to protect our applications and site files. This is done through the middleware technology in ASP. All incoming requests are monitored and processed to check that the requests are from our application.
Let's create this anti-theft chain middleware program:
public class hotlinkingpreventionmiddleware{ private readonly string _wwwrootfolder; Private ReadOnly requestdelegate _next; Public Hotlinkingpreventionmiddleware (Requestdelegate Next, ihostingenvironment env) { _wwwrootfolder = Envwebrootpath; _next = next; } Public Async Task Invoke (HttpContext context) { var ApplicationUrl = $ "{contextrequestscheme}://{ Contextrequesthostvalue} "; var headersdictionary = contextrequestheaders; var urlreferrer = headersdictionary[headernamesreferer]tostring (); if (!stringisnullorempty (urlreferrer) &&!urlreferrerstartswith (applicationurl)) { var Unauthorizedimagepath = Pathcombine (_wwwrootfolder, "images/unauthorizedpng"); Await Contextresponsesendfileasync (Unauthorizedimagepath); } Await _next (context); }}
In this middleware we can see that the request object in ASP. Referrer is not encapsulated, and to obtain referrer, it is accessed via HTTP header information (Headers).
A iapplicationbuilder extension is generally needed:
public static class builderextensions{public static Iapplicationbuilder Usehotlinkingpreventionmiddleware (this Iapplicationbuilder app) { return appusemiddleware ();} }
Finally, using it only needs to be called in the Configure function, above the extension function.
App. Usehotlinkingpreventionmiddleware ();
Third, really can prevent?
How to break the anti-theft chain? For checking the way of refer, in the page middleware can be advanced into the destination address of another page in the go to the destination page, so that the page refer is the purpose of the site itself, so, that is to achieve breakthroughs. There are many tools that can be used in this area, especially for mature Web project test packages, such as Htmlunit, which can be set directly in the request refer.
If the misappropriation of the site is HTTPS protocol, and the picture link is HTTP, then the request from HTTPS to HTTP because of security provisions, without referer, so as to achieve the anti-theft chain bypass.
Finally, I can only say this way, only to a certain extent, can not eliminate all attacks, or recommend the use of mature server applications, such as Nginx.
The above is the whole content of this article, I hope that everyone's learning has helped, but also hope that we support topic.alibabacloud.com.