Asp.Net Core uses middleware to prevent image hotlinking

1. Principle

To achieve anti-hotlinking, we must first understand the implementation principle of hotlinking. When it comes to the implementation principle of anti-hotlinking, we have to start with the HTTP protocol. In the HTTP protocol, there are A header field is called referer, which uses URL format to indicate where to link to the current web page or file. In other words, through the referer, the website can detect the source webpage visited by the target webpage, and if it is a resource file, it can track the webpage address that displays it. With the referer tracking the source, it is easier to handle. At this time, it can be processed through technical means. Once it is detected that the source is not this site, it will be blocked or returned to the specified page. If you want to protect your website from hotlinking, you need to treat different situations differently.

If the website server uses apache, then using the Url Rewrite function that comes with apache can easily prevent various hot links. The principle is to check the refer. If the refer information comes from other websites, Redirect to a specified image or web page.

If the server uses IIS, you need to use a third-party plug-in to implement the anti-hotlink function. A commonly used product now is called ISAPI_Rewrite, which can implement the anti-hotlink function similar to apache. In addition, forums can also use the "login verification" method to prevent hot links.

2. Implement anti-hotlinking

Now let us implement anti-hotlinking technology in ASP.NET Core to protect our applications and site files. This requires using the middleware technology in ASP.NET Core to monitor and process all incoming requests and check whether these requests come from our application.

Let us create this anti-hotlink middleware program:

public class HotlinkingPreventionMiddleware
{
  private readonly string _wwwrootFolder;
  private readonly RequestDelegate _next;
 
  public HotlinkingPreventionMiddleware(RequestDelegate next, IHostingEnvironment env)
  {
    _wwwrootFolder = envWebRootPath;
    _next = next;
  }
 
  public async Task Invoke(HttpContext context)
  {
    var applicationUrl = $"{contextRequestScheme}://{contextRequestHostValue}";
    var headersDictionary = contextRequestHeaders;
    var urlReferrer = headersDictionary[HeaderNamesReferer]ToString();
 
    if(!stringIsNullOrEmpty(urlReferrer) && !urlReferrerStartsWith(applicationUrl))
    {
      var unauthorizedImagePath = PathCombine(_wwwrootFolder,"Images/Unauthorizedpng");
         
      await contextResponseSendFileAsync(unauthorizedImagePath);
    }
       
    await _next(context);
  }
}

In this middleware we can see ASP.NET Core The Request object in does not encapsulate the Referrer. If you want to obtain the Referrer, you must access it through HTTP headers.

Generally, there is an IApplicationBuilder extension:

public static class BuilderExtensions
{
  public static IApplicationBuilder UseHotlinkingPreventionMiddleware(this IApplicationBuilder app)
  {
    return appUseMiddleware();
  }
}

Finally, to use it, you only need to call the above extension function in the Configure function.

app.UseHotlinkingPreventionMiddleware();

3. Can it really be defended?

How to break through anti-leeching? As for the way to check the refer, you can first enter another page of the destination address in the page middleware and then go to the destination page. In this way, the refer of the page is the destination site's own. In this way, a breakthrough is achieved. There are many tools that can be used in this regard, especially mature web project test packages, such as HtmlUnit. It is possible to set refer directly in the request.

If the stolen website uses the https protocol and the image link is http, the request initiated from https to http will not include a referer due to security regulations, thereby bypassing anti-hotlinking.

Finally, I can only say that this method can only defend to a certain extent, and it is impossible to eliminate all attacks. It is still recommended to use mature server application solutions, such as Nginx.

The above is the entire content of this article. I hope it will be helpful to everyone's learning. I also hope that everyone will support the PHP Chinese website.

For more related articles on Asp.Net Core’s use of middleware to prevent image hotlinking, please pay attention to the PHP Chinese website!