views: 461
answers: 7

Sometimes I see an image not being served when the browser looks at www.somesite.com/some_image.jpg -- it will say you need to look at the image from within a page.

(such as when using Google's image search and looking at some results)

So I think their server is using something like

// pseudo code, written out as PHP
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if (strpos($referer, 'mywebsite.com') === false) { header('HTTP/1.1 403 Forbidden'); exit; } // do not serve the image / swf

But this probably is not a good way, since HTTP_REFERER is not reliable? So some users will end up not seeing the image or swf when the referer info is missing?

+4  A: 

It can be reliable, but some firewalls strip it out, so you should do

// pseudo code, written out as PHP: a missing or empty referer is let through
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer !== '' && strpos($referer, 'example.com') === false) { header('HTTP/1.1 403 Forbidden'); exit; } // do not serve image
Henri Watson
+1  A: 

It's not perfect, but it's probably better than nothing if it can prevent 80% of the audience, who wouldn't know how to hack the referer, from grabbing your image. You should also keep your image folder under randomly named folders and periodically rename them to prevent direct linking.

eed3si9n
+4  A: 

Or even better, if you have access to a .htaccess file you could do the following:

RewriteEngine On
# refuse the file when a referer is present and it is not our own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|js|css|cur|png)$ - [F,NC]

Or if you want them to see a different image, then do the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# skip the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/angryman\.gif$
RewriteRule \.(gif|jpe?g)$ http://www.example.com/angryman.gif [R,L,NC]
Marc Towler
The RewriteCond and RewriteRule docs look complicated... is it saying that if REFERER is empty or contains example.com, then change *.gif or *.jpg to angryman.gif?
動靜能量
@Jian Lin, the second alternative uses the ! (not) sign. So it is saying (via regex): if HTTP_REFERER is not empty and it's not http://example.com or http://www.example.com, show angryman.gif.
Fran Corpier
(sorry about those links-- I forgot to escape the forward slashes after http. I meant http:\/\/example.com or http:\/\/www.example.com. Hope these show up. :)
Fran Corpier
A: 

I would upgrade that figure to 99.something%. Almost all people won't have proxies that interfere with referrer strings.

But yes, it's trivial to set the referrer with wget (et al).

Oli
+1  A: 

Just as another approach, I think it's vastly more fun to casually allow hotlinking referrers until you get some joker pushing thousands of requests a day (without any real link-throughs). What I've done then is redirect the image to something completely different.

Think Goatse. Only nastier.

Oli
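The "allow it until some joker is pushing thousands of requests a day" approach needs a way to spot that joker in the access log. The following is an added Python example, not code from Oli or from any other poster: it parses Apache combined-format log lines, counts image requests per foreign referer host, and reports the hosts at or above a threshold. The log layout, the own-site host set, the threshold and the sample log lines are all constructed assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log layout, assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_RE = re.compile(r'\.(gif|jpe?g|png|swf)$', re.IGNORECASE)

# Our own site (assumed); a leading "www." is stripped before comparing.
OWN_HOSTS = {"mywebsite.com"}

# Constructed sample access log, not real traffic: joker.example embeds banner.jpg
# on several forum pages, one visitor comes from our own site, one has no referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /img/banner.jpg HTTP/1.1" 200 51200 "http://joker.example/forum/thread1" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:56:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 51200 "http://joker.example/forum/thread2" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2010:13:57:41 +0000] "GET /img/banner.jpg HTTP/1.1" 200 51200 "http://joker.example/forum/thread3" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:58:10 +0000] "GET /img/banner.jpg?v=2 HTTP/1.1" 200 51200 "https://www.joker.example/forum/thread4" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:14:01:00 +0000] "GET /img/banner.jpg HTTP/1.1" 200 51200 "http://www.mywebsite.com/index.html" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2010:14:01:30 +0000] "GET /img/banner.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:14:02:15 +0000] "GET /page.html HTTP/1.1" 200 2048 "http://joker.example/forum/thread1" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2010:14:03:00 +0000] "GET /img/logo.png HTTP/1.1" 200 1024 "http://other.example/blog" "Mozilla/5.0"
this line is not in the expected format
"""


def referer_host(referer):
    """Host of a Referer value, lowercased, with a leading 'www.' dropped.
    Returns '' when the referer is absent ('-' in Apache logs) or unparsable."""
    if not referer or referer == "-":
        return ""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host


def parse_line(line):
    """Dict of the named fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hotlink_report(lines, threshold):
    """(host, count) pairs, highest count first, for foreign referer hosts that
    requested image files at least `threshold` times. Requests with no referer
    cannot be attributed and are left out; own-site referers are not hotlinks."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole report
        if not IMAGE_RE.search(urlsplit(rec["path"]).path):
            continue  # only image files matter; query strings are ignored
        host = referer_host(rec["referer"])
        if host == "" or host in OWN_HOSTS:
            continue
        counts[host] += 1
    return sorted(((h, n) for h, n in counts.items() if n >= threshold),
                  key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    for host, n in hotlink_report(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{host}: {n} hotlinked image requests")
```

Run against a real log, the report is the list of hosts whose image paths you would then route to the replacement image; a threshold of 1 lists every foreign host that has embedded anything at all.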
A: 

The Referer header is just text, so it can be forged in the HTTP request. As stated in an earlier comment, your code should take care of the vast majority of folks.

nikudesu
A: 

Similar to Henri Watson, I was thinking of

// pseudo code, written out as PHP
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer !== '' && strpos($referer, 'mywebsite.com') === false) { header('HTTP/1.1 403 Forbidden'); exit; } // don't serve it

Double checking the 3 cases:
referer empty ==> served
referer not empty and contains "mywebsite.com" ==> served
referer not empty and does not contain "mywebsite.com" ==> not served

Then the person who is doing the hard link will most likely see that it doesn't work to link that way and change it right away.

動靜能量
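Henri Watson's check and the three cases enumerated in the answer above, as an added Python example that is not code from any of the posters. It matches the parsed Referer host against an allow-list instead of searching for a substring, so a referer such as http://mywebsite.com.evil.example/ or http://evil.example/?mywebsite.com does not pass, and it also carries Marc Towler's "show them a different image" variant into code without sending the replacement image back through the same check. ALLOWED_HOSTS and the replacement path are assumptions for this example.

```python
from urllib.parse import urlsplit

# Hosts allowed to embed our images (assumed for this example).
ALLOWED_HOSTS = {"mywebsite.com", "www.mywebsite.com"}


def referer_host(referer):
    """Lowercased host of a Referer value; '' when it is missing, empty or unparsable."""
    if not referer:
        return ""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""


def should_serve(referer, allowed=ALLOWED_HOSTS):
    """The three cases from the thread:
       referer empty                      -> served (a proxy may have stripped it)
       referer from one of our own hosts  -> served
       referer from anywhere else         -> not served
    The comparison is on the parsed host, not a substring of the whole URL."""
    host = referer_host(referer)
    if host == "":
        return True
    return host in allowed


def image_to_serve(path, referer, replacement="/angryman.gif"):
    """Variant that swaps in a replacement image for hotlinked requests.
    The replacement itself is always served as-is: a browser that keeps the foreign
    referer across the redirect would otherwise be bounced to it forever."""
    if path == replacement or should_serve(referer):
        return path
    return replacement


if __name__ == "__main__":
    # Constructed sample referers covering the three cases plus two lookalikes.
    for ref in ["", "http://www.mywebsite.com/gallery.html", "http://other.example/blog",
                "http://mywebsite.com.evil.example/", "http://evil.example/?mywebsite.com"]:
        print(f"{ref or '(none)':45} -> {'serve' if should_serve(ref) else 'refuse'}")
```

Whoever controls the client can still set any Referer they like (wget and curl both have a flag for it), so this only stops casual hotlinking, exactly as the answers above say; the host comparison just closes the gap where a foreign page could pass the substring test by putting your domain somewhere in its own URL.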