tomcat-users mailing list archives

From Hassan Schroeder
Subject Re: Prevent Hot Linking
Date Sun, 19 Apr 2009 15:11:55 GMT
On Sun, Apr 19, 2009 at 7:37 AM, André Warnier wrote:

> But basing the acceptance or rejection on an HTTP request header sent by the
> browser is not absolutely secure, in the sense that this can easily be faked
> using any HTTP client agent such as wget, curl, lwp-request etc.

True. But it seems relatively trivial to write a filter that would add the
originating IP of each request for the base resource, e.g. 'foo.html',
to an in-memory list.

Then requests for the targeted resource, e.g. 'bar.jpg', can be easily
checked against that list and rejected if the request IP isn't present.

Hassan Schroeder
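
The filter described in the message above, as an added example that is not part of the original post. The class name, the two paths and the 10-minute expiry are assumptions made for illustration, and the code uses the `javax.servlet` API (on Tomcat 10 and later the package is `jakarta.servlet`).

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; map it to "/*" (or to both resources) in web.xml.
public class HotLinkFilter implements Filter {
    // Assumed values for illustration: the page and image named in the message.
    private static final String BASE_PAGE = "/foo.html";
    private static final String PROTECTED = "/bar.jpg";
    private static final long TTL_MS = 10 * 60 * 1000L; // assumed: forget an IP after 10 minutes

    // Client IP -> time of its most recent request for the base page.
    private final ConcurrentHashMap<String, Long> seen = new ConcurrentHashMap<String, Long>();

    public void init(FilterConfig config) {}
    public void destroy() { seen.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String ip = request.getRemoteAddr(); // the proxy's address if Tomcat sits behind one
        long now = System.currentTimeMillis();

        if (path.equals(BASE_PAGE)) {
            evictExpired(now);           // keep the in-memory list bounded by the TTL
            seen.put(ip, now);
        } else if (path.equals(PROTECTED)) {
            Long last = seen.get(ip);
            if (last == null || now - last > TTL_MS) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;                  // IP never loaded the base page recently: reject
            }
        }
        chain.doFilter(req, res);
    }

    private void evictExpired(long now) {
        for (Map.Entry<String, Long> e : seen.entrySet()) {
            if (now - e.getValue() > TTL_MS) seen.remove(e.getKey(), e.getValue());
        }
    }
}
```

The check is per address, not per browser: every client behind the same NAT or forward proxy shares one entry, and behind a reverse proxy `getRemoteAddr()` returns the proxy's address unless Tomcat is configured to restore the client IP.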
