HttpModule to block external referrers in ASP.NET

by Mads Kristensen 14. February 2007 19:54

I was once faced with the issue of enforcing copyright on different files on a website. That meant that images and dynamically created XML files had to be blocked if accessed from outside the website. So, I had to find a way to prevent other websites from linking to or referencing these files. Copyright or not, it is a good idea to do it on dynamically created files such as charts, because they take a lot of computing power to generate.

That resulted in an HttpModule that stops all requests coming from outside the website to a custom list of files. If your images are inserted into an <img> tag on another domain, they will be blocked. The list can use wildcards so you can stop all files of a certain type as well. It could look like this: *.gif|*.jpg|image.ashx

Below are the two methods of the module that stop the illegal requests.

// Required at the top of the file:
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using System.Web;

private void context_BeginRequest(object sender, EventArgs e)
{
 HttpContext context = ((HttpApplication)sender).Context;

 // Do nothing if the requested file is not on the block list
 if (RequestIsLegal(context))
  return;

 // Accessed directly (no referrer was sent)
 if (context.Request.UrlReferrer == null)
 {
  context.Response.Write("Access denied");
  context.Response.End();
 }

 // Linked to or embedded into another domain
 if (context.Request.UrlReferrer.Host != context.Request.Url.Host)
 {
  context.Response.Write("Access denied");
  context.Response.End();
 }
}

private bool RequestIsLegal(HttpContext context)
{
 string mappings = ConfigurationManager.AppSettings["BlockMapping"];
 string fileName = context.Request.PhysicalPath;

 // No mappings configured means nothing is blocked
 if (string.IsNullOrEmpty(mappings))
  return true;

 foreach (string map in mappings.Split('|'))
 {
  // Escape the mapping first so "." stays literal, then turn "*" into ".*"
  // and anchor the pattern to the end of the physical path
  string cleaned = Regex.Escape(map).Replace("\\*", ".*") + "$";
  if (Regex.IsMatch(fileName, cleaned, RegexOptions.IgnoreCase))
   return false;
 }

 return true;
}

The method RequestIsLegal uses regular expressions to determine if the requested file matches the mappings in the web.config.
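The blocking decision made by the two methods above, as a stand-alone console program that can be run against sample requests. This is an added example, not the code from ExternalAccessModule.cs: HotlinkCheck, Matches, IsProtected, Decide and all paths, hosts and referrers are constructed for illustration, and it goes slightly further than the post by tying literal names such as image.ashx to the file name itself.

```csharp
using System;
using System.Text.RegularExpressions;

static class HotlinkCheck // hypothetical name, not part of ExternalAccessModule.cs
{
    // "*.gif" -> regex: escape first so "." stays literal, then let "*" mean "anything".
    // The separator prefix and "$" keep "image.ashx" from also matching "myimage.ashx".
    static bool Matches(string path, string wildcard)
    {
        string body = Regex.Escape(wildcard.Trim()).Replace("\\*", ".*");
        return Regex.IsMatch(path, @"(^|[\\/])" + body + "$", RegexOptions.IgnoreCase);
    }

    static bool IsProtected(string path, string mappings)
    {
        if (string.IsNullOrEmpty(mappings)) return false; // key missing: protect nothing
        foreach (string map in mappings.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries))
            if (Matches(path, map)) return true;
        return false;
    }

    // The Referer header is set by the client, so this discourages hotlinking;
    // it does not authenticate the caller.
    static string Decide(string path, Uri url, Uri referrer, string mappings)
    {
        if (!IsProtected(path, mappings)) return "allow (not on the list)";
        if (referrer == null) return "block (no referrer)";
        return string.Equals(referrer.Host, url.Host, StringComparison.OrdinalIgnoreCase)
            ? "allow (same host)" : "block (external referrer)";
    }

    static void Main()
    {
        const string mappings = "*.gif|*.jpg|image.ashx";  // value from the post
        var url = new Uri("http://www.example.com/");       // constructed site URL
        string[][] cases = {                                 // constructed: path, referrer
            new[] { @"C:\site\chart.gif",    "http://www.example.com/report.aspx" },
            new[] { @"C:\site\chart.gif",    "http://other.example.net/page.html" },
            new[] { @"C:\site\image.ashx",   null },  // direct hit, or Referer stripped by a privacy tool
            new[] { @"C:\site\myimage.ashx", null },  // different handler, not on the list
            new[] { @"C:\site\default.aspx", "http://other.example.net/page.html" },
        };
        foreach (string[] c in cases)
        {
            Uri referrer = c[1] == null ? null : new Uri(c[1]);
            Console.WriteLine("{0,-24} {1}", c[0], Decide(c[0], url, referrer, mappings));
        }
    }
}
```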

Implementation

Download the ExternalAccessModule.cs below and put it in the App_Code folder. Then add the following lines to the web.config’s <system.web> section.

<httpModules>
 <add type="ExternalAccessModule" name="ExternalAccessModule"/>
</httpModules>

And last, add the mappings to the AppSettings of the web.config. Modify it to match your own files.

<add key="BlockMapping" value="*.gif|*.jpg|image.ashx"/>

Download

ExternalAccessModule.zip (,85 KB)

Comments

2/15/2007 11:43:43 AM #

 Bruno 'Shine' Figueiredo

Hi Mads.
I have one question: For this to work properly with the images, the IIS must be configured to map the *.gif or the *.jpg to the aspnet_isapi.dll for the BeginRequest to kick, right?

Another thing: You could change the "Access denied" response to a Response.StatusCode = 401 (401 Unauthorized).

Bruno 'Shine' Figueiredo |

2/15/2007 11:47:00 AM #

Mads Kristensen

Yes, the IIS has to map .gif and .jpg to the asp.net engine for it to work. That's why I showed how to block an .ashx instead.

Good idea about the status code.

Mads Kristensen |

10/26/2007 1:28:16 PM #

Bob

Hey Mads,

love the blog.
Remember that a number of internet security products (like Norton Internet Security) have options to prevent sending "sensitive" data. Apparently the URLReferrer is one of them. Someone browsing your site and trying to access the ashx will be denied.
Just a thought.

Bob Netherlands |
