[nycbug-talk] direct file access denied via htaccess

Isaac Levy ike
Wed Jun 15 19:30:35 EDT 2005

Hi Steve,

On Jun 15, 2005, at 6:02 PM, Marc Spitzer wrote:

> On 6/15/05, Steve Rieger <steve.rieger at tbwachiat.com> wrote:
>> hi all am trying (dont even know if this is possible) to prevent 
>> anybody
>> and all from accessing anhy files via http directly

Thing is- I'm assuming for the rest of my response to this post that 
you *do* want the images to load into web pages visa http, but you 
*don't* want people to just grab them individually.

In a big-picture nutshell, I'm sad to report you cannot both provide 
access and deny access to the image files- the usual suite of 
obfuscation tricks are trivially bypassed by anyone who wants the 
images and has 20 minutes to spare figuring it out.

More good stuff on 'hotlinking', which is quite a realistic way prevent 
loading of the images from web-pages on another server, using nifty 
'referer' stuff:


> hmm.
> one way to raise the bar is to generate the links with javascript on
> the client, you can not copy the link with out.  Your real problem is
> that things are cached on the client so to lift your stuff I do the
> following:
> 1: clear cache on firebird
> 2: hit your website
> 3: go through the cache, digital dumpster diving.
> marc
> ps there may be some neat firebird modules that make this even easier.
> marc

Marc's right, and I'd add big-picture, that if you allow *any* sort of 
access to the image files, you cannot stop people from *ever* getting 
at the source .jpg files.  I'd even throw in that I know some flash 
folks who keep all sorts of dirty little tools for extracting images 
from even flash files and movie clips, in the browser cache.

>> i know the proper syntax for preventing hotlinking
>> # cat .htaccess
>> RewriteEngine on
>> RewriteCond %{HTTP_REFERER} .
>> #RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.(com?net) [NC]
>> RewriteRule \.(gif|jpg|bmp|mid|css)$ - [F,NC]
>> but say that you know that i have a jpg at
>> http://www.mydomain.com/stever/junk/001.jpg
>> i need to prevent anybody from pasting that into their browser and
>> getting that image. the above htaccess file aint working, how can i 
>> make
>> this happen.

Now, aside from my above naysaying, one obfuscation method *could* get 
you what you need if your experiencing a problem- but it suffers from 
the cache-splunking problem as well here-

You could use the referrer tag, ala the anti-'hotlinking' config stuff 
above, and only serve images based on the calling page as the referrer. 
  It still can be bypassed with the image cache problem, but it would 
make the server exhibit the behaviour your wanting.

Regardless, DRM is a joke...


>> thanx

More information about the talk mailing list