tomcat-users mailing list archives

From Hassan Schroeder <hassan.schroe...@gmail.com>
Subject Re: Prevent Hot Linking
Date Sun, 19 Apr 2009 15:11:55 GMT
On Sun, Apr 19, 2009 at 7:37 AM, André Warnier <aw@ice-sa.com> wrote:

> But basing the acceptance or rejection on an HTTP request header sent by the
> browser is not absolutely secure, in the sense that this can easily be faked
> using any HTTP client agent such as wget, curl, lwp-request etc.

True. But it seems relatively trivial to write a filter that would add the
originating IP of each request for the base resource, e.g. 'foo.html',
to an in-memory list.

Then requests for the targeted resource, e.g. 'bar.jpg', can be easily
checked against that list and rejected if the request IP isn't present.

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
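
Added example, not part of the original message and not Tomcat's own code: one way to write the filter described above as a servlet Filter, assuming it is mapped to `/*` in web.xml and built against the `javax.servlet` API. The class name `HotlinkFilter` and the 10-minute expiry (added so the in-memory list stays bounded) are assumptions; the two paths are the ones named in the message.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HotlinkFilter implements Filter {
    private static final String BASE_PAGE = "/foo.html";  // page that embeds the image
    private static final String PROTECTED = "/bar.jpg";   // resource to protect
    private static final long TTL_MS = 10 * 60 * 1000L;   // assumed expiry: 10 minutes

    // client IP -> time of its most recent request for BASE_PAGE
    private final Map<String, Long> seen = new ConcurrentHashMap<String, Long>();

    public void init(FilterConfig cfg) {}
    public void destroy() { seen.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Path relative to the web application, e.g. "/foo.html"
        String path = http.getRequestURI().substring(http.getContextPath().length());
        String ip = req.getRemoteAddr();
        long now = System.currentTimeMillis();

        if (path.equals(BASE_PAGE)) {
            purgeExpired(now);          // keep the list from growing without bound
            seen.put(ip, now);          // remember who fetched the base page
        } else if (path.equals(PROTECTED) && !isFresh(ip, now)) {
            // No recent base-page request from this IP: reject the image request
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // True if this IP requested BASE_PAGE within the last TTL_MS milliseconds
    boolean isFresh(String ip, long now) {
        Long t = seen.get(ip);
        return t != null && now - t <= TTL_MS;
    }

    // Drop entries older than TTL_MS; safe on a ConcurrentHashMap during iteration
    void purgeExpired(long now) {
        for (Map.Entry<String, Long> e : seen.entrySet()) {
            if (now - e.getValue() > TTL_MS) seen.remove(e.getKey(), e.getValue());
        }
    }
}
```

Clients behind the same NAT or forward proxy share one address, so a single visit to the base page admits all of them until the entry expires. Behind a reverse proxy, `getRemoteAddr()` returns the proxy's address, so the check only works where Tomcat sees the real client IP.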
