how to use Sec-Fetch-Site request header in a condition of IIS Rewrite rule


I want to restrict access to some resources hosted on my IIS web site.

More specifically, I want these resources, such as images or html files, to be viewable only within or from a page hosted on exactly the same domain and server. No direct access, not embeddable in other sites, not linkable from other sites.

I also want those files to be dynamically loadable from the site itself using react.js.

For this, I have found that I can check that the Sec-Fetch-Site request header is set to same-origin before accepting the request.

So in the IIS URL Rewrite module, on the specific folder containing these files, I wrote a rewrite rule as HTTP_Sec_Fetch_Site not equal to same-origin, but it does not work.

Please tell me how to write such a rule.

2

There are 2 answers

0
Jalpa Panchal On

You could try an IIS URL Rewrite rule to prevent the files from being used by another origin. The Sec-Fetch-Site header is a relatively recent addition to the HTTP specification and may not be available in all cases, and especially might not be directly accessible in the IIS URL Rewrite Module without additional configuration.

 <rule name="test" stopProcessing="true">
      <match url=".*\.(jpg|jpeg|png|gif|bmp|html)$" />
      <!-- MatchAny: abort when either condition holds. With the default MatchAll,
           an empty Referer could never also contain www.sample1.com, so the rule never fired. -->
      <conditions logicalGrouping="MatchAny">
          <!-- No Referer at all: direct access to the file -->
          <add input="{HTTP_REFERER}" pattern="^$" />
          <!-- Referer present but not from this site -->
          <add input="{HTTP_REFERER}" pattern="www.sample1.com" negate="true" />
      </conditions>
      <action type="AbortRequest" />
 </rule>

You can modify the match url based on your requirement, or you can just put (.*) as the pattern.

0
Eric Malalel On

I was not using the proper syntax in my rewrite rule.

The solution is to use a rewrite rule such as:

{HTTP_SEC_FETCH_SITE} does not match same-origin

It works fine on IIS 10 from Google Chrome and MS Edge.
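The same condition written out as web.config XML rather than through the URL Rewrite GUI, as an added example that is not part of the answer above. It assumes the web.config sits in the folder holding the protected files, that the file extensions listed are the ones to protect, and that a 403 response is preferred over AbortRequest; all three are assumptions.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Assumed placement: the web.config of the folder that holds the protected files,
             so the rule applies only to requests under that folder. -->
        <rule name="Require same-origin fetch" stopProcessing="true">
          <!-- Assumed file types; use ".*" to cover everything in the folder. -->
          <match url=".*\.(jpg|jpeg|png|gif|bmp|html)$" />
          <conditions>
            <!-- Header names become server variables in upper case with hyphens
                 replaced by underscores. A request without the header yields an
                 empty string, which also fails the pattern, so it is rejected too. -->
            <add input="{HTTP_SEC_FETCH_SITE}" pattern="^same-origin$" negate="true" />
          </conditions>
          <!-- Assumed choice: a 403 instead of AbortRequest, which drops the connection. -->
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Resource may only be loaded from this site." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the header value for a URL typed directly into the address bar is `none`, and for a page on another site is `cross-site` or `same-site`, only fetches issued by a page on the same origin (including the react.js loads) pass the condition; browsers that do not send Sec-Fetch-Site at all are blocked as well, which matches the "no direct access" requirement but is worth confirming against the browsers the site must support.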