File linking: How to prevent?

vanity | 11/20/02 | Yehuda

[Yehuda]

How hard is it for a site administrator to prevent other sites from linking to a real audio file on the admin's server?

I know that some servers don't allow US to link files for display here.

Appreciate any feedback; there is a site admin I am in discussion with on this subject.

[sigSEGV]

There is an HTTP header that the browser passes called the Referer (yes, spelled wrong). Based on that value passed, the page can either allow or reject the request. Implementation would be specific to what you're doing it in (PHP, ASP, Perl, etc).

[general_re]

How hard is it for a site administrator to prevent other sites from linking to a real audio file on the admin's server?

Not hard. Configure your webserver to reject requests for the file that don't have a local referrer or that have a null referrer. Easy as pie ;)

[Lorenb420]

When you click on a link one of the things you send to the server is a variable called 'referer'. It contains the URL of the site that reffered you to whatever you are trying to view.

It's pretty trivial to block based on that. Here is a Perl module, that can do it Apache::RefererBlock.

That is just off the top of my head, I'm sure that are other ways too.

Another way to do it, would be to use an .htaccess file:

setenvifnocase Referer "^http://www.sitetobeblocked.org" spam_ref=1
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=spam_ref
</FilesMatch>

For IIS, you can use something like Leech Blocker.

I'm not sure what else is available for IIS, I mainly use Apache myself.

[AppyPappy]

You deny file access to IUSER in NTFS

[Lorenb420]

You deny file access to IUSER in NTFS

That will stop everyone from viewing it, even on your own site. If you want to stop say just 'freerepublic' users and allow everyone else, then that approach won't work.

[AppyPappy]

That's what I thought they wanted. I guess you could just firewall the IP out.

[Gorzaloon]

Here is another resource:

FROM: http://www.thesitewizard.com/archive/bandwidththeft.shtml

Excerpted:

Basically, you will need to create an ASCII text file named .htaccess (with the preceding period and in lowercase) in the directory where you placed your images. The file should have the following lines:

RewriteEngine on

RewriteBase /image-directory

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/.*$ [NC]

RewriteRule ^.*\.gif$ - [F]

If your images are placed in a directory that is accessed by the URL "http://www.yourdomain.com/pictures/", then you should change the line beginning with "RewriteBase" to the following:

RewriteBase /pictures

You must change "www.yourdomain.com" to your actual URL. For example, if you are hosted on a free web server with a URL like "http://yourisp.com/~you/" you should change that line to:

RewriteCond %{HTTP_REFERER} !^http://yourisp.com/~you/.*$ [NC]

If your website can be accessed with a "yourdomain.com" form in addition to the "www.yourdomain.com" form, simply add another RewriteCond to the list. That is, your .htaccess file would have the following additional line before your "RewriteRule" line:

RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/.*$ [NC]

This file will "protect" all your images that end with a ".gif" extension. If you want to protect your ".jpg" or ".png" files as well, duplicate all the above lines (except the "RewriteEngine on" line) and modify the last line to have ".jpg" (or ".png") instead of ".gif".

Remember: the file should be an ASCII text file, *not* a Microsoft Word file or a Wordpad file or the like. It should also be named ".htaccess" (no extension). When you upload it to your web server, you should make sure that your FTP program uploads it in Text mode (not Binary or using the Automatic detection feature).

[Yehuda]

Thank you all - passing this info on!