What is the best/simplest way to prevent people hotlinking to images from my hosted ASP.NET website? I don't need to prevent all images/resources from hotlinking, I just want to prevent hotlinking to specific images/resources on a site. FYI. It's hostesd on GoDaddy.com so IIS tricks probably wont work.
+1
A:
You could refuse any requests for images that don't have your site in the HTTP referer header field. That's the theory. In order to control requests in your application, you'd have to stream all images through an ASP page (as opposed to linking to them directly).
cdonner
2009-03-15 21:44:23
+3
A:
Streaming the images through an ASPX page is a good solution. Though Referrer could be hacked.
What you could do is use a unique salt (keyword) and generate against MD5 (SHA-1 or SHA-2) if you are really concerned with security. Run the current epoch time as well against this as well, this puts an expiry on images as well. Store this "keycode" in the cookies. Whenever images are served you basically pass this via the querystring. The validation happens on the ASPX on the other end. You could even regenerate a new "keycode" between each request using either an HTTPRequestModule or the Global.asax page.
There will be overhead, but it will prevent anyone from hotlinking.
Danny G
2009-03-15 22:17:34
+1 +Answer. There's a lot there. I'll probably go for the expiring hash and custom extension handler (through the 404 mechanism)
Dead account
2009-03-16 19:49:38
+2
A:
One thing I've seen that I thought was clever is to add an extra portion to the bottom of the image, and then use a css sprite technique to cut it off when shown on your site. A naive hotlink will result in displaying your extra portion. This will mean the image is skewed, so it doesn't look right on the other site, and you can use the extra portion to show your own url or whatever else you want.
Joel Coehoorn
2009-03-15 23:55:23