Announcing ImageSharp.Web 2.0.0

ImageSharp.Web 2 - Smarter and More Secure!

We are very excited to announce the release of ImageSharp.Web 2.0.0 final. You can download it today.

We've been putting this release together for a while but it's been well worth the wait. This is a MASSIVE release with some fantastic improvements.

What's new since V1 #

Some major features!

  • WebP support - People have been after this for a while! We provide comprehensive support for decoding and encoding WebP images.
  • EXIF orientation support - Automatic handling of the different orientation options to ensure processing always operates on the expected dimensions.
  • Amazon S3 support - Comprehensive support for providing and caching images with Amazon S3.
  • HMAC processing protection - Image requests can now be protected by Hash-based Message Authentication Codes to prevent DDOS attacks.

Breaking Changes #

  • We've replaced generic dictionary for commands with specialized collection type throughout the public API.
  • We've add a CacheFolderDepth option to create shorter cached file names. We've included a V1 Legacy implementation to avoid breaking caching for existing users.
  • We've decoupled the default PhysicalFileSystemProvider from WebRootFileProvider and introduced a new WebRootImageProvider to allow duplicating legacy behavior.

Read the release notes for detailed release information.

API documentation is available in our Docs site.

EXIF Orientation Support #

Browsers now implement 'image-orientation: from-image' by default. This makes orientation handling
confusing for users who expect images to be resized in accordance to what they observe rather than pure(and correct) methods.

To accommodate this ImageSharp.Web parses the dimensions to use based upon decoded EXIF orientation values. This means that the image is processed in accordance with expectations no matter what orientation the input uses as you can see in the example image below.

EXIF Orientation Support

HMAC Processing Protection #

In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.

HMAC can provide authentication using a shared secret instead of using digital signatures with asymmetric cryptography. It trades off the need for a complex public key infrastructure by delegating the key exchange to the communicating parties, who are responsible for establishing and using a trusted channel to agree on the key prior to communication.

Any cryptographic hash function, such as SHA-2 or SHA-3, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-SHA256 or HMAC-SHA3-512). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.

HMAC does not encrypt the message. Instead, the message (encrypted or not) must be sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves, and if it is authentic, the received and computed hashes will match.

With ImageSharp.Web it is possible to configure an action to generate an HMAC by setting the ImageSharpMiddlewareOptions.HMACSecretKey property to any byte array value. This triggers checks in the middleware to look for and compare a HMAC hash of the request URL with the hash that is passed alongside the commands.

By default ImageSharp.Web will use a HMAC-SHA256 algorithm.

private Func<ImageCommandContext, byte[], Task<string>> onComputeHMACAsync = (context, secret) =>
    string uri = CaseHandlingUriBuilder.BuildRelative(

    return Task.FromResult(HMACUtilities.ComputeHMACSHA256(uri, secret));

Users can replicate that key using the same CaseHandlingUriBuilder and HMACUtilities APIs to generate the HMAC hash on the client. The hash must be passed via a command using the HMACUtilities.TokenCommand constant.

Any invalid matches are rejected at the very start of the processing pipeline with a 400 HttpResponse code.

The Future #

We'll be focussing very heavily on SixLabors.ImageSharp.Drawing and SixLabors.Fonts now to bring them up to Release Candidate status.

Following that we'll start looking towards V3 where the focus will be on adopting the latest .NET runtimes and bringing high performance on as many platforms as possible.

ImageSharp.Web V2 is released under dual licenses:

Closing #

Thanks again for all the feedback and usage. It's been a pleasure to build ImageSharp.Web so far and to see so many people try it out; we really appreciate it. Please continue exploring the product and learning what it’s capable of.