Prevent direct access to images


jusaf

10:31 pm on Jan 17, 2011 (gmt 0)

Hi all,

I know there are tons of posts about this, but I've tried most of them and somehow I can't get it to work properly, so I'm asking the experts for some help :)

I have this image folder; inside it I have a few subfolders, and inside those subfolders some pictures that I want to be accessible only from within my website. Meaning that using the direct link www.example.com/images/abc/nwoienfwewf.jpg should return a forbidden page, while if requested by the site itself it should show fine.

Inside the images folder I've added a .htaccess file with this:


Order deny,allow
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?my-website.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|mp3|mpg|avi|mov|flv)$ - [F]


But this prevents the images from showing up on the website, and with direct access I get "Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request."

Now I've tried a few variations of what I could find and even tried a generator, but no success. The best I managed was to get forbidden on direct access, but files were also not loading inside the website.
Note that in the example I've used "my-website" just to show that my domain contains a dash "-" (not sure if that has any influence there).

Anyway, I hope this all makes a bit more sense for you than it does for me :)
Thanks!

g1smd

11:39 pm on Jan 17, 2011 (gmt 0)

Using the referrer data is the most unreliable way of doing this. In order for you to see results you must flush your browser cache before each server request, otherwise all you will see is the previously cached response.

The . of .com should be escaped as \.com here.

Is there any other code with that "Order allow,deny" line?

There should be an "allow from" and a "deny from" statement too, or else that line should be deleted.

jusaf

10:51 am on Jan 18, 2011 (gmt 0)

Thanks for the reply!

So I've removed the "order allow,deny" line and escaped the .com, so the content of the .htaccess file is now:

RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?my-website\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|mp3|mpg|avi|mov|flv)$ - [F]


But even after clearing the cache of the various browsers where I am trying this, I still get the server error. What else am I doing wrong?

You say this is the least secure way to do it, so what approach should I use instead?

Thanks!

g1smd

11:10 am on Jan 18, 2011 (gmt 0)

The code is easily circumvented simply by presenting a blank referrer with the request.

Using cookies is much more foolproof, but still not infallible.

jdMorgan

11:07 pm on Jan 19, 2011 (gmt 0)

> ... i still get the server error.

What is your server telling you the problem is? -- What's in your server *error* log file?

Possibly missing

 Options +FollowSymLinks -MultiViews

at the top.

Jim

jusaf

11:41 am on Jan 21, 2011 (gmt 0)

Thank you all for the help. I ended up following g1smd's advice, so I implemented a custom solution where I serve the photos from a callback that first checks if the user is logged in and then serves the image directly to the browser. Then in the images folder I've added a .htaccess with simply

deny from all

and voila, problem solved :)
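The approach jusaf settled on, written out as an added example in Python (this is not the poster's own code or any framework's API): the images directory is closed to direct requests with `deny from all`, and the only route to a picture is a callback that checks the session first and then maps the requested name onto the directory without letting it escape via `..`, absolute paths or symlinks. The session shape (`user_id`), the allowed suffix list and the sample files are assumptions; the function returns the status, headers and body the way a web handler would hand them to the framework.

```python
import mimetypes
import tempfile
from pathlib import Path

# Added example: auth-checked image serving for a directory that .htaccess
# denies to direct requests, so this callback is the only way to reach it.
ALLOWED_SUFFIXES = {".gif", ".jpg", ".jpeg", ".png"}

def is_logged_in(session):
    """Hypothetical session shape: the app stores a user id for logged-in users."""
    return bool(session.get("user_id"))

def resolve_image_path(base_dir, requested):
    """Map a user-supplied relative name such as 'abc/photo.jpg' onto base_dir.
    Returns None for anything outside the tree, non-image names or missing files."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # follows symlinks, collapses '..'
    if base not in candidate.parents:          # escaped the tree (or is the tree root)
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
        return None
    return candidate

def serve_protected_image(session, requested, base_dir):
    """The callback's result for the web layer: (status, headers, body)."""
    if not is_logged_in(session):
        return 403, {}, b""
    path = resolve_image_path(base_dir, requested)
    if path is None:
        return 404, {}, b""                    # same answer whether or not it exists
    ctype = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    headers = {"Content-Type": ctype, "Cache-Control": "private, no-store"}
    return 200, headers, path.read_bytes()

def build_sample_tree():
    """Constructed fixture: a throwaway images/abc/ folder with one fake JPEG,
    one non-image file, and a file outside the image tree."""
    root = Path(tempfile.mkdtemp())
    (root / "images" / "abc").mkdir(parents=True)
    (root / "images" / "abc" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0fake-jpeg")
    (root / "images" / "abc" / "notes.txt").write_bytes(b"not an image")
    (root / "secret.key").write_bytes(b"outside the image tree")
    return root

if __name__ == "__main__":
    images = build_sample_tree() / "images"
    print(serve_protected_image({}, "abc/photo.jpg", images)[0])              # 403
    print(serve_protected_image({"user_id": 7}, "abc/photo.jpg", images)[0])  # 200
    print(serve_protected_image({"user_id": 7}, "../secret.key", images)[0])  # 404
```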