With IIS 7 it is now easier than ever to customize the inner workings of ASP.NET applications using only the web.config. It is possible to remove all the features but the ones the specific application uses. In other words, we are able to lock down our applications and only turn on the features we need. The reason to do this is to reduce the attack surface of the application as well as to stay in total control all the way from IIS into the ASP.NET application.

The attack surface is reduced when we turn off unneeded features, since there are fewer ways to access the application. From a security perspective this is desirable. Since we turn off features, we also know exactly what our application can and cannot do. This gives us control and also reduces the overhead of those unneeded features.

The features we can control in the web.config come in the form of modules and handlers. In the <system.webServer> config section below, you’ll see a totally locked down application. All default managed modules have been removed and only two handlers remain. The two handlers let you serve .aspx pages and static files such as images and stylesheets.

<system.webServer>
 <modules runAllManagedModulesForAllRequests="true">
  <remove name="Profile" />
  <remove name="Session" />
  <remove name="RoleManager" />
  <remove name="FormsAuthentication" />
  <remove name="WindowsAuthentication" />
  <remove name="DefaultAuthentication" />
  <remove name="AnonymousIdentification" />
  <remove name="OutputCache" />
  <remove name="UrlAuthorization" />
  <remove name="FileAuthorization" />
  <remove name="UrlMappingsModule" />
 </modules>
 
 <handlers>
  <clear />
  <add name="PageHandlerFactory" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" />
  <!-- Add custom handlers here -->
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
 </handlers>
</system.webServer>

If you want to register your own handlers, remember to add them above the StaticFile handler. To allow some modules such as the Session module, just delete the line <remove name="Session" /> and it will automatically be added. Use the IIS Manager to see all the handlers and modules that are available.
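A lockdown like this tends to drift as the application changes, so it is worth checking in a build step. The following is an added example, not code from the original post: a small Python audit that reports which of the managed modules listed above are still enabled and whether any handler is registered after StaticFile. The function name `audit_web_config`, the `allowed_modules` parameter and the sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Managed modules that the locked-down config in this post removes.
DEFAULT_MANAGED_MODULES = [
    "Profile", "Session", "RoleManager", "FormsAuthentication",
    "WindowsAuthentication", "DefaultAuthentication", "AnonymousIdentification",
    "OutputCache", "UrlAuthorization", "FileAuthorization", "UrlMappingsModule",
]

def audit_web_config(xml_text, allowed_modules=()):
    """Return a list of findings for the <system.webServer> section."""
    root = ET.fromstring(xml_text)
    # Accept either a full <configuration> document or the bare section.
    ws = root if root.tag == "system.webServer" else root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section: IIS defaults apply"]
    findings = []
    # Every default module must be removed unless it is explicitly allowed.
    modules = ws.find("modules")
    removed = set()
    if modules is not None:
        removed = {m.get("name") for m in modules.findall("remove")}
    for name in DEFAULT_MANAGED_MODULES:
        if name not in removed and name not in allowed_modules:
            findings.append(f"module still enabled: {name}")
    # Handlers must start from <clear /> and keep the catch-all StaticFile last.
    handlers = ws.find("handlers")
    children = list(handlers) if handlers is not None else []
    if not children or children[0].tag != "clear":
        findings.append("handlers: inherited handlers not cleared")
    names = [h.get("name") for h in children if h.tag == "add"]
    if "StaticFile" in names and names[-1] != "StaticFile":
        later = names[names.index("StaticFile") + 1:]
        findings.append("handlers registered after StaticFile: " + ", ".join(later))
    return findings

# Constructed sample: most modules left enabled, one handler misplaced.
SAMPLE = """<system.webServer>
 <modules><remove name="Profile" /><remove name="RoleManager" /></modules>
 <handlers>
  <clear />
  <add name="StaticFile" path="*" verb="*" />
  <add name="Feed" path="*.rss" verb="GET" type="Example.FeedHandler" />
 </handlers>
</system.webServer>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE, allowed_modules=("Session",)):
        print(finding)
```

Pass the modules the application really needs in `allowed_modules` so that only unintended ones are reported.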

A couple of weeks ago I released an online TV guide for Danish viewers called ifjernsyn.dk. The goal was to make a very simple overview that could easily be accessed from a mobile phone and customized by any visitor without any login. The purpose was to always know what’s on the air right now and what programs will shortly follow – and of course to keep it simple.

Since the release, some people have asked me about how I did some of the things and one of the most frequently asked questions was how to find movie posters for all the movies. Apparently, people are interested in finding movie posters for their own pet projects involving their own media collection or even a media center plug-in.

The code

With only the name of a movie, the code will search the Yahoo image search API and return a thumbnail of the poster. The API returns an XML document with both the thumbnail and the full image, so to get the full image you should just change the XPath navigation.

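// Requires: using System.Web; using System.Xml.XPath;
private const string LINK = "http://search.yahooapis.com/ImageSearchService/V1/imageSearch?appid=YahooDemo&query={0} movie&results=1";

public static string FindMoviePoster(string title)
{
  // URL-encode the title before placing it in the query string.
  string url = string.Format(LINK, HttpUtility.UrlEncode(title));

  // Load the XML response and move to the first child of the first result.
  XPathDocument xd = new XPathDocument(url);
  XPathNavigator navigator = xd.CreateNavigator();
  navigator.MoveToFollowing(XPathNodeType.Element);
  navigator.MoveToFirstChild();
  navigator.MoveToFirstChild();

  // Walk the sibling elements until the Thumbnail element is found.
  do
  {
    if (navigator.LocalName == "Thumbnail")
    {
      // The first child of Thumbnail holds the image URL.
      navigator.MoveToFirstChild();
      return navigator.Value;
    }
  } while (navigator.MoveToNext());

  // No thumbnail in the response.
  return null;
}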

The implementation

To use the method above in your own web page, simply pass a movie title to the method and the image URL is returned. It could look like this:

string posterUrl = FindMoviePoster("independence day");
if (!string.IsNullOrEmpty(posterUrl))
{
  imgPoster.ImageUrl = posterUrl;
}

The reason to use the Yahoo API is that it provides the thumbnails as well as the full image.