1. Security tasks

Protect media requests

Version:

Applies to

All core roles

Sitecore Installation Framework

Media requests are not protected by default.

Azure Toolkit

Media requests are not protected by default.

The media request protection feature restricts media URLs that contain dynamic image-scaling parameters so that only server-generated requests are processed. This ensures that the server only spends resources and disk space on valid image-scaling requests.

You can make your solution even more secure and use the Sitecore media request protection feature optimally if you patch the Sitecore.Media.RequestProtection.config file.

To optimize the media request protection feature:

  1. In the App_Config\Include\ folder, create a patch file named, for example, MediaRequestProtectionSecret.config.

  2. Insert the following code:

    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <!--  MEDIA - REQUEST PROTECTION - SHARED SECRET

            Specifies the shared secret to use as a salt when generating hash values.
            You should change the shared secret to a random string and not use the
            default value.

            In a multi-instance setup, use the same value for 
            Media.RequestProtection.SharedSecret on every instance. Otherwise, dynamic 
            image signing will not work correctly if the image URL is generated by one 
            instance and the request is handled by a different instance.
            Allowed characters include:

            abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_+-|\.,#^)(;

            Please create a lengthy string of at least 64 characters or more.
      -->        
      <setting
        name="Media.RequestProtection.SharedSecret"
        value="YourRandomGeneratedString"/>
    </settings>
  </sitecore>
</configuration>

  3. Save the patch file.

Note

In a multi-server setup, you must use the same value for the Media.RequestProtection.SharedSecret setting on every server. This ensures that dynamic image scaling works correctly in situations where one server generates the image URL and another handles the request.

If you have suggestions for improving this article, let us know!