In post <e5*************************@posting.google.com>
George said...
> So I have a file, which is a zip file I want to let people download.
> But I don't want to let other sites link to my zip file -- I only want
> people to be able to download the file by going through my site.
not possible but you can fool some people some of the time.
(assumes apache with appropriate setup) stick one of the below in a
.htaccess file[1] for the directory you want the directives to apply
to. child directories inherit the directives so if you stick it in
your root the directives will apply to all of your site.

#returns a HTTP 403 forbidden error
#(dots in the host name escaped, trailing slash required so that
# look-alike hosts such as example.com.other.test do not match)
SetEnvIfNoCase Referer "^http://(www\.)?example\.com/" local_ref=1
<FilesMatch "\.(zip)">
# or "\.(zip|jpg|png|gif)" for images as well.
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

#returns a HTTP 403 forbidden error
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(zip)$ - [F]

#returns a substitute zip file (evil.zip) instead of the zip requested
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
#do not rewrite the substitute itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/evil\.zip$
RewriteRule \.(zip)$ http://www.example.com/evil.zip [R,L]

all three check to see what the referer is and if it's not your domain
returns the 403 (or substitute zip). the referer is easily faked or
not sent at all.
[1] a .htaccess file is a plain text file named as shown. if you
create the file with notepad save the file with quotes to prevent
notepad from adding a .txt extension i.e: ".htaccess"
a hash '#' indicates a comment line. remove/change/add them if you
wish.
--
29/September/2003 12:28:41 pm
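
The following is an added example, not part of the original post: a small Python model of the decision the SetEnvIf variant and the RewriteCond variants make, run over constructed requests, so the difference in how they treat a missing Referer is visible before the rules go live. It assumes the host pattern is written with escaped dots and a trailing slash; example.com is the post's placeholder domain and other.test is a made-up one.

```python
import re

# Assumption: host pattern with escaped dots and a required trailing slash.
OWN_SITE = re.compile(r"^http://(www\.)?example\.com/", re.IGNORECASE)
FILESMATCH = re.compile(r"\.(zip)")      # <FilesMatch "\.(zip)">
REWRITE_PATH = re.compile(r"\.(zip)$")   # RewriteRule \.(zip)$

def setenvif_variant(path, referer):
    """SetEnvIfNoCase + Order Allow,Deny: served only when local_ref is set."""
    if not FILESMATCH.search(path):
        return 200
    # An absent Referer is matched as an empty string, so local_ref stays unset.
    return 200 if OWN_SITE.search(referer or "") else 403

def rewrite_variant(path, referer):
    """RewriteCond !^$ and RewriteCond !own-site, then RewriteRule ... [F].
    The substitute-file variant makes the same decision but redirects."""
    if not REWRITE_PATH.search(path):
        return 200
    referer = referer or ""
    if referer != "" and not OWN_SITE.search(referer):
        return 403
    return 200

# Constructed requests: (description, path, Referer header or None if absent)
CASES = [
    ("link followed on own site", "/files/a.zip", "http://www.example.com/downloads.html"),
    ("link on another site", "/files/a.zip", "http://other.test/page.html"),
    ("no Referer (typed URL, proxy strips it)", "/files/a.zip", None),
    ("look-alike host", "/files/a.zip", "http://example.com.other.test/"),
    ("own-site value sent by any client", "/files/a.zip", "http://example.com/"),
    ("unprotected file", "/index.html", "http://other.test/page.html"),
]

def evaluate():
    """Return {description: (SetEnvIf status, Rewrite status)} for every case."""
    return {d: (setenvif_variant(p, r), rewrite_variant(p, r)) for d, p, r in CASES}

if __name__ == "__main__":
    for desc, (a, b) in evaluate().items():
        print(f"{desc:42} SetEnvIf={a}  Rewrite={b}")
```

The server only ever sees the header string, so the first and fifth rows are indistinguishable to all three rule sets, and only the SetEnvIf variant turns away visitors whose browser or proxy sends no Referer.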