Redirected from here, I need to prevent access of PDF (or any other) file types, when someone access it using direct URL.
The Problem
Say you had a PDF file that you’d like visitors on your own site to download.
However, if someone were to copy this link and call it from a browser window directly, or if they were to post the link to you PDF on another website then the document shall not be accessible. By default it is.
I am successful in hiding the pdf file path in address bar and the url formed is http://localhost/myproject/web/viewer.php?id=11&name=sample.pdf, but in console one can see the complete path like http://localhost/myproject/document/11/sample.pdf.
This code redirects successfully on second time page reload, but not when I select Open in new tab from console.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(pdf) [NC]
RewriteRule .*\.(pdf)$ http://google.com/ [NC]
Used below code in .htaccess to prevent access
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(pdf)$ - [F]
Somehow it does not work accurately. It shows file forbidden message only if I hit CTRL+SHIFT+R key otherwise using the file URL I can still access it.
I want to prevent the pdf file showing as http://localhost/myproject/document/11/sample.pdf directly in the url bar
If you have access to a database, maybe you could store the file/s in a blob field. This way you can easily write code to protect the file how you like.
You can store PDF files not in webroot folder and return it content use PHP. For example for user URL will be like:
http://localhost/myproject/document.php?hash=some_hash`
and on file document.php you will get document hash from $_GET parametr use file_get_contents function. Also in this case you can allow access only once
I hope it will help
Related
I have a blog with images. I do not want that the images are directly accessible through the URL (and also not for Googlebot and other bots)... for example... mysite.com/assets/images/img1... etc. So I thought to password protect the images directory with .htaccess. That worked, only front-end all my images became links, and I had to provide my credentials to make them show. How can I make my images show yet NOT make them directly accessible when typing the corresponding URL and the images URLs (or better yet the images directory) NOT accesible for bots to crawl/index?
Don't go with password protection. The right way to do it would be to filter the requests based on the referer URL. If the request originates from your own site then it's ok. Otherwise the request is trying to get an image directly.
I've found this site with detailed instructions on how to do that: http://altlab.com/htaccess_tutorial.html
Taken from the mentioned site:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://url_to_default_image.gif [L]
Note that you would have to enable mod_rewrite in your Apache server.
Btw, just asking. Why don't just let people get the image directly if they want to?
I'm trying to build a simple website which is going to let users upload files, and privately share them with other designated users. The problem is: I don't want anyone to be able to type in the url for a file to be able to get to it (then anyone could see it).
I decided to try using .htaccess to prevent direct url access, however, I cannot figure out how to access the file myself. All of the uploaded files are going to go into a subfolder called "restricted".
My ".htaccess" file is:
RewriteEngine on
RewriteCond {%QUERY_STRING} !^.*key=SECRET.*$ [NC]
RewriteRule ^restricted/(.*)$ showfile.php?file=$1
My "showfile.php" file:
<?php
echo file_get_contents('[...]/restricted/'.$_GET['file'].'?key=SECRET');
?>
However, when I open "restricted/test.txt" or some other file in the restricted folder, it successfully redirects to "showfile.php?file=test.txt", however, I get a php error:
Warning: file_get_contents([...]/restricted/test.txt?key=SECRET)
[function.file-get-contents]: failed to open stream: No such file or
directory in [...]/showfile.php on line 10
It seems like even though the query string contains "key=SECRET", it is still trying to redirect.
What I want: I want it to redirect on direct URL access, but that I can access it through the php page it's redirected to.
If you want to access the file as an HTTP resource instead of direct disk access (like in your question), you can do the following:
Code in .htaccess (placed the "nonpublic_test" folder):
RewriteEngine on
RewriteCond %{REQUEST_URI} ^.*/restricted/.*$ [NC]
RewriteCond %{QUERY_STRING} !^.*key=SECRET.*$ [NC]
RewriteRule ^(.*)$ /$1 [R=403,L]
Then in your showfile.php:
<?php
echo file_get_contents('http://www.domain.name.here/restricted/'.$_GET['file'].'?key=SECRET');
?>
This will prevent any access to the restricted folder and its contents but still allow your showfile.php script to access the file inside that folder and output it.
It would be better off to move restricted folder a level above site root and have your PHP code in showfile.php like this:
<?php
echo file_get_contents('/path/to/restricted/'.$_GET['file']);
?>
With rule simply as:
RewriteEngine on
RewriteRule ^restricted/(.*)$ showfile.php?file=$1 [L,QSA,NC]
I just started using Amazon S3 to host static files (images, videos, etc.).
For accessing the uploaded files, temporary links are created.
A temporary link looks like this one:
http://zeebit.s3.amazonaws.com/stackoverflow-logo.png?AWSAccessKeyId=AKIAIXEHEYSBDWAAXVVA&Expires=1346888760&Signature=B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D
What I want is to serve these file through my url, something like this:
http://s3.mydomain.com/zeebit/stackoverflow-logo.png/AKIAIXEHEYSBDWAAXVVA/B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D
I know I can redirect requests to http://s3.mydomain.com to the Amazon url via PHP (for example), but I don't want the address bar to change.
I can create a .htaccess to transform the url to the Amazon url, but as I know .htaccess can't redirect to external resources.
So, how can I solve this?
There are a couple of solutions:
.htaccess Solution #1 - Rewrite Rule
RewriteEngine On
RewriteCond %{HTTP_HOST} ^s3\. # Hostname starts with "s3."
RewriteCond %{REQUEST_URI} !-f # Not a file
RewriteCond %{REQUEST_URI} !-d # Not a directory
RewriteRule ^/(.+)/(.+)/(.+)/(.+)/(.+)$ http://$1.s3.amazonaws.com/$2?AWSAccessKeyId=$3&Expires=$5&Signature=$4 [R=302,L]
NOTE: Your initial desired URL was missing the "Expires" value, so the above would work for URLs formed like so:
http://s3.yourdomain.com/[[S3_Bucket_Name]]/[[S3_Filename]]/[[AWSAccessKeyId]]/[[Signature]]/[[Expires]]
So:
http://s3.mydomain.com/zeebit/stackoverflow-logo.png/AKIAIXEHEYSBDWAAXVVA/B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D/1346888760
would redirect to
http://zeebit.s3.amazonaws.com/stackoverflow-logo.png?AWSAccessKeyId=AKIAIXEHEYSBDWAAXVVA&Expires=B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D&Signature=1346888760
.htaccess Solution #2 - Redirect
Whilst being a less flexible solution than the above, you could put the following into your .htaccess file
redirect 302 /s3/ http://zeebit.s3.mydomain.com/
Using this rule, requests for
http://yourdomain.com/s3/stackoverflow-logo.png?AWSAccessKeyId=AKIAIXEHEYSBDWAAXVVA&Expires=B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D&Signature=1346888760
Would basically retain everything after /s3/ and simply replace everything preceeding it with the Amazon S3 location.
http://zeebit.s3.amazonaws.com/stackoverflow-logo.png?AWSAccessKeyId=AKIAIXEHEYSBDWAAXVVA&Expires=B%2BS%2FlUoRXno3UfSqf9Ua0RuCcBc%3D&Signature=1346888760
I have player.php file which calls the video player to play a certain video. How can i block certain sites from accessing this file and using it to embed videos on there site. In other words What code can i use inside player.php to block certain sites from accessing this file only.
You can do this on three levels.
1) Web server
For instance, using .htaccess file if you're on an Apache server.
This could be done with a rewrite that pushes them to some dummy file or 404 or whatever you like. For example:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC]
RewriteRule .* - [F]
This is really the ideal way because it precludes the need to interpret PHP.
2) PHP
In your page, use the $_SERVER['HTTP_REFERER'] (which may not be set if there is no referrer) and search for the domain in question in the string.
This is second best, and may be your only option if you can't alter the Apache configuration.
3) Javascript
Doesn't really prevent access to anything, because the check happens client-side (they've downloaded player.php and the Javascript itself prior to running it). If they went directly to the video or whatever, it wouldn't stop them from getting the file. You would use the document.referrer and search for the domain as with the PHP example.
If you are using Apache and have access to your .htaccess file, I suggest you use that instead. This page is an excellent resource.
You could try something like this, assuming player.php is in your web root:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^player\.php.*
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-domain\.com/ [NC]
RewriteRule .* http://your-domain.com/please-dont-steal\.php[NC]
You're better off dealing with this issue server side, so PHP is a good bet. You'll need to examine the HTTP referrer header to see whether you're being hotlinked.
there are lots of tricks you can do with Apache mod-rewrite and/or .htaccess
When I open my site without "www", like http://mysite.com/, then there is a problem with my website hit counter on the home page, which is done through AJAX.
The problem is that counter Image is not getting displayed.
It is showing blank.
There are similar problem on other pages where I have used AJAX to retrieve data.
To the cross-domain security policy, "mysite.com" and "www.mysite.com" are different domains, therefore AJAX requests aren't allowed between them.
The simplest solution is to take the domain out of your AJAX call and use a relative url, for example "/dir/ajax-callback.php" instead of "http://www.mysite.com/dir/ajax-callback.php"
You can create .htaccess file in your root dir and put this text inside
RewriteEngine on
RewriteCond %{HTTP_HOST} ^mysite.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]
This will make sure that every time user enters http://mysite.com, it gets redirected to http://www.mysite.com
The server has to support .htaccess and mod_rewrite