Hotlink Prevention in Ruby?


#1

Hi,

I am desperately seeking a solution, or at least a hint, for
preventing non-authorized users of my social network app from accessing
images uploaded by registered users without authentication.

I already found the HTTP-REFERRER approach - but as is commonly known,
this won’t work in situations where the referrer information is
blank…

So it’s not only a bandwidth-stealing thing, but also a privacy issue,
since the users upload images and expect that no one except their
own network of friends can see them.

I can imagine using mod_rewrite to call a Ruby controller for each
website resource and then checking whether the request has at least a
session from my app. But won’t that kill the performance of the server,
when each access is being processed by a Ruby script instead of getting
it as a file?

Any help is appreciated !

Cheers

martin


#2

I think the safest way is to store images outside your public
directory for storing images. Then create a (controller and) action to
retrieve images using send_data. For example:

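# Look up the record, then stream the file from outside the public directory.
@person = Person.find(params['id'])
File.open(@person.picture, "rb") do |image|
  # send_data expects the file contents, not the File object
  send_data image.read, :filename => @person.picture, :type => "image/jpeg"
end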

You could add a before filter to check if the user is authorized. Also, when
uploading a file you should store its content type somewhere in the
database.


#3

Martin -

I wouldn’t wait till Rails had your request - static (image, etc.) file
serving won’t scale.

You can likely find a better (i.e. more performant) option in your
proxy - Apache, nginx. We serve all static files using nginx - you can
likely wire up some checking there.

Jodi


#4

Thank you both for your feedback!

In the meantime I developed the idea of using a token to establish
trust between a mod_anything running in the Apache context and the
Rails app.

The idea is to create a session token with a simple web service (trust
service) during the first page request and to augment all links to images
within my app with this token.
An Apache mod could then check each request for that token and verify
it against the trust service.
If the token is not valid or not given, the request will be answered
with 403.

But I will now check the send_data and nginx approaches first,
because even if my approach helps me to prevent anonymous users from
reading images outside the app, it will not prevent authenticated
users from seeing images from users they are not connected to (as in
any other social network, images and stories must not be seen outside
the user’s network of friends).

martin
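
An added example, not code from any poster in this thread: a variant of the token idea in post #4 where the app signs each image link with an HMAC over the path, the viewer id and an expiry, instead of having the checker call back to a trust service. The link is only issued after a friendship check and is bound to one viewer, which covers the gap named at the end of post #4. SECRET, FRIENDS and all function names are assumptions made for illustration.

```ruby
require 'openssl'

# Assumption: a secret shared by the app and whatever checks image requests.
SECRET = 'constructed-demo-secret'
# Constructed sample data: owner id => ids of that owner's friends.
FRIENDS = { 1 => [2, 3], 4 => [2] }.freeze

def sign(path, viewer_id, expires)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, "#{path}|#{viewer_id}|#{expires}")
end

# Called by the app while rendering a page: returns a signed link, or nil
# when the viewer is neither the owner nor one of the owner's friends.
def image_url(path, owner_id, viewer_id, now: Time.now.to_i, ttl: 300)
  allowed = viewer_id == owner_id || FRIENDS.fetch(owner_id, []).include?(viewer_id)
  return nil unless allowed
  expires = now + ttl
  "#{path}?viewer=#{viewer_id}&expires=#{expires}&sig=#{sign(path, viewer_id, expires)}"
end

# Compare two strings without returning early at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called by the component that serves the file: returns the HTTP status.
# session_viewer_id is the id taken from the authenticated session.
def check_request(url, session_viewer_id, now: Time.now.to_i)
  path, query = url.split('?', 2)
  pairs = (query || '').split('&').select { |kv| kv.include?('=') }
  params = pairs.map { |kv| kv.split('=', 2) }.to_h
  return 403 unless params['sig'] && params['expires'].to_s.match?(/\A\d+\z/)
  return 403 unless params['viewer'] == session_viewer_id.to_s
  return 403 if params['expires'].to_i < now
  expected = sign(path, params['viewer'], params['expires'])
  secure_equal?(expected, params['sig']) ? 200 : 403
end
```

A link copied to another logged-in user, an expired link, or a link whose path was edited all come back as 403, and no link is generated for a viewer outside the owner's friends.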