How to grant/limit access on Images sub folders for each Customer?

I have the following structure inside my wwwroot/images:
-----------------------Each costumers has his own folder name.
Each folder has an image which only the customer might have access.
The problem is: If some user types the address of other user's image, it will open.
I'm trying to restrict the access of each folder using the table Company from the data base.
I could do it on MVC 5 using location path on web config.
But how could I do it in appsettings.json on .NET Core?
OBS: If you have any other approach for this, will be welcome :D

The Static File Middleware doesn't provide authorization checks. Any files served by it, including those under wwwroot, are publicly accessible. To serve files based on authorization, you could refer Static file authorization.
For another option, you may consider implement a custom middleware check the identity like
app.Map("/specificpath", subApp => {
subApp.Use(async (context, next) =>
if (!context.User.Identity.IsAuthenticated)
context.Response.StatusCode = StatusCodes.Status401Unauthorized;
else if(context.Request.Path.StartsWithSegments("/specificpath/User1") && context.User.Identity.Name != "User1")
context.Response.StatusCode = StatusCodes.Status401Unauthorized;


Check if request is made to Razor Page

How can I check within middleware code if current request is made to Razor Page not to any other resource (static file, or API)?
All my APIs are located within api folder, so if (!context.Request.Path.StartsWithSegments("/api")) {} filters out APIs, but that will not work for static content as these files and libraries are placed within number of folders what results in number of URL segments.
Could not find any relevant property in context.
First step - place the middleware after app.UseRouting(). Any request for a static file will never reach your middleware because the static files middleware will short circuit the request. Also, after this point, the routing middleware will have selected the endpoint and populated the endpoint metadata. Then you can test the endpoint metadata collection to see if it includes PageRouteMetaData, which tells you that this is a Razor page route:
app.Use((context, next) => {
var endpoint = context.GetEndpoint();
if (endpoint != null)
foreach(var md in endpoint.Metadata)
if( md is PageRouteMetadata)
// this is a page route
return next(context);

How to create resource file in ASP.NET Core

I use ASP.NET Core. I want to "embbed" text file into application and use it during seeding DataContext only. I don't want anyone to access this file.
As far as I know, if you don't put this text file into the wwwroot folder and don't use the Directory browsing for the whole application, that means no one could access the root path' file.
If you still don't want to let anyone access it trough the http or https. You could write a custom middleware to check the request path, if this path contains the .txt, you could return the access denied response.
More details, you could refer to below codes:
app.Use(async (context, next) => {
if (context.Request.Path.Value.Contains(".txt"))
await context.Response.WriteAsync(
$"Acess Denied");
await next();
} );

Protecting static files with Authorization Middleware using IdentityServer4

I have a IS4 set up and most of the clients that use it get their pictures from a simple ASP.NET Core API. There is one method for adding pictures that go to wwwroot. I noticed that, while unauthorized users can't add new pictures, anyone can access the pictures if they know the URL. After a quick search, i found out that i need a middleware to protect static files, so i shamelessly used sir Alan's code from here. After modifying it for ASP.NET Core (unsure if i did it correctly), i couldn't get authorized from any of the clients (I would get a 401 response, so at least that works correctly).
Here are the services added:
.AddIdentityServerAuthentication(options =>
options.Authority = "http://some.url";
options.ApiName = "SomeAPI";
options.RequireHttpsMetadata = false;
services.AddAuthorization(options =>
options.AddPolicy("Authenticated", policy => policy.RequireAuthenticatedUser());
And the Invoke method from ProtectFolder, that i modifyied:
public async Task Invoke(HttpContext httpContext,
IAuthorizationService authorizationService,
IAuthenticationService authenticationService)
if (httpContext.Request.Path.StartsWithSegments(_path))
var authenticated = await authenticationService.AuthenticateAsync(httpContext,
var authorized = await authorizationService.AuthorizeAsync(httpContext.User, null, _policyName);
if (!authorized.Succeeded)
await authenticationService.ChallengeAsync(httpContext,
IdentityServerAuthenticationDefaults.AuthenticationScheme, authenticated.Properties);
await _next(httpContext);
So i managed to protect the files, but now I can't access them either. Since I'm using IS4 I'm pretty sure I need to use the token for authorization, but I'm unsure how.
I checked this answer and put UseAuthentication above UseProtectFolder and UseStaticFiles, but I still get a 401 response. I also checked this answer, but I'm unsure if it will help, since I'm not using the controller to get the files.

.NET Core serving HTML file outside wwwroot can't load JS files

I am experimenting with different ways to secure an Angular CLI app with .NET Core Authorization.
To make it as secure as possible, I would like to keep all of the Angular CLI output files from being publicly available and keep them in the default "dist" folder preconfigured by the CLI.
I can load the index.html from an authorized controller by returning a PhysicalFileResult...
public IActionResult Index()
return PhysicalFile(Path.Combine(Directory.GetCurrentDirectory(), "dist", "index.html"),"text/HTML");
But I get 404s on all of the bundle.js files when the page loads.
Is it possible to serve the app this way without involving the static file middleware or making the files publicly available (preferably without having to manually change the src for each bundled js file in index.html)?
Take a look at this article from the core docs (excerpt included below):
Just place your authorization middleware before the static one.
// has to be first so user gets authenticated before the static middleware is called
app.Use(async (context, next) =>
// for pathes which begin with "app" check if user is logged in
if(context.Request.Path.StartsWith("app") && httpContext.User==null)
// return "Unauthorized"
context.Response.StatusCode = 401;
// If user is logged in, call next middleware
await next.Invoke();

How to cache static content using ASP.NET 5 and MVC 6?

This was previously achieved by adding some configuration to the web.config file, but now this file is to be extinguished.
I was expecting to find some methods or properties in the middleware declaration, but I haven't found:
So, which is now the procedure to cache static content as images, scripts, etc.?
Is there another middleware to do this or is this feature not implemented yet in MVC 6?
I'm looking for a way to add the cache-control, expires, etc. headers to the static content.
It is all about Middleware with AspNet Core;
Add the following to your Configure method in the Startup.cs file
app.Use(async (context, next) =>
context.Response.Headers.Add("Content-encoding", "gzip");
context.Response.Body = new System.IO.Compression.GZipStream(context.Response.Body,
await next();
await context.Response.Body.FlushAsync();
By the way for caching you would add this to the ConfigureServices method
services.AddMvc(options =>
new CacheProfile()
Duration = 60
new CacheProfile()
Location = ResponseCacheLocation.None,
NoStore = true
And decorate the control with
[ResponseCache(CacheProfileName = "Default")]
public class HomeController : Controller
Your title says compress, but your question body says cache. I'll assume you mean both.
Minification of css/javascript is already handled by the grunt task runner on publish. Caching and compression outside this seem like something a webserver is more suited to, rather than the application layer, so here's a great article that details the config for nginx to manage caching and compression for kestrel.
If you're using IIS, you can configure caching and compression directly on it, here's a tutorial. Considering the previous versions of MVC configured this functionality in web.config\system.Webserver which basically sets IIS config values, you can likely still use a web.config for the purposes of configuring IIS (only).