Secure Your ASP.NET Core Application From Image Hotlinking

Aug 21, 2016
Posted in #Security  #Hotlinking 

What is Hotlinking?

Hotlinking is linking directly to images on one site from another site without the permission of the website's owner. Hotlinked images have a side effect on your site: they increase the server load and use your server's bandwidth.

Prevent Hotlinking

Now let us use the power of ASP.NET Core 1.0 to protect our applications from hotlinking. We need some sort of handler that listens to all incoming requests and checks whether the files are requested from our application or not. This can be done easily with middleware: we plug in a new middleware that performs those checks and integrate it with the other middleware our application needs in the same pipeline.

Let us build our middleware, named HotlinkingPreventionMiddleware, as follows:

using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

public class HotlinkingPreventionMiddleware
{
    private readonly string _wwwrootFolder;
    private readonly RequestDelegate _next;

    public HotlinkingPreventionMiddleware(RequestDelegate next, IHostingEnvironment env)
    {
        _wwwrootFolder = env.WebRootPath;
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        var applicationUrl = $"{context.Request.Scheme}://{context.Request.Host.Value}";
        var headersDictionary = context.Request.Headers;
        var urlReferrer = headersDictionary[HeaderNames.Referer].ToString();

        // A Referer that does not start with our own scheme and host means another site embedded the file.
        if (!string.IsNullOrEmpty(urlReferrer) && !urlReferrer.StartsWith(applicationUrl))
        {
            var unauthorizedImagePath = Path.Combine(_wwwrootFolder, "Images/Unauthorized.png");
            await context.Response.SendFileAsync(unauthorizedImagePath);
            return; // the response is complete; do not run the rest of the pipeline
        }

        await _next(context);
    }
}

The above middleware simply looks at the Referer header to identify the origin of the request. ASP.NET Core 1.0 doesn't expose UrlReferrer directly on the Request object as previous versions of ASP.NET did, so we get its value from the Headers collection. If the request doesn't come from the application host we could simply redirect the user to an unauthorized page, but in the implementation above I send an unauthorized image, so the visitors of the other site's page will notice that its owner stole or used an image from another website without the owner's permission.
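The prefix comparison in the middleware above accepts any Referer that merely begins with the application URL, and it runs for every request rather than only for images. The following is an added example, not code from this post or its repository: a hypothetical helper, HotlinkCheck.IsHotlink, that limits the check to an assumed list of image extensions and compares the Referer's scheme and authority as whole components. The host names in Main are constructed sample values.

```csharp
using System;
using System.IO;
using System.Linq;

public static class HotlinkCheck
{
    // Assumption: the file types to protect; adjust to what the site serves.
    private static readonly string[] ImageExtensions = { ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp" };

    // scheme and host are what the middleware reads from context.Request.Scheme
    // and context.Request.Host.Value.
    public static bool IsHotlink(string requestPath, string referer, string scheme, string host)
    {
        // Only image requests are candidates; pages, scripts and styles pass through.
        var extension = Path.GetExtension(requestPath ?? string.Empty);
        if (!ImageExtensions.Contains(extension, StringComparer.OrdinalIgnoreCase))
            return false;

        // No Referer (direct visit, privacy settings): allowed, as in the middleware above.
        if (string.IsNullOrEmpty(referer))
            return false;

        // A Referer that is not an absolute URL cannot be ours.
        Uri refererUri;
        if (!Uri.TryCreate(referer, UriKind.Absolute, out refererUri))
            return true;

        // Compare scheme and authority as whole components instead of as a string prefix.
        var sameSite = string.Equals(refererUri.Scheme, scheme, StringComparison.OrdinalIgnoreCase)
                    && string.Equals(refererUri.Authority, host, StringComparison.OrdinalIgnoreCase);
        return !sameSite;
    }

    public static void Main()
    {
        // Constructed sample requests: request path, Referer header value.
        var samples = new[]
        {
            new[] { "/Images/logo.png", "https://example.com/about" },
            new[] { "/Images/logo.png", "https://example.com.other.test/post" },
            new[] { "/Images/logo.png", "" },
            new[] { "/", "https://other.test/" },
        };
        foreach (var s in samples)
            Console.WriteLine($"{s[0]} <- '{s[1]}': hotlink = {IsHotlink(s[0], s[1], "https", "example.com")}");
    }
}
```

In Invoke, the condition would become HotlinkCheck.IsHotlink(context.Request.Path.Value, urlReferrer, context.Request.Scheme, context.Request.Host.Value).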

Last but not least, I wrote a very straightforward extension method, like the ones in almost all ASP.NET repositories, so that we can use our middleware via IApplicationBuilder.

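using Microsoft.AspNetCore.Builder;
public static class BuilderExtensions
{
    public static IApplicationBuilder UseHotlinkingPreventionMiddleware(this IApplicationBuilder app)
        => app.UseMiddleware<HotlinkingPreventionMiddleware>(); // register the middleware type
}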

Finally, we can use it in the Configure method as follows:


You can download the source code for this post from my HotlinkingPrevention repository on GitHub.



Nick (8/31/2016 7:25:30 AM)

This code is wrong!
There is no check whether we request an image or not.
If we request the home page, the middleware will return "Images/Unauthorized.png"

Hisham Bin Ateya (8/31/2016 10:40:18 PM)

@Nick I missed the image check while I was testing the hotlinking for images, styles, etc. Now it's fixed. Regarding the home page, it is working as expected, please check it again.
Thanks
