I have a folder on my site which contains several mp4 files. I have a php page on my site which is used to play those mp4 videos. I am new to htaccess and what I need is an htaccess that allows my videowindow.php to access the mp4 files but prevent access to those files if not from videowindow.php
Basically unless the video is being accessed by videowindow.php the video can not be accessed. I tried several examples I found here and there but none of them seem to work. Most of them deny access to the video files completely so they can't even be accessed by my own videowindow.php file.
Any help on this is appreciated.
You can do this by checking the HTTP "Referer" request field, but this in no way guarantees any access restrictions. The referer field can be easily forged.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your-domain\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} !videowindow\.php$
RewriteRule \.mp4$ - [L,F]
This will make it so if a referer doesn't start with your domain and doesn't end with videowindow.php, then any access to mp4's will result in a 403 forbidden response.
Related
how i can:
ALLOW access to file from website
AND
DENY access to file from all which external to website
Using HTACCESS ?
For example website is stored in a webspace associated to domain: xxx.xx.
Inside a webpage i have a link as:
LINK
And:
Clicking on LINK then start video correctly
BUT
Typing from url (for example): http://www.xxx.xx/video/example.mp4 need return error 403 (denied access) blocking so playing and/or download of file: example.mp4
Thanks for help.
Since it is not easy to write a rule in comments, I am providing a rule which blocks access to a mp4 file based on HTTP_REFERER header value:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?xxx\.xx/ [NC]
RewriteRule ^video/example\.mp4$ - [F,NC]
However keep in mind that clients can spoof HTTP_REFERER header.
I have a site that plays music. The user can listen to a song only by navigating to a specific site on the server that retrieves the music file and presents it to the user through the audio html tag. In order to prevent the users from accessing directly the song's address I implemented a year ago the following htaccess script:
Header set Access-Control-Allow-Origin "http://myexamplesite.000webhostapp.com/"
ErrorDocument 403 /error404.php
ErrorDocument 404 /error404.php
Options -Indexes
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(myexamplesite\.)?000webhostapp [NC]
RewriteCond %{HTTP_REFERER} !^http://(myexamplesite\.)?000webhostapp.*$ [NC]
RewriteRule \.(mp3|png|jpg)$ - [F]
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?(myexamplesite.000webhostapp.com)(/)?.*$ [NC]
RewriteRule .*.(.zip|.rar|.exe|.mp3|.pdf|.swf|.psd)$ http://myexamplesite.000webhostapp.com/error404.php [R,NC]
This script has been working flawlessly until a week ago, when chrome and mozilla updated and since then I see the error below on the chrome developer tools.
The browser cannot load any media such as images, documents and music files as described in the script above.
When I remove the script the problem is resolved but by doing so lets the users access and hotlink my resources with great ease.
The most confusing part is that mobile browsers have not any problem while desktop ones show errors. For example the updated chrome and firefox mobile browsers can access the site normally with all those resources without the issues dealt on desktop browsers.
I have tested if the problem appears in various computers and it still appears.
I believe that the problem shows up in newly updated browsers because the problem does not show up on elder versions of mozilla firefox desktop browser (version 47).
What causes this problem? How can I deal with it? I need a solution that does not override the main purpose of the htaccess script; to not allow direct access and hotlinking to sensitive media (images, pdf documents and mp3 files).
I'm trying to make a file only accessible when you're on a specific page.
Like download.php, the user can click a link to the file and the download starts without problems.
But if you go to the link in the browser directly it should not work.
Could I use .htaccess for this? or how would I do this?
This is possible with .htaccess by checking for the ${HTTP_REFERER}, which is the previous url you were on.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.example.com/download.php
RewriteRule myFile.zip - [R=403,L]
This checks if the previous page was download.php, otherwise it rewrites the request for myFile.zip to a 403 error page.
Note that it is possible to forge a referer by intercepting / creating your own request. This does not provide 100% security.
I have a website that have some files that are accessed publicly. Anyone can download them.
I have discovered lately that a website has added links to these files. With this way they claim ownership of them and they consume my bandwidth since they fetch them from my server.
How can i block other websites to refer to my website files?
I don't care if this files are not crawled by Google since now i refer to them using the rel="nofollow"
Can anyone suggest a solution.
What you are looking for is preventing deeplinking of contents on your website. Try the following in appache httpd.conf file it will creates a failed request when hot linking of the specified file types occurs.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css|<whatever extensions you want to block>)$ - [F]
If the content you want to block is generated dynamically using some programming language, you can check if the referrer header matches your domain and then continue the processing of the request.
JAVA
"http://www.example.com".equals(request.getHeader("referer"));
PHP
$_SERVER['HTTP_REFERER']=="http://www.example.com"
I have got a contact form on my website with file attachment as well, that has been restricted only to pictures. Although if I type in example.com/uploads/ all the files are accessible by anyone. Is htaccess the best way to hide it? Also how could I do that in a safe manner, without messing up the contact form?
I have tried this, but it blocks the whole website
deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
if I type in example.com/uploads/ all the files are accessible
You mean you get a directory listing? This can be disabled in .htaccess:
Options -Indexes
To actively block all HTTP requests for files in the /uploads directory (since you state in comments that these are only ever accessed over FTP) then all you need is (in your root .htaccess file):
RewriteEngine On
RewriteRule ^uploads - [F]
This will respond with a 403 Forbidden for all requests that start /uploads.
Just to block access to example.com/uploads/ you can place this rule in /uploads/.htaccess:
RewriteEngine On
RewriteRule ^/?$ - [F]