From a9c68893bd38fa8d36b0d23cae4f3aa7d54af0ab Mon Sep 17 00:00:00 2001 From: Ian Bruyninckx Date: Wed, 25 Mar 2020 10:01:40 +0100 Subject: [PATCH] Update README.md added section on security considerations --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 74e849d..4f7a4c9 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,38 @@ Below is the usage example for both flows - where access to files from Blob Stor In case both `ConnectionString` and `Token` are present, connection string is given the preference. +### Security considerations + +Please note that the providers hook into the asp.net static file middleware and by default there is no authorization on static files. cfr. https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-3.1#static-file-authorization + +However, there is an easy and elegant solution when you want those files to be secured with the default asp.net authorization. + +In the example above, the following + +``` + app.UseStaticFiles(new StaticFileOptions() + { + FileProvider = blobFileProvider, + RequestPath = "/files" + }); +``` + +becomes + +``` + app.UseStaticFiles(new StaticFileOptions() + { + FileProvider = blobFileProvider, + RequestPath = "/files", + OnPrepareResponse = (context) => { + if (!context.Context.User.Identity.IsAuthenticated) + { + throw new Exception("Not authenticated"); + } + } + }); +``` + ### Current limitations The watch functionality of the file provider is currently not supported.
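Review bot: throwing `new Exception("Not authenticated")` inside `OnPrepareResponse` in the second README snippet does not produce an authentication failure; it surfaces as an unhandled exception (HTTP 500, with a stack trace if the developer exception page is on) rather than the 401 the text's "secured with the default asp.net authorization" implies, and a 500 is indistinguishable from a server fault in logs and monitoring. Suggest the snippet set the status and suppress the body instead, e.g. `context.Context.Response.StatusCode = 401;` followed by `context.Context.Response.ContentLength = 0;` and `context.Context.Response.Body = Stream.Null;`, and use `Identity?.IsAuthenticated != true` so a null `Identity` cannot throw. The section should also state that `app.UseStaticFiles(...)` must be registered after `UseAuthentication()` in the pipeline, otherwise `context.Context.User` is never populated and every request to `/files` is rejected. Minor: tag the two bare fences as `csharp`, and replace "cfr." and "asp.net" with "see" and "ASP.NET Core" for consistency with the rest of the README.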