ASP.NET Core prevents picture hotlinking through middleware

Source: Internet
Author: User

First, the principle

To implement hotlink protection we first have to understand how hotlinking can be detected, and that starts with the HTTP protocol. HTTP defines a request header called Referer, whose value is a URL telling the server which page linked to the current page or file. Through the Referer, a web site can see where a request for a page came from and, for a resource file such as an image, which page it is being displayed on. Once the source is known, the rest is mechanics: if the source is not our own site, block the request or return a substitute resource. Different hosting setups need different treatment.
If the site runs on Apache, its URL rewriting (mod_rewrite) can block most hotlinking: it checks the Referer and, when the request comes from another site, redirects it to a specified image or page.
If the server is IIS, a third-party plug-in is needed; a commonly used one is ISAPI_Rewrite, which provides the same kind of protection as the Apache approach. A forum can additionally require login verification before serving attachments.

Second, implementing hotlink protection

Now let's implement hotlink protection in ASP.NET Core to protect our application's files. We do it with ASP.NET Core middleware: every incoming request passes through it, and the middleware checks whether the request originated from our own application.

Let's create the hotlink-prevention middleware:

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

public class HotlinkingPreventionMiddleware
{
    private readonly string _wwwrootFolder;
    private readonly RequestDelegate _next;

    public HotlinkingPreventionMiddleware(RequestDelegate next, IHostingEnvironment env)
    {
        _wwwrootFolder = env.WebRootPath;
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // Origin of this application, e.g. "https://www.example.com". A Referer that
        // does not start with it is treated as a foreign page embedding our resource.
        var applicationUrl = $"{context.Request.Scheme}://{context.Request.Host.Value}";
        var headersDictionary = context.Request.Headers;
        var urlReferrer = headersDictionary[HeaderNames.Referer].ToString();

        // An empty Referer (direct navigation, or a browser that suppressed the header)
        // is let through; only a non-empty, foreign Referer is answered with the placeholder.
        if (!string.IsNullOrEmpty(urlReferrer) && !urlReferrer.StartsWith(applicationUrl))
        {
            var unauthorizedImagePath = Path.Combine(_wwwrootFolder, "Images/unauthorized.png");
            context.Response.ContentType = "image/png";
            await context.Response.SendFileAsync(unauthorizedImagePath);
            return; // short-circuit: the rest of the pipeline must not also serve the real file
        }

        await _next(context);
    }
}
```

As this middleware shows, the request object in ASP.NET Core does not expose a Referrer property; to get the Referer you have to read it from the request headers (HeaderNames.Referer). Note also that urlReferrer.StartsWith(applicationUrl) is only a string-prefix test: a Referer such as https://www.example.com.attacker.net/ also starts with https://www.example.com, so a stricter check should parse the Referer and compare its host with the request host.

An IApplicationBuilder extension method is normally added as well:

```csharp
using Microsoft.AspNetCore.Builder;

public static class BuilderExtensions
{
    public static IApplicationBuilder UseHotlinkingPreventionMiddleware(this IApplicationBuilder app)
    {
        return app.UseMiddleware<HotlinkingPreventionMiddleware>();
    }
}
```

Finally, to use it, call the extension method above in the Configure function:

```csharp
app.UseHotlinkingPreventionMiddleware();
```

Third, does it really prevent hotlinking?

How is this protection broken? Because the check only looks at the Referer, a client can simply present a Referer that points at the protected site itself, for example by first loading a page on the target site and then requesting the image from there, so that the Referer the server sees is its own address. Many tools make this trivial; mature web testing packages such as HtmlUnit let you set the Referer of a request directly.

If the page that steals the image is served over HTTPS and the image link is plain HTTP, the browser omits the Referer on that HTTPS-to-HTTP request (its referrer policy does not leak a secure URL to an insecure destination), so the request arrives with an empty Referer and passes the check above. A page can also suppress the header explicitly with a Referrer-Policy of no-referrer, with the same effect.
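The cases discussed in this section are easiest to see side by side. The block below is an added example, not code from the article or its repository: it re-implements the middleware's Referer decision in Python (naive_allows, the same string-prefix rule as the C# above) next to a stricter origin comparison (hardened_allows), and runs both over constructed Referer values. The hostnames www.example.com and thief.example are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed origin of the protected site (hypothetical; stands in for
# $"{Request.Scheme}://{Request.Host.Value}" computed by the middleware).
APP_ORIGIN = "https://www.example.com"


def naive_allows(referer: str, app_origin: str = APP_ORIGIN) -> bool:
    """The article's rule: pass if the Referer is empty or starts with scheme://host."""
    return referer == "" or referer.startswith(app_origin)


def _origin_of(url: str):
    """Return (scheme, host, port) of a URL, or None if it cannot be parsed."""
    try:
        u = urlsplit(url)
        if not u.scheme or not u.hostname:
            return None
        return u.scheme.lower(), u.hostname.lower(), u.port
    except ValueError:  # e.g. a non-numeric port
        return None


def hardened_allows(referer: str, app_origin: str = APP_ORIGIN,
                    allow_empty: bool = True) -> bool:
    """Stricter rule: parse the Referer and compare its whole origin with ours.

    allow_empty controls the missing-Referer case. Denying it closes the
    downgrade / no-referrer bypass, but also blocks direct navigation and
    privacy-conscious browsers, so it is a trade-off rather than a free win.
    """
    if referer == "":
        return allow_empty
    ref, app = _origin_of(referer), _origin_of(app_origin)
    return ref is not None and ref == app


# Constructed scenarios: (description, Referer value as received by the server).
SCENARIOS = [
    ("own page embedding the image", "https://www.example.com/gallery"),
    ("foreign page hotlinking", "https://thief.example/post.html"),
    ("foreign host whose name merely begins with ours",
     "https://www.example.com.thief.example/p"),
    ("userinfo trick: 'www.example.com@' is a username, the host is thief.example",
     "https://www.example.com@thief.example/"),
    ("forged Referer sent by a script such as HtmlUnit", "https://www.example.com/"),
    ("HTTPS page linking to an HTTP image: browser drops the Referer", ""),
    ("foreign page served with Referrer-Policy: no-referrer", ""),
]


def evaluate(scenarios=SCENARIOS):
    """Run both checks over the scenarios; returns (description, naive, hardened) rows."""
    return [(desc, naive_allows(ref), hardened_allows(ref)) for desc, ref in scenarios]


if __name__ == "__main__":
    print("naive / hardened  scenario")
    for desc, naive, hard in evaluate():
        print(f"{'allow' if naive else 'BLOCK':5} / {'allow' if hard else 'BLOCK':8}  {desc}")
```

The table the script prints makes the point of this section concrete: origin parsing fixes the two look-alike-host cases that the prefix test lets through, but neither variant can tell a forged Referer from a genuine one, and both must choose between letting empty Referers through (and with them the downgrade and no-referrer bypasses) or blocking legitimate direct visitors.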

In the end, a Referer check only helps to a degree and cannot stop every attack; for production use, a mature server-side solution such as Nginx (its referer module, valid_referers) is preferable.

GitHub: HTTPS://GITHUB.COM/MAXZHANG1985/YOYOFX. If you find it useful, a Star is welcome, and feel free to get in touch.

. NET Core Open Source Learning Group: 214741894

