A friend writes:
I’m finding that some number of people are hosting my Janet Jackson
“movie” by simply linking it in from their sites, meaning *I* get to
pay for the bandwidth. Is there some way to prevent this?
Here’s what I’d do:
- Change your pages to refer to something called, say, jjackson-movie.cgi
- Then have a script by that name that essentially does this:
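#!/bin/sh
# jjackson-movie.cgi: serve the real movie only when the referrer is one of your own pages
yourdomain="http://www.example.com/"   # placeholder: the URL prefix of your own site
echo "Content-type: application/x-shockwave-flash"
echo ""
case "$HTTP_REFERER" in
  "$yourdomain"*) cat real-janet-jackson-movie ;;    # request came from your own pages
  *)              cat bogus-film-for-other-folk ;;   # hotlinked, or no referrer was sent
esac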
Well, it’s slightly more complicated than that, but not by much. My only concern would be that some percentage of browsers don’t send referrer information, so for those visitors it’d break even if they viewed it on your page.
Another strategy would be to have the page that includes the movie dynamically generated to include a timestamp, then this script checks to see if the timestamp is less than, say, two hours old. That’d involve two scripts instead of one, though: one for the page that contained the link, and one for the actual delivery of the movie itself.
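The timestamp strategy above, as an added example that is not code from the original post. It goes one step beyond the text by signing the timestamp with an HMAC, so that a timestamp written by anyone other than your page script is rejected; the secret, the `t` query parameter and the function names are assumptions.

```python
import hashlib
import hmac
import time
import urllib.parse

# Assumption: a server-side secret shared by the page script and the delivery script.
SECRET = b"replace-with-a-long-random-value"
MAX_AGE = 2 * 60 * 60  # "less than, say, two hours old"


def _sign(ts: str) -> bytes:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest().encode()


def make_token(now=None) -> str:
    """Page script: build the value to embed in the movie link (?t=<token>)."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _sign(ts).decode()


def check_token(token, now=None) -> bool:
    """Delivery script: accept only a correctly signed timestamp under MAX_AGE."""
    now = time.time() if now is None else now
    ts, sep, sig = (token or "").partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    # Constant-time comparison; bytes on both sides so non-ASCII input is
    # compared and rejected instead of raising TypeError.
    if not hmac.compare_digest(sig.encode(), _sign(ts)):
        return False
    return 0 <= now - int(ts) < MAX_AGE


def pick_file(query_string, now=None) -> str:
    """Map the CGI QUERY_STRING to the file the delivery script should stream."""
    token = urllib.parse.parse_qs(query_string or "").get("t", [""])[0]
    if check_token(token, now):
        return "real-janet-jackson-movie"
    return "bogus-film-for-other-folk"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp for the demonstration
    link = "jjackson-movie.cgi?t=" + make_token(issued)
    print(link)
    print(pick_file(link.split("?", 1)[1], now=issued + 600))        # fresh link
    print(pick_file(link.split("?", 1)[1], now=issued + 3 * 3600))   # stale link
    print(pick_file("t=%d.%s" % (issued, "0" * 64), now=issued))     # unsigned guess
```

Unlike the referrer check, this does not depend on the browser sending a referrer, so visitors whose browsers omit it still get the real file from your own page.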
If your server allows it, a better solution here is to use .htaccess. Being a lazy Linux admin, it’s much easier to manage a centralized file than to put the code in multiple files where hotlinking needs to be prevented (the server does less work here too). Since this still relies on $HTTP_REFERER, you should keep an eye out in your access_log, then just block the baddies completely using $REMOTE_ADDR or $REMOTE_HOST.
#-----Prevent hot linking of images and other file types----------
#requires mod_rewrite
#The next 2 lines may also be required depending on your Apache setup
#Options +FollowSymlinks
#RewriteEngine on
#An empty referrer is let through; any other referrer that is not this site is refused
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/.*$ [NC]
RewriteRule \.(jpg|gif|js|css|swf)$ - [F]
#-Or serve up something else to the hot linkers
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/.*$ [NC]
RewriteRule \.(jpg|gif|js|css|swf)$ busted.html [R,L]
That’s a logical and sensible solution, Will. Hmmm…. now why didn’t I think of that?? 🙂
To ensure those without referring information, a null or empty $HTTP_REFERER could go ahead and stream the real thing. The remote page will get the file for some browsers, but will be broken for others.