One of the clients of the company I work for recently reported an issue with the media URLs generated by Sitecore:
“Security issue found on server by NGINX security server (Blocked Request 406). The hyphen needs to be removed from: ‘/-/media/setf/logos/header_logo.png’ as it is identified as Traversal Probe”
As you can see, they run an NGINX security server in their network to reduce their exposure, even though this is not NGINX's main feature. You can find more information about NGINX in its official documentation.
On the other hand, the error message ends by referring to the term “Traversal Probe”. This basically means the request was flagged as a probe for path traversal, i.e. the site may be vulnerable to requests asking for files outside the root directory of the website. For instance, on an IIS server an attacker could request files outside of “c:\inetpub\wwwroot”.
I personally don’t think this is possible or a real vulnerability, because of the latest security measures in IIS, which don’t allow this, and for other reasons. However, this post is about what you can do to avoid generating these hyphenated URLs if this happens to you.
Fortunately for us, Sitecore has a setting that makes it generate media URLs as absolute URLs, with their full path.
Open the App_Config\Sitecore.config file, search for “Media.AlwaysIncludeServerUrl”, change its value to “true” and save the file. After Sitecore restarts the application you will see the same file served with its absolute path.
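The same change as a Sitecore configuration patch file, which is how Sitecore recommends overriding settings so that Sitecore.config itself stays untouched and an upgrade cannot silently revert the change. This is an added example, not from the original post; the file name is an assumption, the setting name is the one the post describes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example: Sitecore configuration patch, not code from the original post.
  Save it under App_Config/Include/ with a name ending in .config
  (e.g. zzz.Media.AlwaysIncludeServerUrl.config - the name is an assumption;
  the "zzz" prefix only makes it load after other patches, since include
  files are applied in alphabetical order).
-->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/"
               xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore>
    <settings>
      <!-- Sitecore.config ships this setting as "false", which yields relative
           links such as /-/media/... ; "true" makes Sitecore emit the full
           server URL for every media link instead. The set: namespace
           overwrites the "value" attribute of the matching <setting>. -->
      <setting name="Media.AlwaysIncludeServerUrl" set:value="true" />
    </settings>
  </sitecore>
</configuration>
```

As with the direct edit, the new value takes effect once the application restarts. To confirm that the patch was actually applied, open /sitecore/admin/showconfig.aspx, which renders the merged configuration, and check that the setting now reads “true” there.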
Just keep in mind that enabling this setting produces long URLs, especially if the media library has many nested folders storing the files.