From da1dcc9dea60d32cdeb329748bcd04a230880259 Mon Sep 17 00:00:00 2001 From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> Date: Thu, 15 May 2025 15:51:30 +0200 Subject: [PATCH 01/11] docs: adds section on HMACSecretKey to Imaging Settings --- .../configuration/imagingsettings.md | 72 ++++++++++++++++++- .../configuration/imagingsettings.md | 72 ++++++++++++++++++- .../configuration/imagingsettings.md | 72 ++++++++++++++++++- .../configuration/imagingsettings.md | 72 ++++++++++++++++++- 4 files changed, 280 insertions(+), 8 deletions(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 441608d8c7a..3cc9efe0479 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -23,7 +23,8 @@ All these settings contain default values, so nothing needs to be explicitly con "Resize": { "MaxWidth": 5000, "MaxHeight": 5000 - } + }, + "HMACSecretKey": "" } } } @@ -31,7 +32,7 @@ All these settings contain default values, so nothing needs to be explicitly con ## Cache -Contains configuration for browser and server caching. +Contains configuration for browser and server caching. When changing these cache headers, it is recommended to clear your media cache. This is due to the data being stored in the cache and not updated when the configuration is changed. ### Browser max age @@ -82,3 +83,70 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer }); } ``` + +## Hmac secret key + +Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. + +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. + +The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. + +### Default Behavior + +If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. + +### Key Length + +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). + +### Example Configuration + +**Appsettings.json** +```json +"Umbraco": { + "CMS": { + "Imaging": { + "HMACSecretKey": "some-base64-encoded-key" + } + } +} +``` + +**Using the IOptions pattern** + +If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: + +```csharp +using System.Security.Cryptography; +using Umbraco.Cms.Core.Composing; +using Umbraco.Cms.Core.Configuration.Models; + +public class HMACSecretKeyComposer : IComposer +{ + public void Compose(IUmbracoBuilder builder) + => builder.Services.Configure(options => + { + if (options.HMACSecretKey.Length == 0) + { + byte[] secret = new byte[64]; // Change to 128 when using HMACSHA384 or HMACSHA512 + RandomNumberGenerator.Create().GetBytes(secret); + options.HMACSecretKey = secret; + + var logger = builder.BuilderLoggerFactory.CreateLogger(); + logger.LogInformation("Imaging settings is now using HMACSecretKey: {HMACSecretKey}", Convert.ToBase64String(secret)); + } + }); +} +``` + +{% hint style="warning" %} +The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +{% endhint %} + +### Testing the Configuration + +To verify that your `HMACSecretKey` is working correctly: +1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +2. Make a request to an image URL with valid parameters and ensure it works as expected. +3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. diff --git a/14/umbraco-cms/reference/configuration/imagingsettings.md b/14/umbraco-cms/reference/configuration/imagingsettings.md index 441608d8c7a..3cc9efe0479 100644 --- a/14/umbraco-cms/reference/configuration/imagingsettings.md +++ b/14/umbraco-cms/reference/configuration/imagingsettings.md @@ -23,7 +23,8 @@ All these settings contain default values, so nothing needs to be explicitly con "Resize": { "MaxWidth": 5000, "MaxHeight": 5000 - } + }, + "HMACSecretKey": "" } } } @@ -31,7 +32,7 @@ All these settings contain default values, so nothing needs to be explicitly con ## Cache -Contains configuration for browser and server caching. +Contains configuration for browser and server caching. When changing these cache headers, it is recommended to clear your media cache. This is due to the data being stored in the cache and not updated when the configuration is changed. ### Browser max age @@ -82,3 +83,70 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer }); } ``` + +## Hmac secret key + +Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. + +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. + +The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. + +### Default Behavior + +If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. + +### Key Length + +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). + +### Example Configuration + +**Appsettings.json** +```json +"Umbraco": { + "CMS": { + "Imaging": { + "HMACSecretKey": "some-base64-encoded-key" + } + } +} +``` + +**Using the IOptions pattern** + +If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: + +```csharp +using System.Security.Cryptography; +using Umbraco.Cms.Core.Composing; +using Umbraco.Cms.Core.Configuration.Models; + +public class HMACSecretKeyComposer : IComposer +{ + public void Compose(IUmbracoBuilder builder) + => builder.Services.Configure(options => + { + if (options.HMACSecretKey.Length == 0) + { + byte[] secret = new byte[64]; // Change to 128 when using HMACSHA384 or HMACSHA512 + RandomNumberGenerator.Create().GetBytes(secret); + options.HMACSecretKey = secret; + + var logger = builder.BuilderLoggerFactory.CreateLogger(); + logger.LogInformation("Imaging settings is now using HMACSecretKey: {HMACSecretKey}", Convert.ToBase64String(secret)); + } + }); +} +``` + +{% hint style="warning" %} +The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +{% endhint %} + +### Testing the Configuration + +To verify that your `HMACSecretKey` is working correctly: +1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +2. Make a request to an image URL with valid parameters and ensure it works as expected. +3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. diff --git a/15/umbraco-cms/reference/configuration/imagingsettings.md b/15/umbraco-cms/reference/configuration/imagingsettings.md index 441608d8c7a..3cc9efe0479 100644 --- a/15/umbraco-cms/reference/configuration/imagingsettings.md +++ b/15/umbraco-cms/reference/configuration/imagingsettings.md @@ -23,7 +23,8 @@ All these settings contain default values, so nothing needs to be explicitly con "Resize": { "MaxWidth": 5000, "MaxHeight": 5000 - } + }, + "HMACSecretKey": "" } } } @@ -31,7 +32,7 @@ All these settings contain default values, so nothing needs to be explicitly con ## Cache -Contains configuration for browser and server caching. +Contains configuration for browser and server caching. When changing these cache headers, it is recommended to clear your media cache. This is due to the data being stored in the cache and not updated when the configuration is changed. ### Browser max age @@ -82,3 +83,70 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer }); } ``` + +## Hmac secret key + +Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. + +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. + +The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. + +### Default Behavior + +If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. + +### Key Length + +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). + +### Example Configuration + +**Appsettings.json** +```json +"Umbraco": { + "CMS": { + "Imaging": { + "HMACSecretKey": "some-base64-encoded-key" + } + } +} +``` + +**Using the IOptions pattern** + +If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: + +```csharp +using System.Security.Cryptography; +using Umbraco.Cms.Core.Composing; +using Umbraco.Cms.Core.Configuration.Models; + +public class HMACSecretKeyComposer : IComposer +{ + public void Compose(IUmbracoBuilder builder) + => builder.Services.Configure(options => + { + if (options.HMACSecretKey.Length == 0) + { + byte[] secret = new byte[64]; // Change to 128 when using HMACSHA384 or HMACSHA512 + RandomNumberGenerator.Create().GetBytes(secret); + options.HMACSecretKey = secret; + + var logger = builder.BuilderLoggerFactory.CreateLogger(); + logger.LogInformation("Imaging settings is now using HMACSecretKey: {HMACSecretKey}", Convert.ToBase64String(secret)); + } + }); +} +``` + +{% hint style="warning" %} +The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +{% endhint %} + +### Testing the Configuration + +To verify that your `HMACSecretKey` is working correctly: +1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +2. Make a request to an image URL with valid parameters and ensure it works as expected. +3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. diff --git a/16/umbraco-cms/reference/configuration/imagingsettings.md b/16/umbraco-cms/reference/configuration/imagingsettings.md index 441608d8c7a..3cc9efe0479 100644 --- a/16/umbraco-cms/reference/configuration/imagingsettings.md +++ b/16/umbraco-cms/reference/configuration/imagingsettings.md @@ -23,7 +23,8 @@ All these settings contain default values, so nothing needs to be explicitly con "Resize": { "MaxWidth": 5000, "MaxHeight": 5000 - } + }, + "HMACSecretKey": "" } } } @@ -31,7 +32,7 @@ All these settings contain default values, so nothing needs to be explicitly con ## Cache -Contains configuration for browser and server caching. +Contains configuration for browser and server caching. When changing these cache headers, it is recommended to clear your media cache. This is due to the data being stored in the cache and not updated when the configuration is changed. ### Browser max age @@ -82,3 +83,70 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer }); } ``` + +## Hmac secret key + +Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. + +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. + +The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. + +### Default Behavior + +If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. + +### Key Length + +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). + +### Example Configuration + +**Appsettings.json** +```json +"Umbraco": { + "CMS": { + "Imaging": { + "HMACSecretKey": "some-base64-encoded-key" + } + } +} +``` + +**Using the IOptions pattern** + +If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: + +```csharp +using System.Security.Cryptography; +using Umbraco.Cms.Core.Composing; +using Umbraco.Cms.Core.Configuration.Models; + +public class HMACSecretKeyComposer : IComposer +{ + public void Compose(IUmbracoBuilder builder) + => builder.Services.Configure(options => + { + if (options.HMACSecretKey.Length == 0) + { + byte[] secret = new byte[64]; // Change to 128 when using HMACSHA384 or HMACSHA512 + RandomNumberGenerator.Create().GetBytes(secret); + options.HMACSecretKey = secret; + + var logger = builder.BuilderLoggerFactory.CreateLogger(); + logger.LogInformation("Imaging settings is now using HMACSecretKey: {HMACSecretKey}", Convert.ToBase64String(secret)); + } + }); +} +``` + +{% hint style="warning" %} +The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +{% endhint %} + +### Testing the Configuration + +To verify that your `HMACSecretKey` is working correctly: +1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +2. Make a request to an image URL with valid parameters and ensure it works as expected. +3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. From b57fbd97de1474f3444c65bb344a0154f0c9e7bb Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:55:44 +0200 Subject: [PATCH 02/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 3cc9efe0479..2089cd677fc 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -84,7 +84,7 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer } ``` -## Hmac secret key +## HMAC secret key Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. From a9026aec6c6e614093e4315c44788145ad8f3f36 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:55:52 +0200 Subject: [PATCH 03/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 2089cd677fc..478b739e3c9 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -88,7 +88,7 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. -To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the `IOptions` pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. From ee34611fa7c318a59abdea05bc3f363402ce5783 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:06 +0200 Subject: [PATCH 04/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 478b739e3c9..2ee01767a05 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -94,7 +94,7 @@ The key must be the same across all environments (development, staging, producti ### Default Behavior -If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. +If the `HMACSecretKey` is not set, image requests are not secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. ### Key Length From 1020205153d1de058d1d0073030ceaf49bf0f54d Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:13 +0200 Subject: [PATCH 05/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 2ee01767a05..10332f4f96e 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -98,7 +98,7 @@ If the `HMACSecretKey` is not set, image requests are not secured, and any perso ### Key Length -The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using `HMACSHA384` or `HMACSHA512`, you may want to use a longer key (for example: 128 bytes). ### Example Configuration From ea74cfdf437969514698e1b1290d5f0bd78a7d39 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:19 +0200 Subject: [PATCH 06/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 10332f4f96e..64cd9450867 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -102,7 +102,7 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt ### Example Configuration -**Appsettings.json** +**appsettings.json** ```json "Umbraco": { "CMS": { From 64b1ba9a1dab1b18b72baee3321afb864111cb4f Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:25 +0200 Subject: [PATCH 07/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 64cd9450867..52140791fb2 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -113,7 +113,7 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt } ``` -**Using the IOptions pattern** +**Using the `IOptions` pattern** If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: From c483ced622bb1dbc4174815926d2ab4b4c0598fe Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:31 +0200 Subject: [PATCH 08/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 52140791fb2..a1309acac6e 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -115,7 +115,7 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt **Using the `IOptions` pattern** -If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: +To generate the `HMACSecretKey` programmatically instead of hardcoding it in configuration files, use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: ```csharp using System.Security.Cryptography; From 20396771dd332fa74c2a06fc319c0a2d0c08e845 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:44 +0200 Subject: [PATCH 09/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index a1309acac6e..795af1e379d 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -141,7 +141,7 @@ public class HMACSecretKeyComposer : IComposer ``` {% hint style="warning" %} -The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +The `HMACSecretKey` must be kept secret and never exposed publicly. If the key is exposed, malicious users may generate valid HMACs and exploit server resources. {% endhint %} ### Testing the Configuration From 3841b389fb88cf5c18e1084c7b14400458880656 Mon Sep 17 00:00:00 2001 From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com> Date: Fri, 16 May 2025 08:56:50 +0200 Subject: [PATCH 10/11] Update 13/umbraco-cms/reference/configuration/imagingsettings.md --- 13/umbraco-cms/reference/configuration/imagingsettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/13/umbraco-cms/reference/configuration/imagingsettings.md b/13/umbraco-cms/reference/configuration/imagingsettings.md index 795af1e379d..c71494d3f37 100644 --- a/13/umbraco-cms/reference/configuration/imagingsettings.md +++ b/13/umbraco-cms/reference/configuration/imagingsettings.md @@ -147,6 +147,6 @@ The `HMACSecretKey` must be kept secret and never exposed publicly. If the key i ### Testing the Configuration To verify that your `HMACSecretKey` is working correctly: -1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +1. Set the `HMACSecretKey` key in the `appsettings.json` file or via the `IOptions` pattern. 2. Make a request to an image URL with valid parameters and ensure it works as expected. 3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. From f783ef55ddc814f7b3888854dfd887684f98b7c9 Mon Sep 17 00:00:00 2001 From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> Date: Fri, 16 May 2025 09:05:33 +0200 Subject: [PATCH 11/11] docs: transfer v13 article to newer versions --- .../reference/configuration/imagingsettings.md | 18 +++++++++--------- .../reference/configuration/imagingsettings.md | 18 +++++++++--------- .../reference/configuration/imagingsettings.md | 18 +++++++++--------- 3 files changed, 27 insertions(+), 27 deletions(-) diff --git a/14/umbraco-cms/reference/configuration/imagingsettings.md b/14/umbraco-cms/reference/configuration/imagingsettings.md index 3cc9efe0479..c71494d3f37 100644 --- a/14/umbraco-cms/reference/configuration/imagingsettings.md +++ b/14/umbraco-cms/reference/configuration/imagingsettings.md @@ -84,25 +84,25 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer } ``` -## Hmac secret key +## HMAC secret key Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. -To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the `IOptions` pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. ### Default Behavior -If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. +If the `HMACSecretKey` is not set, image requests are not secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. ### Key Length -The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using `HMACSHA384` or `HMACSHA512`, you may want to use a longer key (for example: 128 bytes). ### Example Configuration -**Appsettings.json** +**appsettings.json** ```json "Umbraco": { "CMS": { @@ -113,9 +113,9 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt } ``` -**Using the IOptions pattern** +**Using the `IOptions` pattern** -If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: +To generate the `HMACSecretKey` programmatically instead of hardcoding it in configuration files, use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: ```csharp using System.Security.Cryptography; @@ -141,12 +141,12 @@ public class HMACSecretKeyComposer : IComposer ``` {% hint style="warning" %} -The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +The `HMACSecretKey` must be kept secret and never exposed publicly. If the key is exposed, malicious users may generate valid HMACs and exploit server resources. {% endhint %} ### Testing the Configuration To verify that your `HMACSecretKey` is working correctly: -1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +1. Set the `HMACSecretKey` key in the `appsettings.json` file or via the `IOptions` pattern. 2. Make a request to an image URL with valid parameters and ensure it works as expected. 3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. diff --git a/15/umbraco-cms/reference/configuration/imagingsettings.md b/15/umbraco-cms/reference/configuration/imagingsettings.md index 3cc9efe0479..c71494d3f37 100644 --- a/15/umbraco-cms/reference/configuration/imagingsettings.md +++ b/15/umbraco-cms/reference/configuration/imagingsettings.md @@ -84,25 +84,25 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer } ``` -## Hmac secret key +## HMAC secret key Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. -To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the `IOptions` pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. ### Default Behavior -If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. +If the `HMACSecretKey` is not set, image requests are not secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. ### Key Length -The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using `HMACSHA384` or `HMACSHA512`, you may want to use a longer key (for example: 128 bytes). ### Example Configuration -**Appsettings.json** +**appsettings.json** ```json "Umbraco": { "CMS": { @@ -113,9 +113,9 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt } ``` -**Using the IOptions pattern** +**Using the `IOptions` pattern** -If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: +To generate the `HMACSecretKey` programmatically instead of hardcoding it in configuration files, use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: ```csharp using System.Security.Cryptography; @@ -141,12 +141,12 @@ public class HMACSecretKeyComposer : IComposer ``` {% hint style="warning" %} -The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +The `HMACSecretKey` must be kept secret and never exposed publicly. If the key is exposed, malicious users may generate valid HMACs and exploit server resources. {% endhint %} ### Testing the Configuration To verify that your `HMACSecretKey` is working correctly: -1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +1. Set the `HMACSecretKey` key in the `appsettings.json` file or via the `IOptions` pattern. 2. Make a request to an image URL with valid parameters and ensure it works as expected. 3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected. diff --git a/16/umbraco-cms/reference/configuration/imagingsettings.md b/16/umbraco-cms/reference/configuration/imagingsettings.md index 3cc9efe0479..c71494d3f37 100644 --- a/16/umbraco-cms/reference/configuration/imagingsettings.md +++ b/16/umbraco-cms/reference/configuration/imagingsettings.md @@ -84,25 +84,25 @@ public class ConfigureImageSharpMiddlewareOptionsComposer : IComposer } ``` -## Hmac secret key +## HMAC secret key Specifies the key used to secure image requests by generating a hash-based message authentication code (HMAC). This ensures that only valid requests can access or manipulate images. -To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the IOptions pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. +To enable it, you need to set a secure random key. This key should be kept secret and not shared publicly. The key can be set through the `IOptions` pattern, or you can insert a base64 encoded key in the `appsettings.json` file. The key should ideally be 64 bytes long. The key must be the same across all environments (development, staging, production) to ensure that image requests work for content published across environments. ### Default Behavior -If the `HMACSecretKey` is not set, image requests will not be secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. +If the `HMACSecretKey` is not set, image requests are not secured, and any person can request images with any parameters. This may expose your server to abuse, such as excessive resizing requests or unauthorized access to images. ### Key Length -The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using HMACSHA384 or HMACSHA512, you may want to use a longer key (e.g., 128 bytes). +The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byte (512-bit) key is recommended. If you are using `HMACSHA384` or `HMACSHA512`, you may want to use a longer key (for example: 128 bytes). ### Example Configuration -**Appsettings.json** +**appsettings.json** ```json "Umbraco": { "CMS": { @@ -113,9 +113,9 @@ The `HMACSecretKey` should be a secure, random key. For most use cases, a 64-byt } ``` -**Using the IOptions pattern** +**Using the `IOptions` pattern** -If you prefer to generate the `HMACSecretKey` programmatically or want to avoid hardcoding it in your configuration files, you can use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: +To generate the `HMACSecretKey` programmatically instead of hardcoding it in configuration files, use the `IOptions` pattern. The following example demonstrates how to generate a secure random key at runtime: ```csharp using System.Security.Cryptography; @@ -141,12 +141,12 @@ public class HMACSecretKeyComposer : IComposer ``` {% hint style="warning" %} -The HMACSecretKey should be kept secret and never exposed publicly. If the key is leaked, malicious users could generate valid HMACs and abuse your server resources. +The `HMACSecretKey` must be kept secret and never exposed publicly. If the key is exposed, malicious users may generate valid HMACs and exploit server resources. {% endhint %} ### Testing the Configuration To verify that your `HMACSecretKey` is working correctly: -1. Configure the key in your `appsettings.json` or using the `IOptions` pattern. +1. Set the `HMACSecretKey` key in the `appsettings.json` file or via the `IOptions` pattern. 2. Make a request to an image URL with valid parameters and ensure it works as expected. 3. Modify the URL parameters or remove the HMAC signature and confirm that the request is rejected.