How to use request decompression in ASP.NET Core

ASP.NET Core introduces a new request decompression middleware that automatically decompresses incoming requests. The middleware works by checking the Content-Encoding HTTP header, which indicates the type of compression used, such as Brotli, Gzip, or Deflate. If a matching decompression provider is available, the middleware wraps the request body in the appropriate decompression stream, effectively decompressing the content.

Setting Up a Minimal API Project in ASP.NET Core

To take advantage of request decompression in ASP.NET Core 7, we can create a minimal API.

1. Open Visual Studio 2022 and select “Create a new project.”
2. Choose "ASP.NET Core Web API" from the templates.
3. Configure the project name and location, and ensure that “Use Minimal APIs” is selected.
4. Uncheck the options for Docker, HTTPS, and OpenAPI support, as these are not required for this tutorial.
5. Click Create.

This will generate a minimal Web API project with no controllers.

Enabling Request Decompression Middleware

Once the project is set up, we need to enable request decompression middleware in the Program.cs file.

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRequestDecompression();
var app = builder.Build();
app.UseRequestDecompression();
app.MapPost("/", (HttpRequest httpRequest) => Results.Stream(httpRequest.Body));
app.Run();

This enables the middleware and maps an endpoint to handle POST requests. The UseRequestDecompression method activates the middleware, allowing it to handle incoming compressed data automatically.

Handling Large Requests and Decompression Bombs

To protect against malicious files like "zip bombs" (highly compressed files that can cause denial-of-service attacks), the decompression middleware imposes a size limit on decompressed content. If the decompressed data exceeds the maximum request body size, an InvalidOperationException is thrown.

Custom Decompression Providers

In some cases, you may need to support custom compression formats. ASP.NET Core allows developers to implement their own decompression providers.

public class CustomDecompressionProvider : IDecompressionProvider
{
    public Stream GetDecompressionStream(Stream stream)
    {
        // Implement custom decompression logic here
        return stream;
    }
}

Once the custom provider is created, it can be registered in the Program.cs file:

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRequestDecompression(options =>
{
    options.DecompressionProviders.Add("CustomProvider", new CustomDecompressionProvider());
});
var app = builder.Build();
app.UseRequestDecompression();
app.MapPost("/", (HttpRequest request) => Results.Stream(request.Body));
app.Run();

Limitations and Error Handling

If the middleware cannot decompress a request due to an unsupported compression format or multiple compression headers, it will forward the request to the next middleware in the pipeline. In cases where Brotli, GZip, or Deflate are unsupported, the middleware will throw an exception with an appropriate error message.