Prevent hotlinking

max · April 12, 2009, 5:56pm

Hello all,

I tried to use the following code to prevent hotlinking. But it blockes
myself as well, anyone got any idea?

location ~* (.jpg|.png|.css)$ {
valid_referers blocked domain.com *.domain.com;
if ($invalid_referer) {
return 404;
}
}

Thanks.

Max

max · April 12, 2009, 6:51pm

Try

“valid_referers none blocked *.etc.com etc”

perhaps you’re not sending a referrer header. Some “internet security
suites” do that for “privacy” and I hate them. or malfunctioning
browsers or some browsers include that option now.

that’s the only thing I see wrong there.

max · April 12, 2009, 7:49pm

Hello,

Thanks. I tried that. But it’s still not working. I am using wordpress.
Don’t know what referrer header wordpress send.

Max

max · April 12, 2009, 8:42pm

Your browser will almost always send referrers. As mentioned,
sometimes a security suite will block referrers. Sometimes flash won’t
send referrers when it makes requests (sometimes it will). You just
want to also allow blank referrers in addition to the “correct”
referrers.

max · April 12, 2009, 8:41pm

Its not Wordpress sending the header it’s your browser sending the
header (unless this is wordpress fetching images using some plugin and
then youll have to modify the script to send a referer header (I
believe it is spelled wrong, technically)

max · April 12, 2009, 9:08pm

Flash players may or may not send referrers. It seems to vary based on
the web browser used. Documentation for flash would lead me to believe
that it never sends referrers, but practical experience shows that
this is not true, it does sometimes send headers, and sometimes not,
in a mostly unpredictable way.

max · April 12, 2009, 9:12pm

Possibly could be based on the player. I’m sure you can code in the
headers.

max · April 12, 2009, 8:54pm

And video embedding is infamous for not sending info. At least windows
media player type embedding. Not sure if flash players are better.

max · April 12, 2009, 10:15pm

Flash has surprisingly little flexibility with determining what
headers are sent to the server when you request files. It does what it
does and if you don’t like it, tough. That’s the conclusion I came to
in researching to design a couple flash applications, as well as to
lock down video files for a project I was working on.

Sometimes this is for security purposes. You aren’t supposed to be
able to request files from a different domain than the SWF was sourced
from (unless a crossdomain.xml file on that domain specifically allows
it). I’ve noticed that although this is supposed to be a hard and fast
rule, some video players are able to source their video files (.flv)
from sites other than where the SWF was sourced, even if
crossdomain.xml doesn’t allow it. This is probably a bug or the result
of some arcane Flash behaviour, rather than something the designer of
the SWF can decide upon.

Either way, you need to be prepared, in flash, for the likelihood that
it will either send the proper referrers, or no referrers whatsoever,
and you really have no control over which will be the case.