Is if ($referer != "mysite.com") not a good way to prevent other sites from hard linking my images or swf?
06-09-2019
Question
Sometimes I see an image not being served when the browser looks at www.somesite.com/some_image.jpg -- it will say you need to look at the image from within a page.
(such as when using google's image search and looking at some results)
So I think their server is using something like
# pseudo code
if ($referer not contain "mywebsite.com") then do not serve the image / swf
But this probably is not a good way since HTTP_REFERER is not reliable? So some users will end up not seeing the image or swf when the referer info is missing?
Solution
Or even better, if you have access to a .htaccess file you could do the following:
# Allow an empty Referer (stripped by proxies, privacy settings, direct visits),
# allow our own site, and refuse (403) everything else for these file types.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css|cur|png|jpeg)$ - [F]
Or if you want them to see a different image instead, do the following:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
# Do not redirect the replacement image itself, or the hotlinked page
# requesting angryman.gif would trigger the rule again in a redirect loop.
RewriteCond %{REQUEST_URI} !/angryman\.gif$
RewriteRule \.(gif|jpg)$ http://www.example.com/angryman.gif [R,L]
OTHER TIPS
It can be reliable, but some firewalls strip it out, so you should do
// pseudo code
if ($referer does not contain "example.com" and $referer is set and $referer is not equal to "") then do not serve image
Just as another go, I think it's vastly more fun to casually allow hotlinking-referrers until you get some joker pushing thousands of requests a day (without any real link-throughs). What I've done then is redirect the image to something completely different.
Think Goatse. Only nastier.
It's not perfect, but it's probably better than nothing if it can prevent 80% of the audience, who wouldn't know how to hack the referer, from grabbing your image. You should also keep your image folder under a randomly named folder and periodically rename it to prevent direct linking.
I would upgrade that figure to 99.something%. Almost all people won't have proxies that interfere with referrer strings.
But yes, it's trivial to set the referrer with wget (et al).
The Referer header is just text, so it can be forged in the HTTP request. As stated in an earlier comment, your code should take care of the vast majority of folks.
Similar to Henri Watson, I was thinking of
# pseudo code
if($referer not empty and $referer not contain "mywebsite.com") then don't serve it.
Double checking the 3 cases:
referer empty ==> served
referer not empty and contains "mywebsite.com" ==> served
referer not empty and does not contain "mywebsite.com" ==> not served
Then the person who is doing the hard link will most likely see that it doesn't work to link that way and change it right away.
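The three cases above, and the .htaccess rules in the Solution, as an added Python example that is not part of the original thread. It goes one step beyond the "contains" test in the thread: it compares the parsed Referer host against an allowlist (exact match or subdomain), so "notexample.com" or "example.com.evil.test" do not slip through a substring check. The allowed hosts and the sample requests are constructed values.

```python
from urllib.parse import urlsplit

# Hosts allowed to embed our images (constructed example values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# File types the thread wants to protect (the RewriteRule list plus swf).
PROTECTED_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".cur", ".js", ".css", ".swf")


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a request may be served based on its Referer header.

    Case 1: missing or empty Referer  -> serve (proxies, firewalls and privacy
            settings strip it; refusing here would block legitimate visitors).
    Case 2: Referer host is ours       -> serve.
    Case 3: Referer present but foreign -> refuse.
    The header is client-supplied text and trivially forged, so this only
    stops casual hotlinking, exactly as the thread says.
    """
    if referer is None or referer.strip() == "":
        return True
    try:
        host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if host is None:  # no scheme/netloc at all, e.g. "garbage"
        return False
    # Exact host or a subdomain of an allowed host; never a plain substring test.
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def should_serve(path, referer):
    """Apply the Referer check only to protected file types, like the RewriteRule."""
    if not path.lower().endswith(PROTECTED_SUFFIXES):
        return True
    return referer_allowed(referer)


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header or None).
    samples = [
        ("/img/logo.png", None),
        ("/img/logo.png", "http://www.example.com/gallery.html"),
        ("/img/logo.png", "https://blog.example.com/post"),
        ("/img/logo.png", "http://example.com.evil.test/steal.html"),
        ("/img/logo.png", "http://notexample.com/"),
        ("/about.html", "http://notexample.com/"),
    ]
    for path, ref in samples:
        print(f"{path:16} referer={ref!r:45} -> {'serve' if should_serve(path, ref) else 'refuse'}")
```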