Securing Site Content/Images

Let's face it, it's pretty difficult to secure site content and/or images on the internet. If it can be accessed via the web, retrieving or downloading it can probably be automated in some way.

A year or so ago, someone told me that the way they secured the image data for their gallery was to check the HTTP Referer header and, if it matched their site, let the images through.

This is fine as far as it goes; however, the HTTP Referer is sent by the browser, so this technique depends on two things:
a. The browser sends the correct HTTP Referer (I've seen bugs with this).
b. Nobody spoofs the Referer.
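The server side of that check, as an added example (not code from the original post, and not the gallery's own module): a Referer-based hotlink decision written two ways, the common substring match and an exact host comparison after parsing the URL. The host name and the request headers are constructed for the illustration; the point is that the header is client-supplied, so the check only filters browsers that behave, and a policy for the missing-Referer case has to be chosen on purpose.

```python
from urllib.parse import urlsplit

# Constructed example: the host that serves the gallery pages.
ALLOWED_HOSTS = {"gallery.example.com"}


def _referer(headers):
    """Return the Referer value from a header dict, matching the name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "referer":
            return value
    return None


def naive_referer_check(headers):
    """Substring match as often written: passes any URL that merely contains the host name."""
    referer = _referer(headers) or ""
    return "gallery.example.com" in referer


def referer_allows(headers, allow_missing=False):
    """Hotlink decision based on Referer: exact host comparison after parsing the URL.

    allow_missing is the policy for requests carrying no Referer at all; browser bugs
    and privacy tools that strip the header produce exactly these requests.
    The value is client-supplied, so a client that sets it itself always passes.
    """
    referer = _referer(headers)
    if not referer:
        return allow_missing
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


# Constructed requests for one image, differing only in the Referer they carry.
REQUESTS = {
    "browser on the gallery page": {"Referer": "https://gallery.example.com/album/1"},
    "hotlink from another site": {"Referer": "https://other.example.net/page.html"},
    "lookalike host": {"Referer": "https://gallery.example.com.evil.example/"},
    "referer stripped by privacy tool": {"User-Agent": "Mozilla/5.0"},
    "client setting the header itself": {"Referer": "https://gallery.example.com/"},
}


def decisions(allow_missing=False):
    """Map each constructed request to (naive result, parsed-host result)."""
    return {label: (naive_referer_check(h), referer_allows(h, allow_missing))
            for label, h in REQUESTS.items()}


if __name__ == "__main__":
    for label, (naive, by_host) in decisions().items():
        print(f"{label:35} naive={naive!s:5} host-match={by_host}")
```

The lookalike host passes the substring check but not the host comparison; the last request passes both, which is the limit of what any Referer check can do.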

And with .NET this has become even easier; in fact, I whipped up a console app and came up with this code.

Imports System.IO
Imports System.Net

Module Module1

    Sub Main()
        ' Fetch a resource while sending no Referer at all (placeholder URL).
        Console.WriteLine(FetchURL("http://example.com/gallery/image.jpg"))
    End Sub

    Function FetchURL(ByVal SomeURL As String) As String
        ' WebRequest.Create returns a WebRequest; cast it to reach the HTTP-specific members.
        Dim HTTPGetRequest As HttpWebRequest = CType(WebRequest.Create(SomeURL), HttpWebRequest)
        HTTPGetRequest.KeepAlive = False
        ' The Referer is whatever the client chooses to send; here it is left empty.
        HTTPGetRequest.Referer = ""

        ' Using blocks dispose the response and reader even if reading fails.
        Using WebResp As HttpWebResponse = CType(HTTPGetRequest.GetResponse(), HttpWebResponse)
            Using sr As New StreamReader(WebResp.GetResponseStream(), System.Text.Encoding.Default)
                Return sr.ReadToEnd()
            End Using
        End Using
    End Function

End Module



  • yup!

    In fact, I've written an HttpModule that deals with serving up images. I hope to post the code later this week.



  • There is a third option:

    c) The Referer is set.

    Some "privacy packages" (like Norton's) automatically strip Referer headers from all HTTP requests. Of course it's required for some sites, and the user can selectively enable Referers for a specific site, but by default it's stripped out.

  • That good ol' Print Screen messes with it too, because even if you can stop someone from saving an image, you still have to stop them from print-screening it.

    The Jeff
