Avoid hotlinking to files from outside of application

Tips submitted by PHPMaker users
mpol_ch
User
Posts: 877
Location: Switzerland

Post by mpol_ch »

With this code you can avoid hotlinking to the files under a certain folder. I have an application that is located under xxxx://mpol.ch/demo and the users are uploading their documents into the folder "invoices".
After this implementation the documents can be viewed only through links from the application itself, which are located under "xxxx://mpol.ch/demo/". All other requests will generate a "Forbidden" message.

Step 1: Copy the code to an editor
Step 2: Adjust the Referer and origin for your application
Step 3: Save the code as file htaccess.txt
Step 4: Upload the file htaccess.txt into the folder that you want to protect, in my case into "xxxx://mpol.ch/demo/invoices"
Step 5: Rename the file htaccess.txt from "htaccess.txt" to ".htaccess"
Step 6: Carry out your tests

Start here

SetEnvIfNoCase Referer "xxxx://mpol.ch/demo/" internal
SetEnvIfNoCase origin "xxxx://mpol.ch/demo/" internal
<Files *>
order Deny,Allow
Deny from all
Allow from env=internal
</Files>

End here

mpol_ch
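
An added example, not part of the original post and not PHPMaker's own configuration: the same Referer check with anchored patterns, shown beside the pattern from the post, with an Apache 2.4 form of the access rule. Assumptions: the scheme masked as "xxxx" in the post is http or https, and mod_setenvif is loaded.

```apache
# .htaccess for the protected folder (the "invoices" folder in the post).
# Added example; https?:// is an assumption because the post masks the scheme.

# Pattern from the post, kept commented out for comparison:
#   SetEnvIfNoCase Referer "xxxx://mpol.ch/demo/" internal
# SetEnvIf patterns are regular expressions searched anywhere in the header
# value, and an unescaped "." matches any character, so that pattern also
# matches Referer values that merely contain the application URL somewhere.

# Anchored at the start with dots escaped: the Referer must begin with the
# application URL.
SetEnvIfNoCase Referer "^https?://mpol\.ch/demo/" internal

# An Origin header carries only scheme://host[:port] and never a path, so a
# pattern ending in /demo/ cannot match it. Matching the bare origin works,
# but it admits every page on the host, not only the application under /demo/.
SetEnvIfNoCase Origin "^https?://mpol\.ch$" internal

# Apache 2.4 (mod_authz_core): allow only requests flagged above.
<IfModule mod_authz_core.c>
    Require env internal
</IfModule>

# Apache 2.2 fallback: the same directives the post uses.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from env=internal
</IfModule>
```

Referer and Origin are supplied by the client and are absent on typed URLs, bookmarks and pages served with a no-referrer policy, so those requests receive 403 Forbidden. The rule discourages hotlinking; it does not authenticate who may read the documents.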


alex
User
Posts: 266

Post by alex »

good thing, but didn't work for me - forbidden...


philmills
User
Posts: 535

Post by philmills »

Old thread, but I got it working with .htaccess. This disables hotlinking for ALL file types.

Create a file named .htaccess in your upload folder and copy/paste this into it:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} https?://(www\.)?mydomain\.com/uploads.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^$
RewriteRule \.*$ - [NC,F,L]
</IfModule>

Obviously you'll need to edit the part www\.)?mydomain\.com to suit your site's address.

