httpd-users mailing list archives

From "Robert Andersson" <>
Subject Re: [users@httpd] preventing image theft
Date Fri, 04 Jun 2004 11:29:53 GMT
Eugene Lee wrote:
> : Only deny when the request includes a Referer header, and when it is
> : wrong. Allow otherwise. That won't stop all, but most, which should be
> : your goal.
> Rats.  I was hoping for a better solution that dealt with missing
> Referer headers.  I guess the appropriate solution would be to write
> a CGI wrapper for the images, which will take some work.  Oh well,
> thanks for confirming what I had known and feared.  :-)

Well, there is not much more that you can do with a CGI wrapper. If the
request comes in without a Referer header, there is no telling if it
resulted from a previous visit on your site or another.

There are some things you could do, like:
    1) setting a cookie when someone visits a page, and then checking this
       when serving the images. However, people/browsers not using cookies
       won't see any images.
    2) check the IP and look back in the log to see if the client has
       visited a "local" page.

Back to the Referer. If the request has one, there is one of two situations:
    1) It is a "local" URI (but might be faked)
    2) It is an "external" URI (might also be faked)

If the request doesn't have a Referer header, it could be because:
    1) The image was requested directly (not embedded in an HTML doc)
    2) The request is "legal", but the user-agent is configured not to send
       the Referer header.
    3) The request is "illegal", but the user-agent is configured not to
       send the Referer header.

As we see, there is no solid way to solve this. It is the nature of the

If you are concerned about people "stealing" images, take them off the web!
If you are only concerned about bandwidth, deny image requests that include
an "illegal" Referer header, and you will get rid of ~95% of the "thefts".

Robert Andersson
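
Added example (not part of the message above and not Apache project code): the "deny only when a Referer is present and wrong" policy, applied to combined-format access-log lines so the effect on image requests can be counted before the rule is enabled. `LOCAL_HOSTS`, the hostnames and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hostnames your own pages are served from.
LOCAL_HOSTS = {"www.example.com", "example.com"}
IMAGE_RE = re.compile(r"\.(?:gif|jpe?g|png)$", re.IGNORECASE)
# Apache "combined" format; captures the request path and the Referer field.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def classify(referer):
    """Return 'missing', 'local' or 'external' for a Referer value."""
    if referer in ("", "-"):               # Apache logs an absent header as "-"
        return "missing"
    try:
        host = urlsplit(referer).hostname  # parsed host, lower-cased
    except ValueError:                     # malformed URL: treat as wrong
        host = None
    # Compare the whole host, so "www.example.com.mirror.example.net" is external.
    return "local" if host in LOCAL_HOSTS else "external"

def decide(referer):
    """Deny only when a Referer is present and wrong; allow otherwise."""
    return "deny" if classify(referer) == "external" else "allow"

def summarize(lines):
    """Count image requests per Referer class in combined-format log lines."""
    counts = {"missing": 0, "local": 0, "external": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if m and IMAGE_RE.search(urlsplit(m.group(1)).path):
            counts[classify(m.group(2))] += 1
    return counts

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2004:11:00:01 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://www.example.com/gallery.html" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2004:11:00:02 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2004:11:00:03 +0000] "GET /img/dog.png HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [04/Jun/2004:11:00:04 +0000] "GET /img/cat.jpg HTTP/1.1" 200 5120 "http://www.example.com.mirror.example.net/" "Mozilla/5.0"',
    '192.0.2.10 - - [04/Jun/2004:11:00:05 +0000] "GET /gallery.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The "external" count is what the rule would deny; the "missing" count is the share that still gets through, for the reasons listed in the message.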

The official User-To-User support forum of the Apache HTTP Server Project.