Alternative Options to Referer in HTAccess

[BinaryData]

Hey Guys,

 

While cruising a few IRC channels over the weekend, I suggested someone use htaccess to block other websites from hotlinking. I was chastised up the ying-yang for that suggestion. They said that referrer information isn't transferred through TLS, and that it can cause issues for the end user. I wasn't aware of this, nor has anyone ever told me of this.

 

So my question is; what's an alternative? They said to just let it happen, it's not a big deal. Sorry, but I don't want someone else linking stuff from my services to someone elses site.

[+Zlip792 MVC]

If I am reading this correctly from the article - http://alistapart.com/article/hotlinking , even if the referrer is not passing, if you configure it properly then TLS pages (as mentioned) will still be able to access the images.

 

Also, I tried to google about 'neowin' and then open the news page, which is in HTTPS as shown in the below image but it was still having referrer information. (If I not mixing stuff up)

 

[BinaryData]

To be quite honest, @Zlip792 I don't really understand this stuff. I was told I was doing it wrong, so like a good kid, I'm researching it. I do need to enable https:// on the site too. =/

[+BudMan MVC]

where did you read that referrer is not in a tls connection?  Are you talking a link from a https site to a http?  If so then yeah browsers do not send the referrer, this is in this rfc https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

 

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

 

You can use the newer Meta Referrer which modern browsers support.  A browser can be set not to send referrer info, so its always possible to bypass such a block if your saying that access to your stuff can not be a referred link, etc.

 

What exactly are you trying to prevent?  If you put up say an image, and you want to stop other pages from linking to it?  Why did you put up the image?  Why do you not require auth to access the image if you don't want others using it, etc.  if you put it up on the public net your kind of saying hey use this, etc

 

Don't provide http to your images another thing you can do.  https to https should send referrer info, etc.  If your page is not available http then then you shouldn't be seeing the https to http issue where referrer is missing, etc.  But again this does not stop access, this really just stops idiot webpages from linking to your ###### and not sending you referrer info.  If they send you referrer info then sure you can use .htaccess to block if that is what you desire.

 

What exactly did they say it would break.. Who gives a ###### what it breaks as long as it works how you want it to, ie users on your site accessing your stuff directly via your site, etc.

 

If you do not want the use of the image from anything other than your site, then you can block if the referrer is blank.  This could cause you issues if your using http links in your own site when your site is https..  But that would be just shooting yourself in your own foot