How to prevent a file from direct URL Access?
https://stackoverflow.com/questions/10236717
-
01-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm using Apache and I have a sample web folder on my Local Host, like:
http://localhost/test/
Files in the test folder:
index.html
sample.jpg
.htaccess
Sample source of index.html:
<html>
<body>
<img src="sample.jpg" />
</body>
</html>
When I run the website at http://localhost/test/, it will simply show the image `sample.jpg' on the page.
Problem:
- I want to prevent the image showing as
http://localhost/test/sample.jpgdirectly in the url bar.
Note: I found that the solutions below work when tested on every browser except Firefox.
Solution
Try the following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Returns 403, if you access images directly, but allows them to be displayed on site.
Note: It is possible that when you open some page with image and then copy that image's path into the address bar you can see that image, it is only because of the browser's cache, in fact that image has not been loaded from the server (from Davo, full comment below).
OTHER TIPS
rosipov's rule works great!
I use it on live sites to display a blank or special message ;) in place of a direct access attempt to files I'd rather to protect a bit from direct view. I think it's more fun than a 403 Forbidden.
So taking rosipov's rule to redirect any direct request to {gif,jpg,js,txt} files to 'messageforcurious' :
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.ltd [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.ltd.*$ [NC]
RewriteRule \.(gif|jpg|js|txt)$ /messageforcurious [L]
I see it as a polite way to disallow direct acces to, say, a CMS sensible files like xml, javascript... with security in mind: To all these bots scrawling the web nowadays, I wonder what their algo will make from my 'messageforcurious'.
Based on your comments looks like this is what you need:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost/ [NC]
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F,NC]
I have tested it on my localhost and it seems to be working fine.
First of all, find where the main apache’s config file httpd.conf is located. If you use Debian, it should be here: /etc/apache/httpd.conf. Using some file editor like Vim or Nano open this file and find the line that looks as follows:
Options Includes Indexes FollowSymLinks MultiViews
then remove word Indexes and save the file. The line should look like this one:
Options Includes FollowSymLinks MultiViews
After it is done, restart apache (e.g. /etc/init.d/apache restart in Debian). That’s it!
For me this was the only thing that worked and it worked great:
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@])@@https?://\1/.
RewriteRule .(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]
found it at: https://simplefilelist.com/how-can-i-prevent-direct-url-access-to-my-files-from-outside-my-website/
When I used it on my Webserver, can I only rename local host, like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteCond %{REQUEST_URI} !^http://(www\.)?localhost/(.*)\.(gif|jpg|png|jpeg|mp4)$ [NC]
RewriteRule . - [F]
