Protect media requests

Abstract

How to make sure that your Sitecore server only responds to valid image-scaling requests.

Applies to

All core roles

Sitecore Installation Framework

Media requests are not protected by default.

Azure Toolkit

Media requests are not protected by default.

The media request protection feature restricts media URLs that contain dynamic image-scaling parameters so that only server-generated requests are processed. This ensures that the server only spends resources and disk space on valid image-scaling requests.

You can make your solution even more secure and use the Sitecore media request protection feature optimally if you patch the Sitecore.Media.RequestProtection.config file.

To optimize the media request protection feature:

  1. In the App_Config\Include\ folder, create a patch file named, for example, MediaRequestProtectionSecret.config.

  2. Insert the following code:

    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
      <sitecore>
        <settings>
          <!--  MEDIA - REQUEST PROTECTION - SHARED SECRET
    
                Specifies the shared secret to use as a salt when generating hash values.
                You should change the shared secret to a random string and not use the
                default value.
    
                In a multi-instance setup, use the same value for 
                Media.RequestProtection.SharedSecret on every instance. Otherwise, dynamic 
                image signing will not work correctly if the image URL is generated by one 
                instance and the request is handled by a different instance.
                Allowed characters include:
    
                abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_+-|\.,#^)(;
    
                Please create a lengthy string of at least 64 characters or more.
          -->        
          <setting
            name="Media.RequestProtection.SharedSecret"
            value="YourRandomGeneratedString"/>
        </settings>
      </sitecore>
    </configuration>
  3. Save the patch file.

Note

In a multi-server setup, you must use the same value for the Media.RequestProtection.SharedSecret setting on every server. This ensures that dynamic image scaling works correctly in situations where one server generates the image URL and another handles the request.