I was once faced with the issue of enforcing copyright on different files on a website. That meant that images and dynamically created XML files had to be blocked if accessed from outside the website. So, I had to find a way to prevent other websites from linking to or referencing these files. Copyright or not, it is a good idea to do it on dynamically created files such as charts, because they take a lot of computer power to generate.

That resulted in an HttpModule that stops all requests coming from outside the website to a custom list of files. The module decides where a request comes from by looking at its Referer header (Request.UrlReferrer), which the client supplies. If your images are inserted into an <img> tag on another domain, they will be blocked. The list can use wildcards so you can stop all files of a certain type as well. It could look like this: *.gif|*.jpg|image.ashx.

Below are the two methods of the module that stop the illegal requests.

// Requires: using System; using System.Configuration;
//           using System.Text.RegularExpressions; using System.Web;

private void context_BeginRequest(object sender, EventArgs e)
{
 HttpContext context = ((HttpApplication)sender).Context;
 // Do nothing if the request is legal
 if (RequestIsLegal(context))
  return;

 // Accessed directly (no Referer header was sent)
 if (context.Request.UrlReferrer == null)
 {
  context.Response.Write("Access denied");
  context.Response.End();
  return; // never dereference a null UrlReferrer below
 }

 // Linked to or embedded into another domain
 if (context.Request.UrlReferrer.Host != context.Request.Url.Host)
 {
  context.Response.Write("Access denied");
  context.Response.End();
 }
}

private bool RequestIsLegal(HttpContext context)
{
 string mappings = ConfigurationManager.AppSettings["BlockMapping"];
 // No mappings configured: nothing is blocked
 if (String.IsNullOrEmpty(mappings))
  return true;

 string fileName = context.Request.PhysicalPath;

 foreach (string map in mappings.Split('|'))
 {
  // Escape the mapping first, then turn the escaped wildcard into ".*"
  // and anchor the pattern at the end of the physical path
  string pattern = Regex.Escape(map).Replace("\\*", ".*") + "$";
  if (Regex.IsMatch(fileName, pattern, RegexOptions.IgnoreCase))
   return false;
 }

 return true;
}

The method RequestIsLegal uses regular expressions to determine if the requested file matches the mappings in the web.config.

Implementation

Download the ExternalAccessModule.cs below and put it in the App_Code folder. Then add the following lines to the web.config’s <system.web> section.

<httpModules>
 <add type="ExternalAccessModule" name="ExternalAccessModule"/>
</httpModules>

And last, add the mappings to the AppSettings of the web.config. Modify it to match your own files.

<add key="BlockMapping" value="*.gif|*.jpg|image.ashx"/>

Download

ExternalAccessModule.zip (,85 KB)

In many cases we write our ASP.NET logic around query strings in order to show the right product page or what not. The first thing we do is to check if the query string exists in the first place before we start using it. It could look like this:

if (Request.QueryString["id"] != null)
{
  // Do something with the querystring
}

The only problem with the null check above is that it doesn’t take into consideration whether the query string is filled or not. That could lead to unhandled exceptions in the code. Instead we should check for query strings like this:

if (!String.IsNullOrEmpty(Request.QueryString["id"]))
{
  // Do something with the querystring
}

Then there is the data type of the query string. Our code might need an integer of 5 digits to get the right information from the database, so if we pass it a string we could end up with a data type mismatch exception. So we do the check again more thoroughly:

if (!String.IsNullOrEmpty(Request.QueryString["id"]) && Request.QueryString["id"].Length == 5)
{
  // Do something with the querystring
}

Now we know that we get a query string suitable for further processing. You can then do more precise data type checks using the TryParse method of most value types or by some other logic.
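The length check above accepts any five characters, so as an added example (not code from the original post), here is one way to finish the validation with TryParse and see which values survive it. The names QueryStringId and TryGetId and the sample query strings are assumptions made up for the illustration.

```csharp
using System;
using System.Globalization;
using System.Web; // HttpUtility.ParseQueryString

public static class QueryStringId
{
    // Hypothetical helper: accepts only a value of exactly five digits
    // and converts it to an int.
    public static bool TryGetId(string raw, out int id)
    {
        id = 0;
        if (String.IsNullOrEmpty(raw) || raw.Length != 5)
            return false;

        // NumberStyles.None allows digits only: no sign, no whitespace,
        // no thousands separator, no exponent. The default overload
        // int.TryParse(string, out int) would accept " 1234" and "-1234".
        return Int32.TryParse(raw, NumberStyles.None,
                              CultureInfo.InvariantCulture, out id);
    }

    public static void Main()
    {
        // Constructed sample query strings, not taken from a real site.
        string[] samples =
        {
            "id=12345",    // five digits
            "id=abcde",    // five characters, not a number
            "id=-1234",    // sign plus four digits
            "id=%201234",  // leading space after URL decoding
            "id=12&id=34", // repeated key: the collection returns "12,34"
            "id=",         // key present but empty
            "page=2"       // key missing
        };

        foreach (string query in samples)
        {
            // Same lookup shape as Request.QueryString["id"]
            string raw = HttpUtility.ParseQueryString(query)["id"];
            int id;
            bool ok = TryGetId(raw, out id);
            Console.WriteLine("{0,-12} raw={1,-9} accepted={2} id={3}",
                query, raw == null ? "(null)" : "\"" + raw + "\"", ok, id);
        }
    }
}
```

Every sample except the missing and empty ones passes the Length == 5 test, but only the first is accepted once the value is parsed as digits.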