Protect media requests
| Applies to | All core roles |
|---|---|
| Sitecore Installation Framework | Media requests are not protected by default. |
| Azure Toolkit | Media requests are not protected by default. |

The media request protection feature restricts media URLs that contain dynamic image-scaling parameters so that only server-generated requests are processed. This ensures that the server only spends resources and disk space on valid image-scaling requests.
You can make your solution even more secure and use the Sitecore media request protection feature optimally if you patch the Sitecore.Media.RequestProtection.config file.
To optimize the media request protection feature:
- In the App_Config\Include\ folder, create a patch file named, for example, MediaRequestProtectionSecret.config.
- Insert the following code:

      <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
        <sitecore>
          <settings>
            <!--  MEDIA - REQUEST PROTECTION - SHARED SECRET
                  Specifies the shared secret to use as a salt when generating hash values.
                  You should change the shared secret to a random string and not use the default value.
                  In a multi-instance setup, use the same value for Media.RequestProtection.SharedSecret
                  on every instance. Otherwise, dynamic image signing will not work correctly if the
                  image URL is generated by one instance and the request is handled by a different instance.
                  Allowed characters include:
                  abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_+-|\.,#^)(;
                  Please create a lengthy string of at least 64 characters or more.
            -->
            <setting name="Media.RequestProtection.SharedSecret" value="YourRandomGeneratedString"/>
          </settings>
        </sitecore>
      </configuration>

- Save the patch file.

In a multi-server setup, you must use the same value for the Media.RequestProtection.SharedSecret setting on every server. This ensures that dynamic image scaling works correctly in situations where one server generates the image URL and another handles the request.
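
One way to carry out the steps above, as an added PowerShell example (not Sitecore's own code): it draws a secret from the allowed character set with a cryptographic random number generator, writes the patch file, and checks a deployed file for the placeholder value, a short length or disallowed characters. The function names and the temporary demo path are assumptions; the character set, the 64-character minimum and the placeholder value come from the configuration comment on this page.

```powershell
# Added example, not Sitecore code. Character set and 64-character minimum are taken
# from the config comment on this page; function names are hypothetical.
$Allowed = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_+-|\.,#^)(;'
$Name    = 'Media.RequestProtection.SharedSecret'
function New-MediaSharedSecret([int]$Length = 64) {
    if ($Length -lt 64) { throw 'Use at least 64 characters.' }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $Allowed.Length)   # reject bytes >= limit to avoid modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($Allowed[$buf[0] % $Allowed.Length]) }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

function Write-MediaSecretPatch([string]$Path, [string]$Secret) {
    $xml = @"
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore><settings>
    <setting name="$Name" value="$Secret"/>
  </settings></sitecore>
</configuration>
"@
    Set-Content -LiteralPath $Path -Value $xml -Encoding UTF8
}

function Test-MediaSharedSecret([string]$Path) {
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $node = $doc.SelectSingleNode("//setting[@name='$Name']")
    if (-not $node) { throw "Setting $Name not found in $Path" }
    $value = $node.GetAttribute('value'); $problems = @()
    if ($value -ceq 'YourRandomGeneratedString') { $problems += 'placeholder value still in use' }
    if ($value.Length -lt 64) { $problems += "only $($value.Length) characters" }
    if ($value.ToCharArray() | Where-Object { $Allowed.IndexOf($_) -lt 0 }) { $problems += 'character outside the allowed set' }
    # Truncated SHA-256 lets you compare instances without printing the secret itself.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($value)); $sha.Dispose()
    [pscustomobject]@{ Path = $Path; Problems = $problems
        Fingerprint = ([System.BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16) }
}

# Demo on a temporary file (constructed path); deploy the same file to every instance.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'MediaRequestProtectionSecret.config'
Write-MediaSecretPatch -Path $demo -Secret (New-MediaSharedSecret)
Test-MediaSharedSecret -Path $demo
```

Running `Test-MediaSharedSecret` against the patch file on each server and comparing the `Fingerprint` values confirms that every instance holds the same secret.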