
Apache & IIS : Preventing Bandwidth Theft of Web Content <http://www.bhatt.id.au/article/31/>



 
    


Apache & IIS : Preventing Bandwidth Theft of Web Content

Published May 3, 2004, 2:13 pm by Neerav Bhatt

Bandwidth theft (hotlinking) is a problem for webmasters whose sites contain content that other people will link to directly from their own pages, e.g. photo galleries or file downloads.

Someone unscrupulous can use your content in their own site, for example by embedding your images in their HTML with an img src="" tag that points at your server. Visitors to their site are led to believe the image is theirs, and because the image is served from your web server you pay the bandwidth cost of sending it to their browsers.

Apache Webserver

If your web server software is Apache, putting the code below in a .htaccess file in the directory you want to protect will prevent bandwidth theft by only serving the protected files to requests that come from pages on your own site (replace www.sitename.com with your own domain name).

SetEnvIfNoCase Referer "^https?://www\.sitename\.com/" local=1
SetEnvIfNoCase Referer "^https?://www\.sitename\.com$" local=1
SetEnvIfNoCase Referer "^$" local=1
<FilesMatch "(?i)\.(gif|png|jpg)$">
    Order Allow,Deny
    Allow from env=local
</FilesMatch>

NOTE: DON'T CHANGE THE SPELLING OF REFERER; THAT IS HOW THE HTTP HEADER (AND APACHE) SPELLS IT.

Code Explanation

  1. SetEnvIfNoCase Referer "^https?://www\.sitename\.com/" local=1
    SetEnvIfNoCase Referer "^https?://www\.sitename\.com$" local=1
    SetEnvIfNoCase Referer "^$" local=1
    These 3 lines set the environment variable local for requests whose Referer is, respectively, a page on your site (http://www.sitename.com/ or anything beneath it, e.g. http://www.sitename.com/index.htm), exactly http://www.sitename.com with no trailing slash, or blank/absent. The dots are escaped because the pattern is a regular expression, and https? covers a site served over HTTPS as well as HTTP.
  2. <FilesMatch "(?i)\.(gif|png|jpg)$">
    This matches requests for files whose names end in .gif, .png or .jpg (common image extensions). The (?i) makes the match case insensitive, so test.JPG is covered as well as test.jpg.
  3. Order Allow,Deny
    Allow from env=local
    </FilesMatch>
    Inside the container, Order Allow,Deny denies every request that is not explicitly allowed, and Allow from env=local allows only the requests described at 1., so links to that content from any other web server are refused with a 403 Forbidden.

For example, if you are storing photos for a photo gallery at www.sitename.com/photos/, upload the .htaccess file to the photos directory of www.sitename.com.

Points To Consider

  • With some effort requests can be forged to make them appear to come from your own server: the Referer header is set by the client, so anyone using curl or wget can send whatever value they like. Bandwidth thieves generally will not make the effort, preferring to steal from someone whose content isn't protected.
  • People whose browsers or proxies replace the Referer with a false value, e.g. "Field blocked by Outpost firewall (http://www.agnitum.com)", will be blocked from viewing the protected content, because that value is neither blank nor your site. It is therefore recommended that the .htaccess file containing the anti-bandwidth-theft code NOT be put in the root directory of your domain. Browsers and proxies that strip the header entirely are unaffected, because the "^$" rule admits a blank Referer.
  • FilesMatch is the right container here: <Directory> is not permitted in .htaccess files and matches directory paths, not file names. The FilesMatch regular expression is case sensitive by default, which is why the (?i) flag is included; without it, another site could link to test.JPG and bypass the rule.
  • The .htaccess file is only honoured if the directory's AllowOverride allows at least FileInfo (for SetEnvIf) and Limit (for Order/Allow). On Apache 2.4 the Order and Allow directives come from mod_access_compat; if that module is not loaded, replace the two lines inside the container with Require env local.
  • This method can be used to stop bandwidth theft of other files, e.g. executables (.exe) or PDF files (.pdf), by modifying the file extensions matched by <FilesMatch "(?i)\.(gif|png|jpg)$">.
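To see exactly which requests the rules above let through, here is the same decision (Referer test plus case-insensitive image-extension match) as a small Python function run over a handful of constructed requests. This is an added example written for this page, not the article's code or anything Apache ships; www.sitename.com is the article's placeholder domain, and the sample requests are made up.

```python
import re

# Added illustration, not code from the article: the decision the .htaccess
# rules make, as a function that can be run against sample requests.
# www.sitename.com is the placeholder domain used in the article.
SITE = "www.sitename.com"

# A Referer counts as "local" if it is a page on our own site (any path, or
# the bare origin with no trailing slash). Dots are escaped, as in the
# .htaccess, so a lookalike host does not slip past.
LOCAL_REFERER = re.compile(r"^https?://" + re.escape(SITE) + r"(/|$)", re.IGNORECASE)

# Extensions the rule protects; re.IGNORECASE plays the role of (?i) in the
# FilesMatch pattern, so one.JPG is protected just like one.jpg.
PROTECTED = re.compile(r"\.(gif|png|jpg)$", re.IGNORECASE)


def is_local(referer):
    """True when the Referer header would set local=1 under the rules above."""
    if referer is None or referer == "":
        return True  # SetEnvIfNoCase Referer "^$" local=1 (absent or blank header)
    return LOCAL_REFERER.match(referer) is not None


def decide(path, referer):
    """Return 'allow' or 'deny' for one request, mirroring Order Allow,Deny +
    Allow from env=local inside the FilesMatch container."""
    if not PROTECTED.search(path):
        return "allow"  # the container does not apply to unprotected files
    return "allow" if is_local(referer) else "deny"


# Constructed sample requests: (request path, Referer header or None if absent).
SAMPLE_REQUESTS = [
    ("/photos/one.jpg", "http://www.sitename.com/gallery.htm"),    # own page (a forged Referer with this value looks identical)
    ("/photos/one.jpg", "http://www.sitename.com"),                # bare origin, no trailing slash
    ("/photos/one.jpg", None),                                     # browser sent no Referer
    ("/photos/one.jpg", "http://www.evil.example/page.htm"),       # hotlink from another site
    ("/photos/one.JPG", "http://www.evil.example/page.htm"),       # upper-case extension, still protected
    ("/photos/one.jpg", "http://www.sitename.com.evil.example/"),  # lookalike host
    ("/photos/index.htm", "http://www.evil.example/page.htm"),     # not a protected file type
    ("/photos/one.jpg", "Field blocked by Outpost firewall"),      # Referer replaced by a proxy/firewall
]


def run_samples():
    """Decide every sample request; returns a list of (path, referer, decision)."""
    return [(path, ref, decide(path, ref)) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ref, verdict in run_samples():
        print(f"{verdict:5}  {path:18}  Referer: {ref!r}")
```

The last sample is the Outpost case from the points above: a replaced Referer is neither blank nor your site, so the user is refused, while a browser that simply omits the header is admitted by the "^$" rule.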

Microsoft IIS Webserver

If your web server software is IIS, it seems that the only way to stop bandwidth theft is via ISAPI filters [1].

One such filter is ColdLink Bandwidth Protection Software [2], which works by obfuscating (hiding) the real location of a protected file and rewriting the link every 5 minutes. For example, if /wall/one.jpg is protected and its obfuscated link at the moment is /pipe/cb786eeac97983ffcdf4dcfc062349e2/one.jpg, five minutes later the token in the link will be different. This means the address of a protected file that a bandwidth thief links to has a lifetime of just 5 minutes; after that, any hotlink is dead.

This is an interesting technique (note the Bhatt.id.au server is Apache, so we haven't had a chance to test ColdLink). A benefit of this method is that it doesn't rely on the HTTP_REFERER header (which can be faked), but there are two disadvantages: it isn't free, and search engines may not like the constantly changing links.
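The expiring-link idea can be built without a vendor product by deriving the token from a keyed hash over the real path and the current 5-minute window, so the server can check a link statelessly. The Python below is an added illustration of that approach written for this page; it is not ColdLink's code or algorithm, and the secret key, the /pipe/ prefix, the protected file list and the one-window grace period are all assumptions made for the example.

```python
import hashlib
import hmac
import posixpath

# Added illustration of time-limited obfuscated links; not ColdLink's code.
# SECRET, PREFIX and PROTECTED_FILES are assumptions for the example.
SECRET = b"replace-me-with-a-long-random-key"
LIFETIME = 300          # seconds per link window (the article's 5 minutes)
PREFIX = "/pipe/"

# Files the server protects (a real server would walk the directory instead
# of hard-coding them). Two files share the basename one.jpg on purpose.
PROTECTED_FILES = ["/wall/one.jpg", "/wall/two.jpg", "/wall/sub/one.jpg"]


def _token(real_path, window):
    """Keyed hash binding a real file path to one time window."""
    msg = f"{window}|{real_path}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_link(real_path, now):
    """Public link for real_path at time `now` (seconds since the epoch).
    Pages are rendered with these links instead of the real path."""
    window = int(now) // LIFETIME
    return f"{PREFIX}{_token(real_path, window)}/{posixpath.basename(real_path)}"


def resolve(request_path, now):
    """Map a requested /pipe/<token>/<name> back to the real file, or return
    None if the link is malformed, tampered with, or has expired."""
    if not request_path.startswith(PREFIX):
        return None
    token, sep, name = request_path[len(PREFIX):].partition("/")
    if not sep or not name or "/" in name:
        return None
    window = int(now) // LIFETIME
    # Accept the current window and the one before it, so a page rendered
    # just before a boundary keeps working; anything older is dead.
    for w in (window, window - 1):
        for real_path in PROTECTED_FILES:
            if posixpath.basename(real_path) != name:
                continue
            # Constant-time comparison so the token cannot be guessed byte by byte.
            if hmac.compare_digest(token, _token(real_path, w)):
                return real_path
    return None


if __name__ == "__main__":
    t0 = 1_000_000
    link = make_link("/wall/one.jpg", t0)
    print(link)
    print(resolve(link, t0 + 100))                 # same window: the real path
    print(resolve(link, t0 + 2 * LIFETIME + 100))  # two windows later: None
```

Because the token covers the full real path, the two files named one.jpg resolve to the right file, and a link copied into a thief's page stops working once its window and the following one have passed, regardless of what Referer the client sends.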


Further Reading

  1. What is ISAPI, and what are ISAPI Filters and Extensions?
  2. Coldlink Bandwidth Protection Software