I do not believe this is possible, but I figure there are people out there way smarter than me, so why not check ..

I would like to have an HTTP image that is viewable from within a page when used w/in an img tag, but NOT visible if the img src link is called directly. Does that make sense? Viewable in page, but not if called directly.

Quick edit .. acceptable alternative is to embed image in page in such a way as url is not human readable / able to be extracted and typed into browser.

Update 2 ... .NET IIS7 env.

A: 

I believe that you can achieve something like this by relying on the referrer header supplied by the browser - when the referrer is a web page on your own site, you serve up the image, but not otherwise.

It's not 100% reliable (as passing the referrer isn't mandatory in the HTTP spec) but works well enough for some sites.

This is achieved through configuration of your webserver; you therefore might have more luck asking this on ServerFault.

Bevan
A: 

Yes, there are lots of articles on how to set up mod_rewrite rules in Apache to try and prevent direct access to files.

http://www.cyberciti.biz/faq/apache-mod_rewrite-hot-linking-images-leeching-howto/

MacAnthony
Bah, you caught me asking bad / incomplete question. Environment is IIS7. Good thought though, thank you.
brad
A: 

It depends on how it gets built. You can always make sure your referrer is the page that you expect it to be hosted from and lock down requests there.

If you have some notion of authentication, you could bury the image under some type of php/ruby script or asp.net http handler that requests the image from the server or database (in a place that is not publicly viewable but is reachable by your server-side code) and that handler could check for your authentication status before returning it.

Tony Heupel
+2  A: 

Note that "security" products such as Norton Internet Security and Norton Personal Firewall prevent the HTTP Referer: (TBL's spelling mistake, not mine) header being sent by default. As these products are widely used, referrer blocking will break things for an awful lot of people.

FWIW, if I was keen to get your image other than by viewing your page (although I can't imagine why I should be) I would just grab the bits as they came over the network when I viewed your page, using something like Charles or Fiddler. It's completely impossible to make content available over the web but prevent people from making a copy.

NickFitz
Certainly correct. My objective is to "make it difficult" for people to retrieve images directly.
brad
It might be helpful to explain *why*. Fiddler is trivial to use, or the user could simply copy the images out of their temp files, etc.
EricLaw -MSFT-
A: 

Frankly, I re-worked my solution so I didn't really have to worry about it ... know that's a cop out, as it doesn't REALLY answer the question, but there it is. My concern was that users would be able to defraud the "game" I was creating if they could figure out the sequence that was being used to name the images. Quick and dirty solution .... don't make image file names sequential / predictable.

brad
And yes, I do think it is particularly cheesy to mark my own question as the right answer, but it at least provides some closure to this particular edge case.
brad
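
An added illustration of the fix described in the last answer (image names that are not sequential or predictable); it is not code from the thread. It is written in Python for brevity, and the secret key, the `img:` label and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: a per-deployment secret that never leaves the server.
SECRET_KEY = secrets.token_bytes(32)


def opaque_name(index: int, key: bytes = SECRET_KEY, ext: str = ".png") -> str:
    """Derive a stable but unguessable file name for image number `index`."""
    mac = hmac.new(key, f"img:{index}".encode(), hashlib.sha256).digest()
    # Keep 128 bits of the MAC: far too large a space to enumerate, and
    # knowing the name of image N says nothing about the name of image N+1.
    token = base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()
    return token + ext


def build_manifest(count: int, key: bytes = SECRET_KEY) -> Dict[str, int]:
    """Server-side lookup table: opaque name -> original sequence number."""
    manifest: Dict[str, int] = {}
    for i in range(count):
        name = opaque_name(i, key)
        if name in manifest:  # practically impossible, but never overwrite
            raise ValueError("name collision")
        manifest[name] = i
    return manifest


def resolve(requested: str, manifest: Dict[str, int]) -> Optional[int]:
    """Return the image number for a requested name, or None (answer 404)."""
    # Serve only exact names from the manifest; anything path-like is refused.
    if "/" in requested or "\\" in requested or requested.startswith("."):
        return None
    return manifest.get(requested)


if __name__ == "__main__":
    manifest = build_manifest(3)
    for name, idx in manifest.items():
        print(idx, "->", name)
    print(resolve("2.png", manifest))  # a guessed sequential name: None
```

This only removes the ability to guess the next image; as the other answers point out, anyone who is served an image can still copy it.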