httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eugene Lee <>
Subject Re: [users@httpd] preventing image theft
Date Fri, 04 Jun 2004 12:04:46 GMT
On Fri, Jun 04, 2004 at 01:29:53PM +0200, Robert Andersson wrote:
: Eugene Lee wrote:
: > :
: > : Only deny when the request includes a Referer header, and when it is
: > : wrong. Allow otherwise. That won't stop all, but most, which should be
: > : your goal.
: >
: > Rats.  I was hoping for a better solution that dealt with missing
: > Referer headers.  I guess the appropriate solution would be to write
: > a CGI wrapper for the images, which will take some work.  Oh well,
: > thanks for confirming what I had known and feared.  :-)
: Well, there is not much more that you can do with a CGI wrapper. If
: the request comes in without a Referer header, there is no telling if
: it resulted from a previous visit on your site or another.
: There are some things you could do, like:
:     1) setting a cookie when someone visits a page, and then check this
:        cookie when serving the images. However, people/browsers not
:        using cookie won't see any images.

This is for a members-only site that has a pictures upload section that
I want to restrict to members-only as well.  As you suspected, the CGI
wrapper will likely involve inspecting cookie information from the site.
There's a chance that the cookie information is fake, but doing so will
raise the bar so high that it should stop all but the most persistent,
clued bandwidth thieves.

: Back to the Referer. If the request has one, there is one of two situations:
:     1) It is a "local" URI (but might be faked)
:     2) It is an "external" URI (might also be faked)
: If the request doesn't have a Referer header, it could be becuase:
:     1) The image was requested directly (not embeded in a HTML doc)
:     2) The request is "legal", but the user-agent is configured not to
:        send the Referer header.
:     3) The request is "illegal", but the user-agent is configured not to
:        send the Referer header.
: As we see, there is no solid way to solve this. It is the nature of
: the Internet.
: If you are concerned about people "stealing" images, take them off the web!
: If you are only concerned about bandwidth, deny image requests that includes
: an "illegal" Referer header, and you will get rid off ~95% of the "thefts".

95% is a good start.  And while the CGI wrapper solution may or may not
catch the other 5%, the resources required to develop the solution may
be exponentially proportional to the goal of catching that final 5%.
In other words, it may not be worth it.  :-)  Thanks again.

Eugene Lee

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message