ASP. NET Core prevents instances of picture hotlinking with custom middleware

Tag: Represents the Send HTTP protocol amp Information ONS resource task Sharp

First, the principle

To implement the anti-theft chain, we must first understand the implementation principle of hotlinking, mentioned the implementation principle of the anti-theft chain has to start from the HTTP protocol, in the HTTP protocol, there is a header field called Referer, in the format of the URL to indicate from where to link to the current page or file. In other words, through Referer, the Web site can detect the source page of the target page access, and if it is a resource file, it can be traced to the page address where it is displayed. With the Referer tracking source is good to do, at this time can be handled by technical means, once detected source is not the site to block or return to the specified page. If you want to protect your site against theft, you need to treat different situations differently.

If the site server is using Apache, then using the Apache URL rewrite feature can easily prevent a variety of hotlinking, and its principle is to check the refer, if the refer information from other sites are redirected to the specified image or Web page.

If the server is using IIS, you need to use a third-party plug-in to implement the anti-theft chain function, now more commonly used a product called isapi_rewrite, can achieve similar to the Apache anti-theft chain function. In addition, for the Forum can also use "Login verification" method for anti-theft chain.

Second, the realization of anti-theft chain

Now let's implement anti-theft chain technology in ASP. NET core to protect our applications and site files. This is done through the middleware technology in ASP. All incoming requests are monitored and processed to check that the requests are from our application.

Let's create this anti-theft chain middleware program:

     Public classOuterimgmiddleware {Private ReadOnly string_wwwrootfolder; Private ReadOnlyrequestdelegate _next;  PublicOuterimgmiddleware (requestdelegate Next, ihostingenvironment env) {_wwwrootfolder=Env.            Webrootpath; _next=Next; }         Public AsyncTask Invoke (HttpContext context) {varApplicationUrl = $"{context. Request.scheme}://{context. Request.Host.Value}"; varHeadersdictionary =context.            Request.headers; varUrlreferrer = headersdictionary["Headernamesreferer"].            ToString (); if(!string. IsNullOrEmpty (urlreferrer) &&!Urlreferrerstartswith (ApplicationUrl)) {                varUnauthorizedimagepath = Path.Combine (_wwwrootfolder,"Images/unauthorizedpng"); awaitcontext.            Response.sendfileasync (Unauthorizedimagepath); }            await_next (context); }    }

In this middleware we can see that the request object in ASP. Referrer is not encapsulated, and to obtain referrer, it is accessed via HTTP header information (Headers).

A iapplicationbuilder extension is generally needed:

1234567

public static class Builderextensions {    Code class= "CSharp keyword" >public static Iapplicationbuilder usehotlinkingpreventionmiddleware ( this iapplicationbuilder app)    {      return appusemiddleware ();    } }

Finally, using it only needs to be called in the Configure function, above the extension function.

1	app.UseHotlinkingPreventionMiddleware();

More:

ASP. NET Core prevents instances of picture hotlinking with custom middleware (GO)