Forum Discussion
How to use the Sec-Fetch-Site request header in a condition of an IIS Rewrite rule
I want to restrict access to some resources hosted on my IIS 10 web site.
More specifically, I want these resources, such as images or HTML files, to be viewable only within or from a page hosted on exactly the same domain and server. No direct access, not embeddable in other sites, not linkable from other sites.
I also want those files to be dynamically loadable from the site itself using React.js.
For this, I have found that I can check that the Sec-Fetch-Site request header is set to same-origin in order to accept the request.
So in the IIS rewrite rule module, on the specific folder containing these files, I wrote a rewrite rule as HTTP_Sec_Fetch_Site not equal to same-origin, but it does not work.
Please tell me how to write such a rule.
1 Reply
- knowledgeplaces (Copper Contributor)
I was not using the proper syntax in my rewrite rule.
The solution is to use a rewrite rule such as:
{HTTP_SEC_FETCH_SITE} does not match same-origin
It works fine on IIS 10 from Google Chrome and MS Edge.
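The condition from the reply written out as a web.config for the protected folder. This is an added example, not part of the original thread. The rule name, the anchored pattern and the 403 response are assumptions, since the post gives only the condition.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config placed in the folder that holds the protected files -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is a placeholder chosen for this example -->
        <rule name="RequireSameOriginFetch" stopProcessing="true">
          <!-- Apply to every URL under this folder -->
          <match url=".*" />
          <conditions>
            <!-- URL Rewrite exposes the Sec-Fetch-Site request header as
                 {HTTP_SEC_FETCH_SITE}: upper case, dashes become underscores.
                 negate="true" is "Does Not Match the Pattern" in IIS Manager.
                 The pattern is anchored here (assumption) so only the exact
                 value same-origin passes. A request without the header gives
                 an empty string, which does not match and is rejected too. -->
            <add input="{HTTP_SEC_FETCH_SITE}" pattern="^same-origin$" negate="true" />
          </conditions>
          <!-- Assumed action: answer 403 instead of serving the file -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Same-origin requests only" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Browsers set Sec-Fetch-Site themselves and page script cannot change it, and a URL typed into the address bar is sent with the value none, so it is rejected as well. Clients that are not browsers choose their own headers, so this rule limits embedding and hot-linking and does not replace authentication for sensitive files.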