What is the best/simplest way to prevent people hotlinking to images from my hosted ASP.NET website? I don't need to prevent all images/resources from hotlinking, I just want to prevent hotlinking to specific images/resources on a site. FYI. It's hostesd on GoDaddy.com so IIS tricks probably wont work.
How to prevent image hotlink from your ASP.NET site?
Asked Answered
Have a look here. mvolo.com/blogs/serverside/archive/2006/11/10/… –
Cenis
Streaming the images through an ASPX page is a good solution. Though Referrer could be hacked.
What you could do is use a unique salt (keyword) and generate against MD5 (SHA-1 or SHA-2) if you are really concerned with security. Run the current epoch time as well against this as well, this puts an expiry on images as well. Store this "keycode" in the cookies. Whenever images are served you basically pass this via the querystring. The validation happens on the ASPX on the other end. You could even regenerate a new "keycode" between each request using either an HTTPRequestModule or the Global.asax page.
There will be overhead, but it will prevent anyone from hotlinking.
+1 +Answer. There's a lot there. I'll probably go for the expiring hash and custom extension handler (through the 404 mechanism) –
Cloudcapped
Simplest way to do this is with a UrlRewrite in IIS 7.0.
https://help.maximumasp.com/KB/a738/using-url-rewrite-to-prevent-image-hotlinking.aspx
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="PreventImageHotlinking" enabled="true" stopProcessing="true">
<match url=".*\.(gif|jpg|png)$" />
<conditions>
<add input="{HTTP_REFERER}" negate="true" pattern="^$" />
<add input="{HTTP_REFERER}" negate="true" pattern="http://www.YourDomain.com/.*" />
</conditions>
<action type="Rewrite" url="/images/hotlinking.jpg" />
</rule>
</rules>
</rewrite>
</system.webServer>
Love it! I use it for images/js/css files and anything else I don't want others to hotlink! –
Mixer
you must add to exclusion also facebook for sharing and Google for image indexing if you want. –
Trauner
You could refuse any requests for images that don't have your site in the HTTP referer header field. That's the theory. In order to control requests in your application, you'd have to stream all images through an ASP page (as opposed to linking to them directly).
Streaming the images through an ASPX page is a good solution. Though Referrer could be hacked.
What you could do is use a unique salt (keyword) and generate against MD5 (SHA-1 or SHA-2) if you are really concerned with security. Run the current epoch time as well against this as well, this puts an expiry on images as well. Store this "keycode" in the cookies. Whenever images are served you basically pass this via the querystring. The validation happens on the ASPX on the other end. You could even regenerate a new "keycode" between each request using either an HTTPRequestModule or the Global.asax page.
There will be overhead, but it will prevent anyone from hotlinking.
+1 +Answer. There's a lot there. I'll probably go for the expiring hash and custom extension handler (through the 404 mechanism) –
Cloudcapped
One thing I've seen that I thought was clever is to add an extra portion to the bottom of the image, and then use a css sprite technique to cut it off when shown on your site. A naive hotlink will result in displaying your extra portion. This will mean the image is skewed, so it doesn't look right on the other site, and you can use the extra portion to show your own url or whatever else you want.
© 2022 - 2024 — McMap. All rights reserved.